Home » Computers » Security » CertMgr.exe Tool

CertMgr.exe Tool

The Microsoft CertMgr.exe tool is included in few SDKs like the Windows SDK, Drivers SDK, and with Visual Studios.  As of this writing it is a standalone executable and can simply be copied to other computers with requiring installation or other support files.

C:\temp>CertMgr.Exe -?
Usage: CertMgr [options][-s [-r <location>][SourceStoreName]
[-s [-r <location>][DestinationStoreName]
Options:
-add               Add certificates/CRLs/CTLs to a storeFile or a system store
-del               Delete certificates/CRLs/CTLs from a storeFile or
a system store
-put               Put an encoded certificate/CRL/CTL from a storeFile or
a system store to a file.  The file will be saved in X.509
format. -7 can be used to save the file in PKCS #7 format
-s                 Indicate the store is a system store
-r    <location>   The system store location
<currentUser|localMachine> Default to ‘currentUser’
-c                 Certificates in the store
-crl               Certificates revocation lists(CRLs) in the store
-ctl               Certificates trust lists(CTLs) in the store
-v                 Verbose display of the certificates/CRLs/CTLs
-all               All certificates/CRLs/CTLs in the store
-n    <name>       Common name of the certificate
-sha1 <thumbPrint> The sha1 hash of the certificate/CRLs/CTLs
-7                 Save the destination store in PKCS #7 format
-e    <encode>     Certificate/CRL/CTL encoding type.
Default to X509_ASN_ENCODING
-f    <flag>       CertStore open flags.  Meaningful only if -y is set
-y    <provider>   CertStore provider name

Note the “-s” and “-r” options. The “-r” allows you to override the default currentUser and specify instead localMachine.

Once you’ve chosen User or Machine the “-s” points to which system certificate store you want to access.

HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates
   AuthRoot
   CA
   Disallowed
   MY
   Root
   Trust
   TrustedPeople
   TrustedPublisher
   UserDS

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates
   AuthRoot
   CA
   Disallowed
   MY
   Root
   Trust
   TrustedDevices
   TrustedPeople
   TrustedPublisher
   UserDS

Examples:

C:\temp\>certmgr -s -r localMachine MY
C:\temp\>certmgr -s -r localMachine Root
C:\temp\>certmgr -s MY

See this site for more details: http://certificate.fyicenter.com/680_Tutorial_Windows__certmgr.exe_Certificate_Management_Comman.html


Leave a comment