
WinHttpCertCfg a Command Line Certificate Configuration Tool for IIS6

(2011-06-16 02:34:42)
Tags: it

Category: Work

If you need a command-line tool that lets administrators, or developers building an automated deployment tool, import certificates and their private keys for use on client computers, WinHttpCertCfg.exe comes in handy for the job. What makes it an interesting choice for your deployment toolkit is that this rather obscure gem lets you install any PFX certificate (read: private key included) and assign the required ACL permissions on the private key to your process account, which would typically be the ASPNET account on Windows XP (and older systems) and the Network Service account on W2K2 or better. The best part is that it is fully scriptable: you just specify the right parameters.

Let's see a quick example of WinHttpCertCfg.exe in action. The following command imports a certificate and private key from a PFX file and extends private key access to the Network Service account.

winhttpcertcfg -g -i "MyPfxcertificate.pfx" -c LOCAL_MACHINE\My -a "Network Service" -p pfxpassword

You may find more examples from: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/winhttpcertcfg_examples.asp
and download the WinHttpCertCfg tool here:
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

The only drawback of this tool is that it is intended for the PFX certificate file format only. If you need to install a public-key-only certificate, such as the standard .p7b or .crt formats, you will need another tool, like the Certificate Manager tool (CertMgr.exe)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatemanagertoolcertmgrexe.asp

that comes with the Microsoft .NET Framework SDK tools
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconNETFrameworkTools.asp

Its usage is very simple as well. This example installs the MyCA root certificate into the Local Machine "Trusted Root Certification Authorities" store (Root).

certmgr -add -all -c "MyCA.p7b" -s -r localMachine Root 


As you can see, both tools come in handy whenever you need to build a deployment script or just assign the required permissions to a certificate's private key file, without the hassle of complicated APIs or obscure directory paths like "[Documents and Settings]\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys".

Here are more examples from my work, following the steps I took when implementing a certificate renewal of the CompanyName Class 1 cert on Windows 2003 servers.

1. Import cert into Local Computer cert store.
2. Ensure Root cert and Intermediate cert are moved to their respective stores.
3. Open the command prompt shortcut in D:\Windows Resource Kits\Tools
4. Use the winhttpcertcfg command to list the current settings:

D:\Windows Resource Kits\Tools>winhttpcertcfg -l -c LOCAL_MACHINE\My -s wtw
Microsoft (R) WinHTTP Certificate Configuration Tool
Copyright (C) Microsoft Corporation 2001.

Matching certificate:
E=website@mycompany.com
CN=mycompany
OU=Digital ID Class 1 - Microsoft Full Service
OU=Persona Not Validated
OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98"
OU=VeriSign Trust Network
O="VeriSign, Inc."

Additional accounts and groups with access to the private key include:
    Server1\Admin1
    NT AUTHORITY\SYSTEM

5. Now use the command to modify access permissions for the private key:

D:\Windows Resource Kits\Tools>winhttpcertcfg -g -c LOCAL_MACHINE\My -s wtw -a IPFS_Server1
Microsoft (R) WinHTTP Certificate Configuration Tool
Copyright (C) Microsoft Corporation 2001.

Matching certificate:
E=website@mycompany.com
CN=mycompany
OU=Digital ID Class 1 - Microsoft Full Service
OU=Persona Not Validated
OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98"
OU=VeriSign Trust Network
O="VeriSign, Inc."

Granting private key access for account:
        Server1\IPFS_Server1


It is imperative this is done or else the application will not work. 
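Since the application breaks when the private key grant is missing, a deployment script should verify step 5 rather than assume it worked. The following is an added example, not code from the original post: it parses winhttpcertcfg -l output of the shape shown above and reports which required accounts are not listed. The sample listing, subject fields and account names are constructed; on a real server the text would come from running the tool.

```python
from typing import Dict, List

# Constructed sample of `winhttpcertcfg -l` output, modelled on the listing in
# the post above; subject fields and account names are placeholders.
SAMPLE_LISTING = """\
Microsoft (R) WinHTTP Certificate Configuration Tool
Copyright (C) Microsoft Corporation 2001.

Matching certificate:
E=website@mycompany.com
CN=mycompany
O="VeriSign, Inc."

Additional accounts and groups with access to the private key include:
    Server1\\Admin1
    NT AUTHORITY\\SYSTEM
"""

def parse_listing(text: str) -> List[Dict[str, list]]:
    """One dict per 'Matching certificate' block: subject RDNs as (key, value)
    pairs plus the accounts that can read the private key."""
    certs: List[Dict[str, list]] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching certificate:"):
            current = {"subject": [], "accounts": []}
            certs.append(current)
            section = "subject"
        elif line.startswith("Additional accounts and groups"):
            section = "accounts"
        elif current is None:
            continue  # tool banner lines before the first match
        elif section == "subject":
            key, _, value = line.partition("=")
            current["subject"].append((key.strip(), value.strip().strip('"')))
        elif section == "accounts":
            current["accounts"].append(line)
    return certs

def missing_accounts(text: str, required: List[str]) -> List[str]:
    """Accounts in `required` that no listed certificate grants key access to;
    comparison is case-insensitive like Windows account names."""
    granted = {a.casefold() for c in parse_listing(text) for a in c["accounts"]}
    return [a for a in required if a.casefold() not in granted]
```

If the tool finds no matching certificate, parse_listing returns an empty list and every required account is reported missing, so the script fails early instead of deploying a broken application.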
