WinHttpCertCfg a Command Line Certificate Configuration Tool

If you need a command-line tool that lets administrators, or developers building an automated deployment tool, import certificates and their private keys for use on client computers, WinHttpCertCfg comes in handy for the job.

What makes it an interesting choice for your deployment toolkit is that this rather obscure gem lets you install any PFX certificate (read: private key included) and assign the required ACL permissions on the private key to your process account. That would typically be the ASPNET account on Windows XP (and older systems) and the Network Service account on W2K2 or better. The better part is that it is fully scriptable: you just specify the right parameters.

Let's see a quick example of WinHttpCertCfg.exe in action. The following command imports a certificate and private key from a PFX file and extends private key access to the Network Service account.
 winhttpcertcfg -g -i "MyPfxcertificate.pfx" -c LOCAL_MACHINE\My -a "Network Service" -p pfxpassword

You may find more examples here and download the WinHttpCertCfg tool here.

The only drawback of this tool is that it is intended for the PFX certificate file format only. If you need to install a public-key-only certificate, such as the standard .p7b or .crt formats, you will need another tool like the Certificate Manager tool (CertMgr.exe), which comes with the Microsoft .NET Framework SDK tools; its usage is very simple as well.

This example installs the MyCA root certificate to the Local Machine “Trusted Root Certification Authorities” store (Root).
 certmgr -add -all -c "MyCA.p7b" -s -r localMachine Root

As you can see, both tools come in handy whenever you need to build a deployment script or just assign the required permissions to a certificate private key file, without the hassle of complicated APIs or obscure directory paths like “[Documents and Settings]\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys” and the like.

This posting is provided "AS IS" with no warranties, and confers no rights.
Published Wednesday, February 9, 2005 4:32 PM by HernanDL
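
The result of an import like the one above can be checked independently of the tool's console output by reading the ACL on the key file under MachineKeys. The following PowerShell function is an added example, not part of the original post: the name `Get-PrivateKeyAccess` is hypothetical, and it assumes Windows PowerShell 5.1 in an elevated session, a CSP-backed RSA key, and a Windows version where MachineKeys lives under %ProgramData%.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1,
# an elevated session, and an RSA key held by a legacy CSP, i.e. one whose key
# file lives under ...\Microsoft\Crypto\RSA\MachineKeys.
function Get-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the imported certificate
        [string]$Account   = 'NT AUTHORITY\NETWORK SERVICE',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-Item -LiteralPath "$StorePath\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # For CSP keys the unique container name is also the key file's name.
    try   { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
    catch { $container = $null }
    if (-not $container) { throw 'Key is not CSP-backed (probably CNG); this check does not apply.' }

    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $sid     = (New-Object Security.Principal.NTAccount $Account).Translate([Security.Principal.SecurityIdentifier])
    $read    = [int][Security.AccessControl.FileSystemRights]::Read

    # Explicit and inherited Allow ACEs that include read access, identities as SIDs.
    $rules = (Get-Acl -LiteralPath $keyFile).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights) -band $read) -eq $read }

    [pscustomobject]@{
        KeyFile        = $keyFile
        # True only for an ACE naming the account itself; group membership is not expanded.
        AccountGranted = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
        # Every identity that can read the key, so over-broad grants stand out.
        AllReaders     = @($rules | ForEach-Object {
            try   { $_.IdentityReference.Translate([Security.Principal.NTAccount]).Value }
            catch { $_.IdentityReference.Value }     # unresolvable SID: show it raw
        })
    }
}

# Usage (the thumbprint is a placeholder):
# Get-PrivateKeyAccess -Thumbprint '<certificate thumbprint>'
```

In a deployment script, fail the run when `AccountGranted` is false, and review `AllReaders` for accounts or groups that should not be able to read the key.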
Comments

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Friday, September 26, 2008 8:04 AM by Peter Styk

Life saving experience my friend.

All the best!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Monday, October 27, 2008 12:45 PM by A

Yes, very helpful!!! CERTMGR worked beautifully for the job!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Monday, May 11, 2009 6:47 AM by PINO

To add a new certificate this way works, but now I want to delete the old certificate (not deleting the whole store). Seems that I can't get it to work :S

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Thursday, January 6, 2011 3:24 PM by Travis

Hey thanks a lot for posting this - very helpful.  Especially the part about certmgr, it's going to save me a lot of time on server setups now that I can just script all of this stuff out!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Friday, February 4, 2011 7:32 PM by Greg

These are useful tools but after banging my head against the wall trying to use winhttpcertcfg, I gotta vent: If anything at all is wrong with your command line, winhttpcertcfg dumps out some help text with NO indication of what is causing your problem... No event log entry that I can find... nothing. It's 2011 - what a ridiculous way to handle an error condition, please next time, just give me the finger!

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Tuesday, December 20, 2011 1:09 PM by Kobaia

Yes 2011 to 2012. This command line will not work.

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Friday, March 9, 2012 10:49 PM by Rob

I have used certmgr and winhttpcertcfg for p7b and pfx certificates respectively. They are great. I have found it useful for winhttpcertcfg to use the -a switch for domain groups. I find that for certain web applications it is better to use a major domain group, i.e.

winhttpcertcfg.exe -i test.pfx -c LOCAL_MACHINE\My -a "DomainName\Account Operators" -p testpassword

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Wednesday, November 28, 2012 4:01 PM by Henrique Umeoka

Why doesn't winhttpcertcfg show an error or confirmation message?

I'm typing this command and get no error message or confirmation.

winhttpcertcfg.exe -i 0480914000150.pfx -c LOCAL_MACHINE\My -a "Network Service" -p 12345678

# re: WinHttpCertCfg a Command Line Certificate Configuration Tool

Monday, January 28, 2013 6:25 PM by Fredericks

Hey! This is my first visit to your blog! We are a team of volunteers and starting a new initiative in a community in the same niche. Your blog provided us valuable information to work on. You have done a wonderful job!
