3 out of 14 rated this helpful - Rate this topic

Certificate Manager Tool (Certmgr.exe)

.NET Framework 3.5

Updated: May 2010

The Certificate Manager tool manages certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs).

Note:
The Certificate Manager tool (Certmgr.exe) is a command-line utility, whereas Certificates (Certmgr.msc) is a Microsoft Management Console (MMC) snap-in. Because Certmgr.msc is usually found in the Windows System directory, entering certmgr at the command line may load the Certificates MMC snap-in even if you have opened the Visual Studio Command Prompt. This occurs because the path to the snap-in precedes the path to the Certificate Manager tool in the PATH environment variable. If you encounter this problem, you can execute Certmgr.exe commands by specifying the path to the executable.

Note:

The Certificate Manager tool (Certmgr.exe) is a command-line utility, whereas Certificates (Certmgr.msc) is a Microsoft Management Console (MMC) snap-in. Because Certmgr.msc is usually found in the Windows System directory, entering certmgr at the command line may load the Certificates MMC snap-in even if you have opened the Visual Studio Command Prompt. This occurs because the path to the snap-in precedes the path to the Certificate Manager tool in the PATH environment variable. If you encounter this problem, you can execute Certmgr.exe commands by specifying the path to the executable.

Copy

certmgr [/add | /del | /put] [options]
[/s[/r registryLocation]] [sourceStorename]
[/s[/r registryLocation]] [destinationStorename]

Parameters

Argument	Description
sourceStorename	The input certificate store as the type StoreFile, or the type system store.
destinationStorename	The output certificate store or file.

Option	Description
/add	Adds certificates, CTLs, and CRLs to a certificate store.
/all	Adds all entries when used with /add. Deletes all entries when used with /del. Displays all entries when used without the /add or /delete options. The /all option cannot be used with /put.
/c	Adds certificates when used with /add. Deletes certificates when used with /del. Saves certificates when used with /put. Displays certificates when used without the /add, /delete, or /put options.
/CRL	Adds or deletes CRLs. Displays CRLs when used without the /add, /delete, or /put options.
/CTL	Adds or deletes CTLs. Displays CTLs when used without the /add, /delete, or /put options.
/delete	Deletes certificates, CTLs, and CRLs from a specified certificate store.
/e encodingType	Specifies the certificate encoding type.
/f dwFlags	Specifies the store open flag. This is the dwFlags parameter passed to CertOpenStore. The default value is CERT_SYSTEM_STORE_CURRENT_USER. This option is considered only if the /y option is used.
/h[elp]	Displays command syntax and options for the tool.
/n commonName String	Specifies the common name of the certificate to add, delete, or save. This option can only be used with certificates; it cannot be used with CTLs or CRLs.
/put	Saves an X.509 certificate, CTL, or CRL from a certificate store to a file. The file will be saved in X.509 format. The /7 option can be used with the /put option to save the file in PKCS #7 format. The /put option must be followed by either /c, /CTL, or /CRL. The /all option cannot be used with /put.
/r registry location	Identifies the registry location of the system store. This option is considered only if you specify the /s option. Registry location must be one of the following: currentUser indicates that the certificate store is under the HKEY_CURRENT_USER key. This is the default localMachine indicates that the certificate store is under the HKEY_LOCAL_MACHINE key.
/s	Indicates that the certificate store is a system store. If you do not specify this option, the store is a StoreFile.
/sha1 sha1Hash	Specifies the SHA1 hash of the certificate, CTL, or CRL to add, delete, or save.
/v	Specifies verbose mode; displays detailed information about certificates, CTLs, and CRLs. This option cannot be used with the /add, /delete, or /put options.
/y storeProviderType	Specifies the store provider type.
/7	Saves the destination store as a PKCS#7 object.
/?	Displays command syntax and options for the tool.

Remarks

Certmgr.exe performs the following basic functions:

Displays certificates, CTLs, and CRLs to the console.
Adds certificates, CTLs, and CRLs to a certificate store.
Deletes certificates, CTLs, and CRLs from a certificate store.
Saves an X.509 certificate, CTL, or CRL from a certificate store to a file.

Certmgr.exe works with two types of certificate stores: StoreFile and system store. It is not necessary to specify the type of certificate store; Certmgr.exe can identify the store type and perform the appropriate operations.

Running Certmgr.exe without specifying any options launches the certmgr.msc snap-in, which has a GUI that helps with the certificate management tasks that are also available from the command line. The GUI provides an import wizard, which copies certificates, CTLs, and CRLs from your disk to a certificate store.

For more information about certificates, see the About CryptoAPI section of the Microsoft Platform SDK documentation.

Examples

The following command displays a default system store called my with verbose output.

Copy

certmgr /v /s my

The following command adds all the certificates in a file called myFile.ext to a new file called newFile.ext.

Copy

certmgr /add /all /c myFile.ext newFile.ext

The following command moves a certificate with the common name myCert in the my system store to a file called newCert.cer.

Copy

certmgr /add /c /n myCert /s my newCert.cer

The following command deletes all CTLs in the my system store and saves the resulting store to a file called newStore.str.

Copy

certmgr /del /all /ctl /s my newStore.str

The following command puts a certificate in the my system storein the file newFile. You will be prompted to enter the certificate number from my to put in newFile.

Copy

certmgr /put /c /s my newFile

Reference

.NET Framework Tools

Certificate Creation Tool (Makecert.exe)

SDK Command Prompt

Change History

Date	History	Reason
May 2010	Differentiated MMC snap-in from command-line utility.	Customer feedback.

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)

Community Content Add

FAQ

re: Confusing

It's a bit confusing and does leave it open to interpretation if you don't already know something about certificate storage.

My interpretation is you can either deal with an explicit file, where that file is a type of container for certificates, or deal indirectly with the a container handled by the system, which is still ultimately either a file or the registry, but it is entirely handled by the system and we do not need to know or care about the location of it nor anything else about how to deal with it.

The information is written in a way that assumes the reader already knows something about certificate storage and is simply looking for a way to deal with storage without having to write code to do it themselves. This is logical since most people would likely arrive at this page -after- knowing something about certificates and are looking for a ready-made module created to deal with it.

It would probably be good to have links to information describing what a container (StoreFile / system store) actually are for those that do not already know.

History

6/11/2009
Michael L. Long

confusing

One of the most confusing explanation pages i've ever seen, and that's saying a lot on MSDN. For example:

The input certificate store as the type StoreFile, or the type system store.

does that look like reasonable human English grammar to anyone?

History

1/13/2009
anonymoose123

5/1/2009
Thomas Lee