Following on from my travails with HttpListeners not working as a non-admin user, it turned out that the Cardspace samples (download them here if you’re interested) had one more sticking point up their sleeve before everything worked. The main example demonstrates how a simple Security Token Service is used to verify the managed card a user wants to send to a site. However, the service is accessible only through the HTTPS protocol on port 7001 and Cardspace was unable to access it. A little digging revealed that the setup scripts for the sample tried and failed to build a copy of httpcfg, a utility found on Windows Server 2003. I didn't have the necessary files to build httpcfg successfully, bit it turns out that the netsh utility that comes with Vista and helped me out previously could also help me out here to.

The command required to add the certificate to a port with netsh is

netsh http add sslcert ipport= certhash=thumbprint appid=arbitrary_guid

And the corresponding one to remove it is

netsh http delete sslcert ipport=


The add command needs two pieces of information besides the port number.

  • appid is an arbitrary guid to represent the application accessing the port.
  • certhash requires the certificate’s thumbprint to identify it to netsh

If you’ve never needed to find a certificate’s thumbprint before, hit Win+R and run certmgr.msc from the prompt to open the Vista Certificates MMC Viewer. (If the certificate is stored in the Local Machine certificate store rather than your own accounts store, you’ll need to run certmgr.msc as an admin). The certificate should be stored in Personal\Certificates. When you find it, double-click it and select the Details tab. If you scroll the view down, you’ll see Thumbprint towards the bottom of the dialog.


You’ll need to copy all 20 pairs of hex digits and remove all the spaces. Given the example above then, you can add the certificate shown to port 7001 using this command.

netsh http add sslcert ipport= certhash=d47de657fa4902555902cb7f0edd2ba9b05debb8 appid={C61EC2E2-BC18-4522-903B-F44A56299787}

And then you can check that all’s well with this command

netsh http show sslcert

This will show you all the certificates bound to a port on your machine. netsh - the network admin’s swiss army knife