Microsoft SDK for Java

CertMgr

The CertMgr utility replaces DumpCert. It includes new capabilities for the management of certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). CertMgr performs four functions:

This utility performs one of these actions depending on the action indicated in the command. For the latest documentation on CertMgr, see the CryptoAPI Tools section of the MSDN™ Library.

For more information on application security, see the Platform SDK, Security section of the MSDN™ Library.

CertMgr [-add | -del | -put] [options] [-s [-r registryLocation]]
SourceName [-s [-r registryLocation]] DestinationName

The following table indicates the basic actions of the CertMgr utility.

Action Flag    Description
None           Displays certificates, CRLs, or CTLs.
-add           Copies certificates, CTLs, and CRLs to a certificate store.
-del           Deletes certificates, CTLs, and CRLs from a certificate store.
-put           Saves an X.509 encoded certificate, CTL, or CRL to a file.

With no action flag (to display only), SourceName is the name of the certificate store or file containing the items to display. The store can be a serialized store (StoreFile) or a system store. By default, CertMgr displays all the certificates, CTLs, or CRLs in the certificate store or file. DestinationName is not used for display.

When using -add, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationStore is the destination certificate store to which the certificates, CTLs, and CRLs will be added. The destination store will be saved as a serialized store, unless the -7 option is used, which saves the store as a PKCS #7 file. Note that the -7 option cannot be used when the destination store is a system store.

When using -del, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationStore is the destination certificate store which will contain copies of the remaining certificates, CTLs, and CRLs after the specified items have been deleted. If DestinationStore is not specified, SourceStore will also serve as the destination store (it will be modified). The destination store will be saved as a serialized store, unless the -7 option is used, which saves the store as a PKCS #7 file. Note that the -7 option cannot be used when the destination store is a system store.

When using -put, SourceStore is the source certificate store that contains the existing certificates, CTLs, and CRLs. DestinationName is the name of a file to which an X.509 encoded certificate, CTL, and CRL will be saved. If the -7 option is used, the file will be saved as a PKCS #7 file. The -s and -r options are not used with -put.

Options

The following options apply to all CertMgr functions except where noted.

Option                 Action flag              Description
-v                     None (display only)      Verbose mode. Displays detailed information about certificates, CTLs, and CRLs. The default is to display brief information.
-c                     All                      Use certificates only.
-CTL                   All                      Use CTLs only.
-CRL                   All                      Use CRLs only.
-all                   -add, -del, -put only    Adds all entries of the chosen type.
-e encoding type       All                      Certificate encoding type.
-y storeProviderType   All                      Store provider type.
-7                     -add, -del, -put only    Saves the destination store as a PKCS #7 file.
-f dwFlags             All                      Store open flag. This is the dwFlags parameter passed to CertOpenStore. The default value is CERT_SYSTEM_STORE_CURRENT_USER. Meaningful only if -y is set. For more information, see the description of the CertOpenStore function in the MSDN™ Library.
-n commonNameString    -add, -del, -put only    Common name of the certificate to add. Can be used only with certificates.
-sha1 sha1Hash         -add, -del, -put only    SHA1 hash of the certificate, CTL, or CRL to be copied, deleted, or saved.
-s                     All                      Indicates that the store is a system store.
-r registryLocation    All                      Registry location of the system certificate store. Meaningful only when -s is set. Must be set to either currentUser (registry key HKEY_CURRENT_USER) or localMachine (registry key HKEY_LOCAL_MACHINE). currentUser is the default.
-?                     All                      Displays all the options.

Remarks

CertMgr is only supported in Microsoft® Internet Explorer 4.0 or later.

CertMgr can copy, delete, or save one or more certificates, CTLs, or CRLs. If there is more than one item in one of these categories, the user has three options:

The actions of CertMgr use slight variations of the syntax and options. The syntax and options specific to an action must be used.

CertMgr works with two kinds of certificate stores: StoreFile and system store. A StoreFile can be one of the following kinds of files:

It is not necessary to specify the type of the StoreFile. CertMgr can determine the StoreFile type and take the appropriate actions.

A system store is a certificate store normally located in the registry under currentUser. The user can refer to a system store by providing just its name. It is not necessary to specify the certificate store provider type. Depending on the type of StoreFile or system store, CertMgr chooses the corresponding store provider type.

Using CertMgr

CertMgr can be used to view certificates, CRLs, and CTLs from a file or a certificate store, to copy certificates into a certificate store, to delete certificates from a certificate store, and to save certificates to files.

The file must be one of the following types:

The following examples use CertMgr commands to perform common certificate tasks.
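
The commands below are an added example, not the SDK's own examples or Microsoft's code: a back-up-then-modify sequence built only from the syntax and options documented above. The system store names my and root, the file names, the common name, and the SHA1 value are assumptions or constructed placeholders.

```bat
@echo off
rem Added example, not from the SDK page. The system store names (my, root),
rem file names, common name and SHA1 value are constructed placeholders.
set CERT_NAME=Constructed Test CA
set CERT_SHA1=REPLACE_WITH_SHA1_HASH

rem 1. Display only (no action flag): verbose listing of the certificates in
rem    the current user's "my" system store. currentUser is the -r default.
CertMgr -v -c -s my

rem 2. Audit the machine-wide store: -r localMachine selects HKEY_LOCAL_MACHINE.
CertMgr -c -s -r localMachine root

rem 3. Back up before any change: copy every certificate from the system
rem    store into a file, saved as a serialized store by default.
CertMgr -add -all -c -s my my-backup.sto

rem 4. Same copy saved as PKCS #7. -7 is valid here only because the
rem    destination is a file and not a system store.
CertMgr -add -all -c -7 -s my my-backup.p7b

rem 5. Delete one certificate, selected by SHA1 hash, working on the backup.
rem    A destination is named, so the remaining certificates are written to
rem    my-trimmed.sto; with no destination, the source itself is modified.
CertMgr -del -c -sha1 %CERT_SHA1% my-backup.sto my-trimmed.sto

rem 6. Confirm what is left before touching any system store.
CertMgr -v -c my-trimmed.sto

rem 7. Save one certificate, selected by common name, as an X.509 encoded
rem    file. -s and -r are not used with -put, so the source is a store file.
CertMgr -put -c -n "%CERT_NAME%" my-backup.sto test-ca.cer

rem 8. Restore that certificate from the backup into the "my" system store.
rem    The -s after the source name marks the destination as a system store.
CertMgr -add -c -n "%CERT_NAME%" my-backup.sto -s my
```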

© 1999 Microsoft Corporation. All rights reserved.