WinHttpCertCfg a Command Line Certificate Configuration Tool

If you need a command-line tool that enables administrators or developers implementing some automatic deployment tool to import certificates and their private keys for use on client computers this comes in handy for the job.What it makes an intersecting choice for your deployment toolkit is the fact that this rather obscure gem, let you install any PFX certificate (Read: Private key included) and assign the required ACL permissions to your private key process account, that typically would be the ASPNET account for Windows XP (and older systems) and the Network Service account for W2K2 or better and the better part is that it is full scriptable with just specifying the right parameters.Let’s see a quick example of the WinHttpCertCfg.exe in action. The following command imports a certificate and private key from a PFX file and extends private key access to the Network Service account.
 winhttpcertcfg -g -i "MyPfxcertificate.pfx" -c LOCAL_MACHINE\My -a “Network Service” -p pfxpassword 

 

You may find more examples here and download the WinHttpCertCfg tool here.The only drawback that has this tool is that is intended for PFX certificate file format only and if you need to install a certificate public key only like a .p7b or .crt standard formats, you will need another tool like the Certificate Manager tool (CertMgr.exe) that comes with the Microsoft .NET Framework SDK tools and its usage is very simple as well.This example installs the MyCA root certificate to the Local Machine “Trusted Root Certification Authorities” store (Root).
 certmgr -add -all -c "MyCA.p7b" -s -r localMachine Root 

 

As you see, both tools comes in handy whenever you need to build a deployment script or just assign the required permissions the a certificate private key file without the hassle of complicated APIs or obscure directory paths like “[Documents and Settings]\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys” and the like. This posting is provided "AS IS" with no warranties, and confers no rights. 
Published Wednesday, February 09, 2005 4:32 PM by HernanDL
Filed under:

Comments

# re:WinHttpCertCfg a Command Line Certificate Configuration Tool

Sunday, April 10, 2005 7:13 AM by TrackBack
^_^,Pretty Good!

# Certyfikaty « ZMYWAK

Thursday, May 08, 2008 4:16 AM by Certyfikaty « ZMYWAK

Pingback from  Certyfikaty « ZMYWAK

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Friday, September 26, 2008 8:04 AM by Peter Styk

Life saving experience my friend.

All the best!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Monday, October 27, 2008 12:45 PM by A

Yes, very helpful!!! CERTMGR worked beautifully for the job!

# [CRYPTO]Basic programming resource on X509 certificates

Wednesday, March 11, 2009 7:18 AM by Steven Cheng's MSDN Notes

X509 certificates is an important component and concept in Public Key Infrastructure(for Network Security).

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Monday, May 11, 2009 6:47 AM by PINO

To add a new certificate this way works, but now I want to delete the old certificate (not deleting the whole store). Seems that I can't get it to work :S

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Thursday, January 06, 2011 3:24 PM by Travis

Hey thanks a lot for posting this - very helpful.  Especially the part about certmgr, it's going to save me a lot of time on server setups now that I can just script all of this stuff out!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Friday, February 04, 2011 7:32 PM by Greg

These are useful tools but after banging my head against the wall trying to use winhttpcertcfg, I gotta vent: If anything at all is wrong with your command line, winhttpcertcfg dumps out some help text with NO indication of what is causing your problem... No event log entry that I can find... nothing. It's 2011 - what a ridiculous way to handle a error condition, please next time, just give me the finger!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Tuesday, December 20, 2011 1:09 PM by Kobaia

Yes 2011 to 2012. This command line will not work.

Leave a Comment

(required) 
(required) 
(optional)
(required)