Certmgr (the Certificate Manager utility) manages certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). It performs the following basic functions:
Certmgr works with two kinds of certificate stores: StoreFile and system store. It is not necessary to specify the type of store file; certmgr can identify the StoreFile type and perform the appropriate operations. Running this utility without any options launches a wizard that helps with certificate management.
certmgr [/add | /del | /put] [arguments] [/s[/r RegistryLocation]] Storename
Argument | Description |
---|---|
/add | Adds certificates from one certificate store to another. |
/del | Deletes certificates. |
/put | Saves an X.509-encoded certificate, CTL, or CRL to a file. |
/c | Adds certificates when used with /add; deletes certificates when used with /del. Displays certificates when used without the /add or the /del option. |
/all | Adds all the entries if used with /add; deletes all the entries if used with /del. |
/7 | Saves the destination store as a PKCS#7 object. |
/n commonName String | Specifies the common name of the certificate to add or delete. This option can only be used with certificates; it cannot be used with CTLs or CRLs. |
/sha1 sha1Hash | The SHA1 hash of the certificate, CTL, or CRL to add or delete. |
/CTL | Adds or deletes certificate trust lists (CTLs). Displays certificate trust lists when used without the /add or the /del option. |
/CRL | Adds or deletes certificate revocation lists (CRLs). Displays certificate revocation lists when used without the /add or the /del option. |
/s | Indicates the store is a system store. If this option is not specified, the store is a StoreFile. |
/r RegistryLocation | Identifies the registry location of the system certificate store. This option is considered only if the /s option is specified. Registry location must be either currentUser (indicating that the certificate store is under the HKEY_CURRENT_USER key [the default]) or localMachine (indicating that the store is under HKEY_LOCAL_MACHINE). |
/? | Displays Help for the utility. |
/v | Verbose mode. Displays detailed information about certificates, CTLs, and CRLs. This option cannot be used with the /add or the /del options. |
/y storeProviderType | Specifies the store provider type. |
/f dwFlags | Specifies the store open flag. This is the dwFlags parameter passed to CertOpenStore. The default value is CERT_SYSTEM_STORE_CURRENT_USER. This option is considered only if the /y option is used. |
/e encodingType | Specifies the certificate encoding type. |
The following examples show some of the certmgr utility's functions. Each sample command line is followed by a description.
Use the following example to view a system store called my.
certmgr /s my
Use the following example to add all the certificates in a file called myFile.ext to a new file called newFile.ext.
certmgr /add /all /c myFile.ext newFile.ext
Use the following example to add a certificate with the common name myCert from the my system store to a file called newCert.cer.
certmgr /add /c /n myCert /s my newCert.cer
Use the following example to delete all the CTLs in the my system store and save the resulting store to a file called newStore.str.
certmgr /del /all /ctl /s my newStore.str
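The options above can be combined into a reviewable removal of a single certificate: back up the system store to a StoreFile, write the result of the delete to a second StoreFile (as in the last example), and list that result in verbose mode. This PowerShell script is an added example, not part of the original documentation; the output folder and file names are hypothetical, and it assumes certmgr.exe is on PATH, returns a non-zero exit code on failure, and accepts the /sha1 value as 40 hex digits.

```powershell
# Added example (not from the original page). Assumptions: certmgr.exe is on PATH,
# it returns a non-zero exit code on failure, and /sha1 takes 40 hex digits.
param(
    [string]$Store = 'my',
    [ValidateSet('currentUser', 'localMachine')]
    [string]$Location = 'currentUser',
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Sha1,
    [string]$OutDir = (Join-Path $PWD 'certmgr-review')   # hypothetical folder
)

$ErrorActionPreference = 'Stop'

# Resolve the .exe explicitly: a bare "certmgr" can match certmgr.msc (the MMC snap-in).
$certmgr = (Get-Command certmgr.exe -CommandType Application | Select-Object -First 1).Source

function Invoke-Certmgr {
    param([string[]]$Arguments)
    Write-Host "certmgr $($Arguments -join ' ')"
    & $certmgr @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certmgr failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $OutDir "$Store-$stamp-backup.str"
$result = Join-Path $OutDir "$Store-$stamp-without-$Sha1.str"

# 1. Copy every certificate from the system store into a StoreFile (backup).
Invoke-Certmgr @('/add', '/all', '/c', '/s', '/r', $Location, $Store, $backup)

# 2. Delete the one certificate by hash, saving the resulting store to a file.
Invoke-Certmgr @('/del', '/c', '/sha1', $Sha1, '/s', '/r', $Location, $Store, $result)

# 3. Record digests of both files so the review artefacts can be checked later.
Get-FileHash -Algorithm SHA256 -Path $backup, $result |
    Select-Object Hash, Path | Format-Table -AutoSize

# 4. Show the resulting StoreFile in verbose mode for review.
Invoke-Certmgr @('/v', '/c', $result)
```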