App Muncher

Issues faced - solutions identified - shared with community.

To install a client certificate (a PFX file carrying its private key) into a Windows certificate store, and to control which accounts may use that private key, use the WinHTTP certificate configuration tool, WinHttpCertCfg.exe.
It is part of the Windows Resource Kit Tools; download the Resource Kit Tools from the link above.

The configuration tool accepts the following parameters:

Parameter   Description
-?          Displays syntax data.
-i          Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file. This parameter must be followed by the name of the file. When this parameter is specified, "-a" and "-c" must also be specified.
-g          Specifies that access is granted to a private key. When this parameter is specified, "-a", "-c", and "-s" must also be specified.
-r          Specifies that access is removed for a private key. When this parameter is specified, "-a", "-c", and "-s" must also be specified.
-l          Specifies that accounts with access to a private key are listed. When this parameter is specified, "-c" and "-s" must also be specified.
-a          Specifies the user account on the machine being configured. This can be a local machine or domain account, such as "IWAM_TESTMACHINE", "TESTUSER", or "TESTDOMAIN\DOMAINUSER".
-c          Specifies the location and name of the certificate store. Use "LOCAL_MACHINE" or "CURRENT_USER" to designate which registry branch to use for the location. The certificate store can be any installed on the machine. Typical name examples are "MY", "Root", and "TrustedPeople". The location and name of the certificate store are separated with a backslash, for example, "LOCAL_MACHINE\Root". Note: although the "CURRENT_USER" branch of the registry can be specified with this parameter, extending access to private keys is primarily intended for certificates installed in a local computer certificate store that can be accessed by multiple users.
-s          Specifies a case-insensitive search string for finding the first enumerated certificate with a subject name that contains this substring.
-p          Specifies a password that is used to import the certificate and the private key. This is only used with the import option.


Examples:

* To list the accounts that have access to the private key of a specific certificate, e.g. TestCert in the local machine Personal (MY) store, run:

winhttpcertcfg -l -c LOCAL_MACHINE\MY -s TestCert 

or

winhttpcertcfg -s TestCert -l -c CURRENT_USER\MY 
(in case the certificate is in the current user Personal store)

or

winhttpcertcfg -s TestCert -l -c CURRENT_USER\ROOT 
(in case the certificate is in the current user Root store)

Note that -s matches the first certificate whose subject contains the substring, so check the listed subject if several certificates share a prefix.


* Similarly, to grant a specific user account, e.g. MyTestUser, access to the private key of a certificate, e.g. TestCert in the local machine Personal store, run:

winhttpcertcfg -g -c LOCAL_MACHINE\MY -s TestCert -a MyTestUser

(The value of -c is always location\store name, e.g. LOCAL_MACHINE\MY; the account being granted access goes in -a.)

or

winhttpcertcfg -g -c CURRENT_USER\MY -s TESTCERT -a World-Bank\Champion
(Here TestCert is located in the current user Personal store and we granted access to the user account Champion in the domain World-Bank.)

Grant private key access only to the account that actually needs to use the certificate (the service or application pool identity), not to broad groups.


* To remove a user account's access to a certificate's private key, use the following command:

winhttpcertcfg -r -c CURRENT_USER\MY -s TESTCERT -a World-Bank\Champion
(Here TestCert is located in the current user Personal store and we removed access for the user account Champion in the domain World-Bank.)
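The same four operations (-i, -l, -g, -r) can be done with built-in PowerShell on a machine that has no Resource Kit, which is useful because the tool is old and the private key ACL is just a file ACL on the key container. The script below is an added example for this post, not code from Microsoft or from the original author; it assumes PowerShell 5.1 or later with the PKI module (for Import-PfxCertificate), an RSA key stored in software (not a TPM or smart card), and the store path, subject string, PFX path and account name are illustrative values to replace with your own.

```powershell
# Added example (not from the original post): winhttpcertcfg -i / -l / -g / -r
# done with built-in PowerShell. Store names, 'TestCert', the PFX path and the
# account 'World-Bank\Champion' below are assumed values for illustration.
#Requires -RunAsAdministrator

# -s equivalent: first certificate in the store whose subject contains $Subject
# (-like is case-insensitive, matching the tool's behaviour).
function Find-CertBySubject {
    param(
        [string]$Store,    # 'LocalMachine\My', 'CurrentUser\My', 'LocalMachine\Root', ...
        [string]$Subject
    )
    $cert = Get-ChildItem -Path "Cert:\$Store" |
        Where-Object { $_.Subject -like "*$Subject*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate in $Store with a subject containing '$Subject'." }
    return $cert
}

# The private key lives in a file under ProgramData\Microsoft\Crypto (machine
# keys) or %APPDATA%\Microsoft\Crypto (user keys). Legacy CSP keys are named by
# UniqueKeyContainerName, CNG keys by CngKey.UniqueName.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "'$($Cert.Subject)' has no private key in this store." }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw "'$($Cert.Subject)' does not carry an RSA key; this example handles RSA only." }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $file = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto", "$env:APPDATA\Microsoft\Crypto" `
        -Recurse -File -Filter $name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $file) { throw "Key container '$name' not found on disk (hardware-backed key?)." }
    return $file.FullName
}

# -i equivalent: import the PFX, then grant $Account read access to its key.
function Import-ClientCert {
    param([string]$PfxPath, [string]$Store, [string]$Account)
    $password = Read-Host -Prompt 'PFX password' -AsSecureString   # never pass it on the command line
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation "Cert:\$Store" -Password $password
    Grant-PrivateKeyAccess -Store $Store -Subject $cert.Subject -Account $Account
    return $cert.Thumbprint
}

# -l equivalent: who can use the key.
function Get-PrivateKeyAccess {
    param([string]$Store, [string]$Subject)
    $path = Get-PrivateKeyFile (Find-CertBySubject $Store $Subject)
    (Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# -g equivalent: Read is all a service account needs to sign/decrypt with the key;
# do not hand out Modify or FullControl.
function Grant-PrivateKeyAccess {
    param([string]$Store, [string]$Subject, [string]$Account)
    $path = Get-PrivateKeyFile (Find-CertBySubject $Store $Subject)
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# -r equivalent: drop every ACE for the account.
function Remove-PrivateKeyAccess {
    param([string]$Store, [string]$Subject, [string]$Account)
    $path = Get-PrivateKeyFile (Find-CertBySubject $Store $Subject)
    $acl  = Get-Acl -Path $path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    Set-Acl -Path $path -AclObject $acl
}

# Usage, mirroring the three winhttpcertcfg commands above:
#   Get-PrivateKeyAccess    -Store 'LocalMachine\My' -Subject 'TestCert'
#   Grant-PrivateKeyAccess  -Store 'LocalMachine\My' -Subject 'TestCert' -Account 'World-Bank\Champion'
#   Remove-PrivateKeyAccess -Store 'LocalMachine\My' -Subject 'TestCert' -Account 'World-Bank\Champion'
```

Run it elevated, as the tool itself requires for LOCAL_MACHINE stores. Listing the ACL before and after a grant is the quickest way to confirm that only the intended identity gained Read, and that no leftover ACE for a retired account remains on the key file.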

Reference: Certificate Configuration
