WinHttp Configuration for Windows Vista Beta 2 - Part 4 Client Certificates

In Part 1, Part 2 and Part 3 of this series I discussed the tools used to configure WinHttp today, introduced the changes happening for Windows Vista and how to set up proxies and tracing. In this post I’m looking at the client certificate settings. Again as a reminder, this is how it is for Windows Vista Beta 2 and can change some before Vista RTM.

First, some background. WinHttp developers are hitting a common problem when trying to use client certificates in middle-tier scenarios. Typically in those cases client certificates are installed in the Local Machine certificate store so that different user accounts can access them. The problem is that by default, only administrators and the account that imported the certificate have access to the certificate’s private key. This prevents the middle-tier code, which usually runs under a different service account, from using the certificate to perform client authentication.

To solve this problem, WinHttp shipped the winhttpcertcfg.exe tool, which for Windows Server 2003 was part of the Windows Server 2003 Resource Kit Tools. The tool allows administrators to import client certificates and to manage the accounts that have access to the certificate’s private key.

Winhttpcertcfg.exe is being deprecated for Vista. The ability to manage the access to the certificate’s private key (for the certificates in the Local Machine store) is now built into the Certificates Microsoft Management Console (MMC) snap-in.

Here is how to get to the UI:

From the start menu or a command line prompt, type mmc.exe, select File | Add/Remove Snap-in…, and add the “Certificates” snap-in for the Local Computer account. You could open the Certificates snap-in by typing “certmgr.msc”, but that opens the Current User store, not the Local Machine store. Note also that you can save the MMC configuration for later use.

To configure the accounts with access to the certificate’s private key, expand the tree view until you see the certificate (say “Certificates (Local Computer)\Personal\Certificates”), right-click on the certificate and select “All Tasks”, “Manage Private Keys…”:


This will open a standard permissions dialog from where you can manage the access to the certificate’s private key.

In case you need to import certificates you can use the same Certificates snap-in (right-click on the certificate store and select “All Tasks”, “Import…”), or you can use the CertUtil command line tool to do it programmatically (type “certutil -importPFX -?” to see the usage).
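The “Manage Private Keys…” dialog above edits the ACL on the file that holds the certificate’s private key, so the same grant can be scripted. The following PowerShell is an added example, not part of the original post or of the WinHttp team’s tooling. It assumes a certificate in the Local Machine Personal store whose key was created by a legacy CSP (those keys are files under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys); the thumbprint and the service account are placeholders you would replace. It first lists who can currently use the key, flagging grants to broad groups, and then adds a Read entry for the account the middle-tier code runs as, which is all client authentication needs.

```powershell
# Added example: audit and grant access to a Local Machine certificate's private key.
# Run from an elevated prompt. Assumes a CSP-backed (RSA) key; CNG-backed keys expose
# no .PrivateKey in Windows PowerShell, and for those the MMC dialog is the simpler route.

$Thumbprint = 'PLACEHOLDER_THUMBPRINT'            # assumption: replace with the real thumbprint
$Account    = 'NT AUTHORITY\NETWORK SERVICE'      # assumption: account the middle-tier code runs as

# Principals that should normally not hold rights on a machine private key.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store."
    }
    if ($null -eq $Cert.PrivateKey) {
        throw "Key for $($Cert.Thumbprint) is CNG-backed; use 'Manage Private Keys...' in the MMC."
    }
    # For CSP keys the unique container name is the key file's name under MachineKeys.
    $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
}

function Show-PrivateKeyAccess {
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $path = Get-PrivateKeyPath -Cert $cert
    $acl  = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        $flag = if ($BroadPrincipals -contains $who) { '  <-- overly broad' } else { '' }
        '{0,-45} {1,-20} {2}{3}' -f $who, $ace.FileSystemRights, $ace.AccessControlType, $flag
    }
}

function Grant-PrivateKeyRead {
    param([string]$Thumbprint, [string]$Account)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $path = Get-PrivateKeyPath -Cert $cert
    $acl  = Get-Acl -Path $path
    # Read is enough to sign/decrypt with the key; Full Control would let the account
    # replace or delete it, which a service account doing TLS client auth never needs.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

Write-Host "Before:"
Show-PrivateKeyAccess -Thumbprint $Thumbprint
Grant-PrivateKeyRead  -Thumbprint $Thumbprint -Account $Account
Write-Host "After:"
Show-PrivateKeyAccess -Thumbprint $Thumbprint
```

Running Show-PrivateKeyAccess on its own against every certificate in Cert:\LocalMachine\My is a quick way to find keys that were granted to Everyone or Users during troubleshooting and never tightened again; the default ACL written at import time contains only SYSTEM and Administrators, which is the behaviour the post describes.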

We want your feedback!

This post is the last one of the WinHttp Configuration for Vista series.

Please let us know what you think about the new WinHttp configuration story. Please send us your comments or questions, especially if you see yourself being blocked because of missing functionality.

 --Nesho Neshev
 Software Design Engineer / Test
 Web Transports Team, Windows Networking

Comments

  • Anonymous
    March 21, 2007
    In my previous posts, I described the new WinHttp proxy , tracing and client certificate configuration

  • Anonymous
    June 08, 2008
    There are no manage permission option on a self-signed certificate when I import them in Windows Server 2008. I see the Manage Private Keys for other certificates in the store, but not the one I imported.

  • Anonymous
    July 24, 2009
    The comment has been removed

  • Anonymous
    July 26, 2009
    The comment has been removed

  • Anonymous
    October 02, 2009
    I use to use winhttpcertcfg for windows server 2003, I can only access the certificate if the user that added that did the snap-in and winhttpcertcfg command is logged in.  I also tried using the steps above with the windows server 2008 and get the same results.  What is it that I might be doing wrong?