I found out that I can do everything with certutil and winhttpcertcfg like this:
1) add .p12 to Personal key store
certutil -p P@ssword -importpfx cert.p12
2) add .cer certificate as trusted publisher
certutil -addstore TrustedPublisher cert.cer
3) check which users have access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -l
4) grant access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -g -a user@domain.com
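
The four steps above as a single PowerShell script, added here as an example (not code from the original answer): it stops at the first failing command, reads the PFX password from a prompt instead of storing it in the script, and prints what the grant changed in the private key's access list. The file names, certificate.name and user@domain.com are the placeholders from the answer, and Invoke-Checked is a helper defined in the example.

```powershell
# Added example. File names, certificate.name and user@domain.com are the
# placeholders used in the answer; Invoke-Checked is a helper defined here.
param(
    [string]$PfxPath = '.\cert.p12',
    [string]$CerPath = '.\cert.cer',
    [string]$Subject = 'certificate.name',
    [string]$Account = 'user@domain.com'
)

function Invoke-Checked {
    param([string]$Exe, [string[]]$Arguments)
    # Run a native tool and stop the script if it reports failure.
    $out = & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE`n$($out -join "`n")"
    }
    $out
}

# 1) Import the .p12 into the Personal store. The password is prompted for,
#    so it is not saved in the script or in shell history. It is still passed
#    to certutil as an argument, so it is visible to process listings while
#    certutil runs.
$secure = Read-Host -AsSecureString 'PFX password'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    Invoke-Checked certutil @('-p', $plain, '-importpfx', $PfxPath) | Out-Null
} finally {
    $plain = $null
}

# 2) Add the .cer as a trusted publisher.
Invoke-Checked certutil @('-addstore', 'TrustedPublisher', $CerPath) | Out-Null

# 3) Record who can read the private key before anything is granted.
$store  = 'LOCAL_MACHINE\My'
$before = Invoke-Checked winhttpcertcfg @('-c', $store, '-s', $Subject, '-l')

# 4) Grant access, then list again.
Invoke-Checked winhttpcertcfg @('-c', $store, '-s', $Subject, '-g', '-a', $Account) | Out-Null
$after = Invoke-Checked winhttpcertcfg @('-c', $store, '-s', $Subject, '-l')

# Lines present only in the second listing are what the grant added. Review
# them: every account listed can use the certificate's private key.
$added = Compare-Object $before $after | Where-Object SideIndicator -eq '=>'
'Access list after grant:'; $after
'Added by this run:';       $added.InputObject
```

Run it from an elevated prompt, since it writes to the local machine stores. An empty "Added by this run" section means the account already had access before the grant.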