Automating Certificate Management with the WinHTTP Certificate Configuration Tool

How to Use the WinHTTP Certificate Configuration Tool for Secure HTTP

What it is

The WinHTTP Certificate Configuration Tool (winhttpcertcfg or related utilities) helps configure certificates for applications that use WinHTTP on Windows so HTTPS requests present the correct client or server certificates.

When to use it

  • An application using WinHTTP needs a client certificate for mutual TLS (mTLS).
  • You must bind a certificate from the Windows certificate store to a user, group, or service account so WinHTTP can access it.
  • You need to set proper permissions for private keys used by WinHTTP callers.

Prerequisites

  • Administrative privileges on the Windows machine.
  • The certificate installed in the appropriate Windows certificate store (usually Local Machine\My or Current User\My).
  • The certificate includes a private key and is valid for client authentication (Enhanced Key Usage includes Client Authentication).

Common commands and steps

  1. Locate the certificate’s thumbprint:

    • Open certlm.msc (Local Machine) or certmgr.msc (Current User), find the certificate, view Details → Thumbprint, and copy it (remove spaces).
  2. Grant access to the certificate private key (using modern tools):

    • Use PowerShell with Get-Acl / Set-Acl on the private key file under:
      • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (for machine keys)
    • Example (run as admin):

      Code

      # <filename> is the key container file resolved from the certificate (see below)
      $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<filename>"
      $acl = Get-Acl $keyPath
      # Read is enough for WinHTTP to load the key for the TLS handshake; do not grant FullControl
      $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\ServiceAccount", "Read", "Allow")
      $acl.AddAccessRule($rule)
      Set-Acl -Path $keyPath -AclObject $acl
    • To find the filename for a certificate thumbprint, use:

      Code

      $thumb = "THUMBPRINT_NO_SPACES"
      $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
      # Works for legacy CSP keys; for CNG keys $cert.PrivateKey is $null on .NET Framework
      # and the key file lives under C:\ProgramData\Microsoft\Crypto\Keys instead
      $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
  3. (If using legacy winhttpcertcfg) Example usage:

    • Grant access to a service account:

      Code

      winhttpcertcfg -g -c LOCAL_MACHINE\MY -s "CertSubjectName" -a "DOMAIN\ServiceAccount"
    • Remove access:

      Code

      winhttpcertcfg -r -c LOCAL_MACHINE\MY -s "CertSubjectName" -a "DOMAIN\ServiceAccount"

    Note: winhttpcertcfg is deprecated on newer Windows — prefer PowerShell/Certutil.

  4. Using certutil to export/import or examine:

    • List certs:

      Code

      certutil -store My
    • Export:

      Code

      certutil -exportPFX -p password My "THUMBPRINT" output.pfx
  5. Configure WinHTTP proxy/client settings if required:

    • Use netsh winhttp import proxy source=ie or set proxy directly:

      Code

      netsh winhttp set proxy proxy-server="http=proxy:8080;https=proxy:8080"

Verification

  • Test the application making HTTPS requests; enable logging or use network capture to confirm TLS handshake and client certificate presentation.
  • Use certutil -verify or PowerShell to confirm private key accessibility by the intended account.
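The following script is an added example, not code from the original article; it ties together steps 1 to 3 above (resolving the thumbprint to the on-disk key file and granting Read to a service account) and the verification bullets in this section (checking the Client Authentication EKU and that the account actually holds a Read ACE on the key). It assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later (needed for the RSACertificateExtensions and ECDsaCertificateExtensions calls), an elevated session, the LocalMachine\My store, and placeholder thumbprint and account values. Unlike the one-liners above it also handles CNG keys, whose files live under Microsoft\Crypto\Keys rather than RSA\MachineKeys.

```powershell
# Added example; not from the article. Assumes Windows PowerShell 5.1 (.NET Framework 4.6.1+),
# an elevated session, the LocalMachine\My store, and placeholder thumbprint/account values.

function Resolve-PrivateKeyPath {
    # Returns the on-disk private key file for a certificate, for both legacy CSP and CNG keys.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No certificate with thumbprint $thumb in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key" }

    $fileName = $null
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        # Legacy CSP (CAPI) key: the file sits under Microsoft\Crypto\RSA\MachineKeys
        $fileName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        # CNG key: PrivateKey is $null on .NET Framework, so use the extension methods instead
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) { $fileName = $key.Key.UniqueName }
    }
    if (-not $fileName) { throw "No software key container found for $thumb (hardware-backed or non-RSA/ECDSA key?)" }

    # Some providers return a full path in UniqueName; otherwise search the machine key directories.
    if ([System.IO.Path]::IsPathRooted($fileName) -and (Test-Path -LiteralPath $fileName)) { return (Get-Item -LiteralPath $fileName).FullName }
    $roots = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys")
    foreach ($root in $roots) {
        $hit = Get-ChildItem -LiteralPath $root -Filter $fileName -File -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    throw "Key file '$fileName' not found under $($roots -join '; ') (CurrentUser-store keys live under the user profile, not here)"
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account,   # e.g. 'DOMAIN\svc-winhttp' or 'NT SERVICE\MyService' (placeholders)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $keyPath = Resolve-PrivateKeyPath -Thumbprint $Thumbprint -StorePath $StorePath
    $acl = Get-Acl -LiteralPath $keyPath
    # Read is all WinHTTP needs to load the key for the TLS handshake; FullControl would let the caller replace the key
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl
    return $keyPath
}

function Test-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $keyPath = Resolve-PrivateKeyPath -Thumbprint $Thumbprint -StorePath $StorePath
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # No EKU extension means "any purpose"; an EKU present without Client Authentication is the usual mTLS misconfiguration
    $clientAuthOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    # Only a direct Allow ACE for this account counts; group-derived access is deliberately not credited
    $readAces = (Get-Acl -LiteralPath $keyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -eq [System.Security.AccessControl.FileSystemRights]::Read
    }
    [pscustomobject]@{
        Thumbprint     = $thumb
        NotAfter       = $cert.NotAfter
        ClientAuthEku  = $clientAuthOk
        KeyPath        = $keyPath
        AccountHasRead = [bool]$readAces
    }
}

# Usage (placeholder values):
# Grant-PrivateKeyRead  -Thumbprint 'THUMBPRINT_NO_SPACES' -Account 'DOMAIN\svc-winhttp'
# Test-PrivateKeyAccess -Thumbprint 'THUMBPRINT_NO_SPACES' -Account 'DOMAIN\svc-winhttp' | Format-List
```

Test-PrivateKeyAccess intentionally reports only a direct ACE for the named account, which matches the least-privilege advice in the Security considerations section: if the check says AccountHasRead is false but the application still works, the key is reachable through a broader group grant (for example Administrators or Everyone) that is worth reviewing. A hardware-backed key (TPM or HSM) has no file to ACL and makes Resolve-PrivateKeyPath throw; key access for those is managed by the key storage provider, not NTFS.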

Troubleshooting tips

  • If the app fails with TLS client cert errors, check private key permissions and that the certificate supports client authentication.
  • Ensure the service account has access to the certificate’s private key file (machine vs. user store mismatch is common).
  • On modern Windows, prefer using PowerShell and certutil instead of legacy winhttpcertcfg.

Security considerations

  • Grant the minimum required permissions (specific service account rather than broad groups).
  • Protect exported PFX files with strong passwords and delete after import.

