.NET Framework Tools


Certificate Manager Tool (Certmgr.exe)

The Certificate Manager tool manages certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs).

certmgr [/add | /del | /put] [options]
[/s[/r registryLocation]] [sourceStorename]
[/s[/r registryLocation]] [destinationStorename]
Parameters

Argument

Description

sourceStorename

The input certificate store as the type StoreFile, or the type system store.

destinationStorename

The output certificate store or file.

Option

Description

/add

Adds certificates, CTLs, and CRLs to a certificate store.

/all

Adds all entries when used with /add. Deletes all entries when used with /del. Displays all entries when used without the /add or /delete options. The /all option cannot be used with /put.

/c

Adds certificates when used with /add. Deletes certificates when used with /del. Saves certificates when used with /put. Displays certificates when used without the /add, /delete, or /put options.

/CRL

Adds or deletes CRLs. Displays CRLs when used without the /add, /delete, or /put options.

/CTL

Adds or deletes CTLs. Displays CTLs when used without the /add, /delete, or /put options.

/delete

Deletes certificates, CTLs, and CRLs from a specified certificate store.

/e encodingType

Specifies the certificate encoding type.

/f dwFlags

Specifies the store open flag. This is the dwFlags parameter passed to CertOpenStore. The default value is CERT_SYSTEM_STORE_CURRENT_USER. This option is considered only if the /y option is used.

/h[elp]

Displays command syntax and options for the tool.

/n commonName String

Specifies the common name of the certificate to add, delete, or save. This option can only be used with certificates; it cannot be used with CTLs or CRLs.

/put

Saves an X.509 certificate, CTL, or CRL from a certificate store to a file. The file will be saved in X.509 format. The /7 option can be used with the /put option to save the file in PKCS #7 format. The /put option must be followed by either /c, /CTL, or /CRL. The /all option cannot be used with /put.

/r registryLocation

Identifies the registry location of the system store. This option is considered only if you specify the /s option. Registry location must be one of the following:

  • currentUser indicates that the certificate store is under the HKEY_CURRENT_USER key. This is the default.

  • localMachine indicates that the certificate store is under the HKEY_LOCAL_MACHINE key.

/s

Indicates that the certificate store is a system store. If you do not specify this option, the store is a StoreFile.

/sha1 sha1Hash

Specifies the SHA1 hash of the certificate, CTL, or CRL to add, delete, or save.

/v

Specifies verbose mode; displays detailed information about certificates, CTLs, and CRLs. This option cannot be used with the /add, /delete, or /put options.

/y storeProviderType

Specifies the store provider type.

/7

Saves the destination store as a PKCS#7 object.

/?

Displays command syntax and options for the tool.

Remarks

Certmgr.exe performs the following basic functions:

  • Displays certificates, CTLs, and CRLs to the console.

  • Adds certificates, CTLs, and CRLs to a certificate store.

  • Deletes certificates, CTLs, and CRLs from a certificate store.

  • Saves an X.509 certificate, CTL, or CRL from a certificate store to a file.

Certmgr.exe works with two types of certificate stores: StoreFile and system store. It is not necessary to specify the type of certificate store; Certmgr.exe can identify the store type and perform the appropriate operations.

Running Certmgr.exe without specifying any options launches a GUI that helps with the certificate management tasks that are also available from the command line. The GUI provides an import wizard, which copies certificates, CTLs, and CRLs from your disk to a certificate store.

For more information about certificates, see the About CryptoAPI section of the Microsoft Platform SDK documentation.

Examples

The following command displays a default system store called my with verbose output.

certmgr /v /s my

The following command adds all the certificates in a file called myFile.ext to a new file called newFile.ext.

certmgr /add /all /c myFile.ext newFile.ext

The following command adds a certificate with the common name myCert in the my system store to a file called newCert.cer.

certmgr /add /c /n myCert /s my newCert.cer

The following command deletes all CTLs in the my system store and saves the resulting store to a file called newStore.str.

certmgr /del /all /ctl /s my newStore.str

The following command puts a certificate from the my system store in the file newFile. You will be prompted to enter the number of the certificate from my to put in newFile.

certmgr /put /c /s my newFile
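
An added example, not part of the original documentation or of the tool itself: a Python helper that builds a certmgr argument list from the options above, rejects the combinations this page says are invalid, and refuses to add a certificate whose SHA-1 hash differs from a pinned value. The function names, the sample bytes and the plain-hex form of the /sha1 value are assumptions.

```python
import hashlib

ACTIONS = ("/add", "/del", "/put")
KINDS = ("/c", "/CTL", "/CRL")
REGISTRY = ("currentUser", "localMachine")

def store_args(name, system=False, registry=None):
    """One store operand: [/s [/r registryLocation]] storeName."""
    if registry is not None and not system:
        raise ValueError("/r is considered only when /s is given")
    if registry is not None and registry not in REGISTRY:
        raise ValueError("registry location must be currentUser or localMachine")
    args = ["/s"] if system else []
    if registry is not None:
        args += ["/r", registry]
    return args + [name]

def build_args(action, kind, source, dest=None, all_entries=False,
               verbose=False, common_name=None, sha1=None):
    """Build the certmgr argument list; raise on a conflict the page documents."""
    if action is not None and action not in ACTIONS:
        raise ValueError("action must be /add, /del or /put")
    if kind is not None and kind not in KINDS:
        raise ValueError("kind must be /c, /CTL or /CRL")
    if action == "/put" and (all_entries or kind is None):
        raise ValueError("/put must be followed by /c, /CTL or /CRL, never /all")
    if verbose and action is not None:
        raise ValueError("/v cannot be combined with /add, /del or /put")
    if common_name is not None and kind in ("/CTL", "/CRL"):
        raise ValueError("/n applies to certificates only")
    flags = (action, "/all" if all_entries else None, kind, "/v" if verbose else None)
    args = [f for f in flags if f]
    if common_name is not None:
        args += ["/n", common_name]
    if sha1 is not None:
        args += ["/sha1", sha1]
    return args + store_args(*source) + (store_args(*dest) if dest else [])

def pinned_add(der_bytes, expected_sha1, cert_path, dest):
    """Add one certificate only if the file's SHA-1 matches the pinned value."""
    # Assumption: /sha1 takes the hash as plain hex digits without separators.
    actual = hashlib.sha1(der_bytes).hexdigest().upper()
    if actual != expected_sha1.replace(" ", "").upper():
        raise ValueError("thumbprint mismatch: refusing to add " + cert_path)
    return build_args("/add", "/c", (cert_path,), dest, sha1=actual)

# Constructed sample: placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PIN = hashlib.sha1(SAMPLE_DER).hexdigest()
```

The returned list is meant to be passed to the SDK tool, for example with subprocess.run and the full path to Certmgr.exe as the first element.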
Community Content

Thomas Lee
confusing
One of the most confusing explanation pages I've ever seen, and that's saying a lot on MSDN. For example:

"

The input certificate store as the type StoreFile, or the type system store.

"


Does that look like reasonable human English grammar to anyone?

Tags : contentbug

Michael L. Long
re: Confusing

It's a bit confusing and does leave it open to interpretation if you don't already know something about certificate storage.

My interpretation is you can either deal with an explicit file, where that file is a type of container for certificates, or deal indirectly with a container handled by the system, which is still ultimately either a file or the registry, but it is entirely handled by the system and we do not need to know or care about the location of it nor anything else about how to deal with it.

The information is written in a way that assumes the reader already knows something about certificate storage and is simply looking for a way to deal with storage without having to write code to do it themselves. This is logical since most people would likely arrive at this page -after- knowing something about certificates and are looking for a ready-made module created to deal with it.

It would probably be good to have links to information describing what a container (StoreFile / system store) actually is for those that do not already know.


ErikSternerson
Not working...

Based on a couple blogs, I've been trying to install all the certs in a p7b file. The file contains like 20 certs, so I thought this would be my saving grace. I saved the p7b file to my desktop. I use Vista Home PieceofJunk 64.

However, in a UAC-less environment, running the following command from the command prompt:

C:\Users\Administrator\Desktop>certmgr /add /all /c rel3_dodroot_2048.p7b /s /r localMachine Root



the only thing that happens is the GUI pops up. I don't get any helpful errors, and I KNOW that this doesn't fall under the category of "Running Certmgr.exe without specifying any options launches a GUI that helps with the certificate management ....", so I find myself writing this in extreme anger and frustration.

Why does nothing work as advertised with this company?

MANY EXPLETIVES WERE DELETED IN THE WRITING OF THIS POST.

[Erik - 28-09-09] Just ran into the same issue. The thing is there are two DIFFERENT programs called certmgr. The first is an MMC snap-in which is part of Windows. The second, described in this article, is part of the Windows SDK. Confusing? Oh my yes.


[tfl - 01 07 09] Hi - and thanks for your post. You should post questions like this to the MSDN Forums at http://forums.microsoft.com/msdn or the MSDN Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/ . You are much more likely to get a quicker response using the forums than through the Community Content. For specific help about:
Visual Studio :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.vstudio%2C &
SQL Server :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C &
.NET Framework :
http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.dotnet.framework
All Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C &

Tags : contentbug
