Using WinHttpCertCfg

Recently for work I had to setup a server to access a secure API using a client certificate to grant access. This lead me to having to use WinHttpCertCfg.exe found here: This tool works pretty good here is the basics on using it.


To Grant Read permission to the IIS worker process, for the Personal certificate named “Example Cert” stored in the Local Machine store:

In CMD run the following command:

winhttpcertcfg -g -c “LOCAL_MACHINE\My” -s “Example Cert” -a “Account Your IIS proccess is running as”

Microsoft (R) WinHTTP Certificate Configuration Tool

Copyright (C) Microsoft Corporation 2001.

Matching certificate:

CN=Example Cert

O=Some Object


Granting private key access for account:



N0w this works great and all but when this tools looks for the CN it does a match so if there are any other CN’s that are named similar it will grab the first one it sees regardless so you will need to search for something more unique other than the CN maybe the issuer or the email on the cert. I learned this because we had two other certificates that had the same first three letters in the CN.

Just figured I would pass the info on for anyone having issues maybe it could save them some hair trying to figure out why it won’t show the cert you are looking for.



Leave Comment

Your email address will not be published. Required fields are marked *