How can an admin install the client certificate into the CURRENT_USER\Personal registry of another user?

The following is what I have learned:

1. Both CertMgr.exe and WinHttpCertCfg.exe programs behave a bit weird at times. And their online documentation is not so helpful.
2. The CertMgr.exe program works properly for installing the Root CA Certificate although it does not tell you when the action (installation) actually fails. For example, the following is a bogus command, yet it reports “Succeeded”:

    C:\clientcert>certmgr -add -c -s bogus -r currentUser Root
    CertMgr Succeeded

3. The WinHttpCertCfg.exe program:
   a. It seems to have been created for allowing Web apps (e.g., ASP.NET on a Windows Server) to call Web Services using the “Network Service” account which requires access to the client certificate (private key) in the LOCAL_MACHINE.
   b. It allows any user to install a client certificate into the CURRENT_USER\Personal registry of his/her own account.
   c. It does not allow an admin to install the client certificate into the CURRENT_USER\Personal registry of another user.
   d. However, it does allow an admin to install it into the LOCAL_MACHINE\Personal or CURRENT_USER\Personal registry and then allow him/her to grant access to the private key for another user. However, an Internet Explorer instance (run by another user) does NOT have access to the CURRENT_USER\Personal registry.

#3.c is what I want to ask Microsoft. If there’s some other solution to this particular problem we are trying to solve, that would be great.

I’m also wondering if we could prepare and provide some scripts/procedure like the following to the customers. If we could, then we may not need the GUI program at all.

1. An admin installs the two programs on a network drive (or local drive) and then writes a logon script or GPO that uses the programs. The downside to this might be that the password to the client certificate would need to be hard-coded or prompted to the end user (which doesn’t sound like a good idea).
2. As part of a user’s logon process, the script checks the CURRENT_USER\Personal registry and runs the WinHttpCertCfg.exe program if the cert has not been installed yet. If it has already been installed, the step is skipped.
November 16th, 2011 9:48am
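
The logon-script idea in the post above, sketched as an added example (not the poster's script and not Microsoft's): it runs as the logging-on user, so CurrentUser\My is that user's own Personal store, and it imports the PFX only when the expected thumbprint is missing. It uses the .NET X509Store class instead of WinHttpCertCfg.exe and prompts for the PFX password rather than hard-coding it; the share path and thumbprint are placeholders.

```powershell
# Added example: per-user logon script (idempotent client-certificate install).
param(
    [string]$PfxPath    = '\\fileserver.example\certs\client.pfx',  # hypothetical share
    [string]$Thumbprint = '<EXPECTED-CERT-THUMBPRINT>'              # placeholder
)

$ErrorActionPreference = 'Stop'
$ns   = 'System.Security.Cryptography.X509Certificates'
$want = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# CurrentUser\My is the "Personal" store of whoever runs this script.
$store = New-Object "$ns.X509Store" ('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $byThumb = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    $found   = $store.Certificates.Find($byThumb, $want, $false)

    # Already installed with a usable private key: skip the step.
    if ($found.Count -gt 0 -and $found[0].HasPrivateKey) {
        Write-Output "Client certificate $want already installed; skipping."
        return
    }

    # Prompt instead of embedding the PFX password in the script or GPO.
    $password = Read-Host -AsSecureString 'Password for the client certificate'

    # First load without persisting the key, to confirm this is the expected cert.
    $probe = New-Object "$ns.X509Certificate2" ($PfxPath, $password)
    if ($probe.Thumbprint -ne $want) {
        throw "PFX thumbprint $($probe.Thumbprint) does not match expected $want"
    }
    $probe.Reset()

    # Second load persists the private key in the user's own key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert  = New-Object "$ns.X509Certificate2" ($PfxPath, $password, $flags)
    $store.Add($cert)
    Write-Output "Installed client certificate $want for $env:USERNAME."
}
finally {
    $store.Close()
}
```

The private key is imported as non-exportable because the Exportable flag is not set.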

Hi, I'm trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Best Regards, Niki
November 18th, 2011 2:35am

Hi, Glad to see you. The current_user registry means the currently logged-on user. According to your requirement, you want the admin to install the certificate into current_user/Personal of another user, but current_user/personal is for the admin. So I want to confirm whether you want the admin to install a certificate for another user on the computer. If so, I think your main concern is that you just want to automatically request and install a certificate for users, so we could use autoenrollment to achieve our goals.

More information:
http://technet.microsoft.com/en-us/library/cc787781(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc731522.aspx
November 18th, 2011 3:46am

November 18th, 2011 11:44am

Hi, As this thread has been quiet for a while, I assume the issue has been resolved. At this time, we will mark it as "Answered" as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Best Regards, Niki
December 8th, 2011 1:10am

This topic is archived. No further replies will be accepted.