WinHttpCertCfg a Command Line Certificate Configuration Tool

If you need a command-line tool that enables administrators or developers implementing some automatic deployment tool to import certificates and their private keys for use on client computers this comes in handy for the job.What it makes an intersecting choice for your deployment toolkit is the fact that this rather obscure gem, let you install any PFX certificate (Read: Private key included) and assign the required ACL permissions to your private key process account, that typically would be the ASPNET account for Windows XP (and older systems) and the Network Service account for W2K2 or better and the better part is that it is full scriptable with just specifying the right parameters.Let’s see a quick example of the WinHttpCertCfg.exe in action. The following command imports a certificate and private key from a PFX file and extends private key access to the Network Service account.
 winhttpcertcfg -g -i "MyPfxcertificate.pfx" -c LOCAL_MACHINE\My -a “Network Service” -p pfxpassword 


You may find more examples here and download the WinHttpCertCfg tool here.The only drawback that has this tool is that is intended for PFX certificate file format only and if you need to install a certificate public key only like a .p7b or .crt standard formats, you will need another tool like the Certificate Manager tool (CertMgr.exe) that comes with the Microsoft .NET Framework SDK tools and its usage is very simple as well.This example installs the MyCA root certificate to the Local Machine “Trusted Root Certification Authorities” store (Root).
 certmgr -add -all -c "MyCA.p7b" -s -r localMachine Root 


As you see, both tools comes in handy whenever you need to build a deployment script or just assign the required permissions the a certificate private key file without the hassle of complicated APIs or obscure directory paths like “[Documents and Settings]\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys” and the like. This posting is provided "AS IS" with no warranties, and confers no rights. 


  • Life saving experience my friend.
    All the best!

  • Yes, very helpful!!! CERTMGR worked beautifully for the job!

  • To add a new certificate this way works, but now I want to delete the old certificate (not deleting the whole store). Seems that I can't get it to work :S

  • Hey thanks a lot for posting this - very helpful. Especially the part about certmgr, it's going to save me a lot of time on server setups now that I can just script all of this stuff out!

  • These are useful tools but after banging my head against the wall trying to use winhttpcertcfg, I gotta vent: If anything at all is wrong with your command line, winhttpcertcfg dumps out some help text with NO indication of what is causing your problem... No event log entry that I can find... nothing. It's 2011 - what a ridiculous way to handle a error condition, please next time, just give me the finger!

  • Yes 2011 to 2012. This command line will not work.

  • I have used certmgr and winhttpcertcfg for p7b and pfx certificates respectively. They are great. I have found it useful for winhttpcertcfg to use the -a switch for domain groups. I find that for certain web applications it is better to use a major domain group. ie.
    winhttpcertcfg.exe -i test.pfx -c LOCAL_MACHINE\My -a "DomainName\Account Operators" -p testpassword

  • Why winhttpcertcfg don´t show error or confirmation message ?
    I´m typing this command and have no error message or confirmation.

    winhttpcertcfg.exe -i 0480914000150.pfx -c LOCAL_MACHINE\My -a "Network Service" -p 12345678

  • Hey! This is my first visit to your blog! We are a team of volunteers and starting a new initiative in
    a community in the same niche. Your blog provided us valuable information to
    work on. You have done a wonderful job!

Comments have been disabled for this content.