The CertMgr utility replaces DumpCert. It includes new capabilities for the management of certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). CertMgr performs four functions:
The utility performs one of these actions depending on the action flag given in the command. For the latest documentation on CertMgr, see the CryptoAPI Tools section of the MSDN Library.
For more information on application security, see the Platform SDK, Security section of the MSDN Library.
```
CertMgr [-add | -del | -put] [options] [-s [-r registryLocation]] SourceName [-s [-r registryLocation]] DestinationName
```
The following table indicates the basic actions of the CertMgr utility.
| Action flag | Description |
|---|---|
| None | Displays certificates, CRLs, or CTLs. |
| -add | Copies certificates, CTLs, and CRLs to a certificate store. |
| -del | Deletes certificates, CTLs, and CRLs from a certificate store. |
| -put | Saves an X.509 encoded certificate, CTL, or CRL to a file. |
With no action flag (to display only), SourceName is the name of the certificate store or file containing the items to display. The store can be a serialized store (StoreFile) or a system store. By default, CertMgr displays all the certificates, CTLs, or CRLs in the certificate store or file. DestinationName is not used for display.
When using -add, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationStore is the destination certificate store to which the certificates, CTLs, and CRLs will be added. The destination store will be saved as a serialized store, unless the -7 option is used, which saves the store as a PKCS #7 file. Note that the -7 option cannot be used when the destination store is a system store.
When using -del, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationStore is the destination certificate store which will contain copies of the remaining certificates, CTLs, and CRLs after the specified items have been deleted. If DestinationStore is not specified, SourceStore will also serve as the destination store (it will be modified). The destination store will be saved as a serialized store, unless the -7 option is used, which saves the store as a PKCS #7 file. Note that the -7 option cannot be used when the destination store is a system store.
When using -put, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationName is the name of a file to which an X.509 encoded certificate, CTL, and CRL will be saved. If the -7 option is used, the file will be saved as a PKCS #7 file. The -s and -r options are not used with -put.
The following options apply to all CertMgr functions except where noted.
| Option | Action flag | Description |
|---|---|---|
| -v | None (display only) | Verbose mode. Displays detailed information about certificates, CTLs, and CRLs. The default is to display brief information. |
| -c | All | Use certificates only. |
| -CTL | All | Use CTLs only. |
| -CRL | All | Use CRLs only. |
| -all | -add, -del, -put only | Adds all entries of the chosen type. |
| -e encodingType | All | Certificate encoding type. |
| -y storeProviderType | All | Store provider type. |
| -7 | -add, -del, -put only | Saves the destination store as a PKCS #7 file. |
| -f dwFlags | All | Store open flag. This is the dwFlags parameter passed to CertOpenStore. The default value is CERT_SYSTEM_STORE_CURRENT_USER. Meaningful only if -y is set. For more information, see the description of the CertOpenStore function in the MSDN Library. |
| -n commonNameString | -add, -del, -put only | Common name of the certificate to add, delete, or save. Can be used only with certificates. |
| -sha1 sha1Hash | -add, -del, -put only | SHA1 hash of the certificate, CTL, or CRL to be copied, deleted, or saved. |
| -s | All | Indicates that the store is a system store. |
| -r registryLocation | All | Registry location of the system certificate store. Meaningful only when -s is set. Must be set to either currentUser (registry key HKEY_CURRENT_USER) or localMachine (registry key HKEY_LOCAL_MACHINE). currentUser is the default. |
| -? | All | Displays all the options. |
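The following batch script is an added example and is not part of the CertMgr documentation. It combines the -add and -del actions described above with the -s and -sha1 options from the table: the current-user root store is first copied to a serialized store file, and only then is a single certificate removed from it by its SHA1 hash, so that the removed item can be restored from the backup if the deletion turns out to be a mistake. The hash value and the file name rootBackup.str are placeholders, and the script assumes CertMgr sets a non-zero exit code when an action fails.

```batch
@echo off
REM Added example, not from the CertMgr documentation.
REM Placeholder hash: read the real value from the verbose listing in step 1.
set TARGET_SHA1=0000000000000000000000000000000000000000
REM Placeholder backup file name; with no -7 option it is written as a serialized store.
set BACKUP=rootBackup.str

REM Step 1: list the root system store verbosely so the SHA1 hash of each
REM certificate can be read. With no action flag CertMgr only displays.
CertMgr -v -c -s root

REM Step 2: copy every certificate in the root system store to the backup file
REM before changing anything. Assumes a non-zero errorlevel on failure.
CertMgr -add -all -c -s root %BACKUP%
if errorlevel 1 (
    echo Backup of the root store failed; nothing was deleted.
    exit /b 1
)

REM Step 3: delete only the certificate whose SHA1 hash matches. Because no
REM DestinationStore is given, the root system store itself is modified.
CertMgr -del -c -sha1 %TARGET_SHA1% -s root

REM Step 4: display what remains in the store and what is held in the backup.
CertMgr -c -s root
CertMgr -c %BACKUP%

REM To restore the removed certificate from the backup, the same hash selects it
REM from the serialized store file and the destination is the root system store:
REM CertMgr -add -c -sha1 %TARGET_SHA1% %BACKUP% -s root
```

Using -sha1 rather than -n for the deletion avoids removing a different certificate that happens to carry the same common name, since the SHA1 hash identifies exactly one encoded certificate.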
CertMgr is only supported in Microsoft® Internet Explorer 4.0 or later.
CertMgr can copy, delete, or save one or more certificates, CTLs, or CRLs. If there is more than one item in one of these categories, the user has three options:
Each CertMgr action uses a slightly different set of syntax and options; use the syntax and options specific to the action being performed.
CertMgr works with two kinds of certificate stores: StoreFile and system store. A StoreFile can be one of the following kinds of files:
It is not necessary to specify the type of the StoreFile. CertMgr can determine the StoreFile type and take the appropriate actions.
A system store is a certificate store normally located in the registry under currentUser. The user can refer to a system store by providing just its name. It is not necessary to specify the certificate store provider type. Depending on the type of StoreFile or system store, CertMgr chooses the corresponding store provider type.
CertMgr can be used to view certificates, CRLs, and CTLs from a file or a certificate store, to copy certificates into a certificate store, to delete certificates from a certificate store, and to save certificates to files.
The file must be one of the following types:
The following examples use CertMgr commands to perform common certificate tasks.
Display the certificates, CTLs, and CRLs in the file myFile.ext:

```
CertMgr myFile.ext
```

Display the certificates, CTLs, and CRLs in the system store my:

```
CertMgr -s my
```

Add all certificates from the file myFile.ext to the store file newFile.ext:

```
CertMgr -add -all -c myFile.ext newFile.ext
```

Add all certificates from the system store my to the store file newMy.ext:

```
CertMgr -add -all -c -s my newMy.ext
```

Add the certificate with the common name myCert from the system store my to the store file newCert.cer:

```
CertMgr -add -c -n myCert -s my newCert.cer
```

Delete all certificates from the system store MY (no destination store is given, so MY itself is modified):

```
CertMgr -del -all -c -s MY
```

Delete all CTLs from the system store my, saving the remaining items to the store file newStore.str:

```
CertMgr -del -all -ctl -s my newStore.str
```
The following sequence builds a test CTL with MakeCert, Cert2SPC, MakeCTL, and SignCode, places it and its signing certificate in the trust and root system stores with CertMgr, and then verifies a signed file with ChkTrust:

```batch
REM Make a self-signed test certificate called sign.cer.
MakeCert -sv sign.pvk -r -n "CN=THIS IS A TEST OF MAKECTL" sign.cer

REM Make a test SPC file using Cert2SPC.
Cert2SPC sign.cer sign.spc

REM Make another self-signed test certificate called test.cer.
MakeCert -sv test.pvk -r -n "CN=THIS IS MY TEST CERT" test.cer

REM Make an SPC file using Cert2SPC.
Cert2SPC test.cer test.spc

REM Make test.stl from test.cer.
MakeCTL test.cer test.stl

REM Sign test.stl with the sign.pvk and sign.spc made in step 1.
SignCode -v sign.pvk -spc sign.spc test.stl

REM Move test.stl to the trust system store.
CertMgr -add -ctl test.stl -s trust

REM Move sign.cer to the root system store.
CertMgr -add -c sign.cer -s root

REM Sign something (test.exe) with test.pvk and test.spc.
SignCode -v test.pvk -spc test.spc test.exe

REM Since test.cer is in test.stl, ChkTrust will succeed.
ChkTrust test.exe
```
Save the certificate with the common name myCert from the system store root to the file newCert.cer:

```
certmgr -put -c -n myCert -s root newCert.cer
```