The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool,
WinHttpCertCfg.exe, enables administrators to install and configure client
certificates in any certificate store that can be accessed by the Internet
Server Web Application Manager (IWAM) account. The tool also eliminates the need
to do anything special to accounts such as the IWAM account to gain access to
certificates when using Active Server Pages (ASP).
The Microsoft Management Console (MMC) enables administrators to import client
certificates to a local machine. However, importing a certificate does not
automatically grant access to the private key for other accounts. This private
key is required for client certificate authentication. The Microsoft Windows
HTTP Services (WinHTTP) certificate configuration tool provides the ability to
grant access to additional accounts, such as the IWAM account, when needed.
File Required
The WinHTTP certificate configuration tool, WinHttpCertCfg.exe, is included in the Platform SDK. The following example shows the command line parameters that are valid for use with this tool.
```
winhttpcertcfg [/?]
winhttpcertcfg [-i PFXFile | -g | -r | -l] [-a Account] [-c CertStore] [-s SubjectStr]
```
The following table explains the parameters for the configuration tool.
| Parameter | Description |
|---|---|
| -? | Displays syntax information. |
| -i | Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file. This parameter must be followed by the name of the file. When this parameter is specified, -a and -c must also be specified. |
| -g | Specifies that access is granted to a private key. When this parameter is specified, -a, -c, and -s must also be specified. |
| -r | Specifies that access is removed for a private key. When this parameter is specified, -a, -c, and -s must also be specified. |
| -l | Specifies that accounts with access to a private key are listed. When this parameter is specified, -c and -s must also be specified. |
| -a | Specifies the user account on the machine being configured. This could be a local machine or domain account, such as IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER. |
| -c | Specifies the location and name of the certificate store. Use LOCAL_MACHINE or CURRENT_USER to designate which registry branch to use for the location. The certificate store can be any installed on the machine. Typical name examples are MY, Root, and TrustedPeople. The location and name of the certificate store are separated with a backward slash; for example, LOCAL_MACHINE\Root. Note Although the |
| -s | Specifies a case-insensitive search string for finding the first enumerated certificate with a subject name that contains this substring. |
Note: The user must have sufficient privileges to use this tool. The user must be an administrator and, if the client certificate is already installed, the same user who installed it.
Note: The WinHttpCertCfg.exe tool is not useful for configuring certificates that are stored in a file system, such as FAT32, that does not support access control lists.
The following examples show some of the ways in which the configuration tool can be used.
```
winhttpcertcfg -l -c LOCAL_MACHINE\Root -s MyCertificate
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
winhttpcertcfg -i PFXFile -c LOCAL_MACHINE\My -a IWAM_TESTMACHINE
winhttpcertcfg -r -c LOCAL_MACHINE\Root -s MyCertificate -a IWAM_TESTMACHINE
```
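The following PowerShell sketch is an added example, not part of the original page or the Platform SDK. It enforces the parameter combinations from the table before the tool runs, then lists, grants, and lists again so the change to private key access can be reviewed. The function name `New-WinHttpCertCfgArgs` is hypothetical, and the script assumes an elevated session with winhttpcertcfg.exe on the PATH.

```powershell
# Added example (hypothetical helper, not SDK code).
# Builds a winhttpcertcfg argument list and rejects invalid combinations.
function New-WinHttpCertCfgArgs {
    param(
        [Parameter(Mandatory)][ValidateSet('Import', 'Grant', 'Remove', 'List')]
        [string]$Action,
        [Parameter(Mandatory)][string]$CertStore,
        [string]$Subject, [string]$Account, [string]$PfxFile
    )
    # -c is <location>\<store name>; location is LOCAL_MACHINE or CURRENT_USER.
    if ($CertStore -notmatch '^(LOCAL_MACHINE|CURRENT_USER)\\[^\\]+$') {
        throw "CertStore must look like LOCAL_MACHINE\My or CURRENT_USER\My"
    }
    # Companion values each action needs, per the parameter table (-c is always required).
    $required = @{
        Import = @('PfxFile', 'Account')
        Grant  = @('Account', 'Subject')
        Remove = @('Account', 'Subject')
        List   = @('Subject')
    }
    foreach ($name in $required[$Action]) {
        if ([string]::IsNullOrWhiteSpace((Get-Variable -Name $name -ValueOnly))) {
            throw "$Action requires -$name"
        }
    }
    $cmdArgs = switch ($Action) {
        'Import' { @('-i', $PfxFile, '-c', $CertStore, '-a', $Account) }
        'Grant'  { @('-g', '-c', $CertStore, '-s', $Subject, '-a', $Account) }
        'Remove' { @('-r', '-c', $CertStore, '-s', $Subject, '-a', $Account) }
        'List'   { @('-l', '-c', $CertStore, '-s', $Subject) }
    }
    return , $cmdArgs
}

# Sample values taken from the page's examples. -s matches the first
# certificate whose subject contains the string, so keep it specific
# enough to select only the intended certificate.
$store = 'LOCAL_MACHINE\My'; $subject = 'MyCertificate'; $account = 'TESTUSER'
$steps = @(
    (New-WinHttpCertCfgArgs -Action List  -CertStore $store -Subject $subject),
    (New-WinHttpCertCfgArgs -Action Grant -CertStore $store -Subject $subject -Account $account),
    (New-WinHttpCertCfgArgs -Action List  -CertStore $store -Subject $subject)
)
foreach ($step in $steps) {
    Write-Host "winhttpcertcfg $($step -join ' ')"   # record what is about to run
    & winhttpcertcfg.exe @step
}
```

Running the `Remove` action with the same store, subject, and account withdraws the access again once the account no longer needs the key.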