2 .\" certmgr manual page.
3 .\" Copyright 2004-2005 Novell
4 .\" Copyright 2010 Pablo Ruiz
6 .\" Sebastien Pouliot <sebastien@ximian.com>
7 .\" Pablo Ruiz Garcia <pruiz@netway.org>
11 certmgr \- Mono Certificate Manager (CLI version)
14 .B certmgr [action] [object type] [options] store [filename]
16 .B certmgr -ssl [options] url
18 This tool allow to list, add, remove or extract certificates, certificate
19 revocation lists (CRL) or certificate trust lists (CTL) to/from a
20 certificate store. Certificate stores are used to build and validate
21 certificate chains for Authenticode(r) code signing validation and SSL
26 represents the certificate store to use. It can be one of the
30 This is the personal certificate store.
33 This is the store for other people.
36 This is a store for intermediate certificate authorities.
39 This is for trusted roots.
42 This is for untrusted roots
46 List the certificates, CTL or CTL in the specified store.
49 Add a certificate, CRL or CTL to specified store. If filename it's a pkcs12
50 or pfx file, and it contains a private key, it will be imported to local key
54 Remove a certificate, CRL or CTL from specified store. You must specify the
55 object to be removed with it's hash value (and not a filename). This hash
56 value is shown when doing a
61 Copy a certificate, CRL or CTL from a store to a file.
64 Download and add the certificates from a SSL session. You'll be asked to
65 confirm the addition of every certificate received from the server. Note
66 that SSL/TLS protocols do not requires a server to send the root certificate.
67 This action assume an certificate (-c) object type and will import the
68 certificates in appropriate stores (i.e. server certificate in the
69 OtherPeople store, the root certificate in the Trust store, any other
70 intermediate certificates in the IntermediateCA store).
73 Allows importing a private key from a pkcs12 file into a local key pair
74 store. (Usefull when you already have the key's corresponding certificate
75 installed at the specific store.)
79 .I "-c", "-cert", "-certificate"
80 Add, Delete or Put certificates. That is the specified file must/will contains
81 X.509 certificates in DER binary encoding.
84 Add, Delete or Put certificate revocation lists (CRL). That is the specified
85 file must/will contains X.509 CRL in DER binary encoding.
88 Add, Delete or Put certificate trust lists (CRL). UNSUPPORTED.
93 Use the machine's certificate stores (instead of the default user's stores).
96 More details displayed on the console.
99 Use the specify password when accessing a pkcs12 file.
101 .I "-help", "-h", "-?", "/?"
102 Display help about this tool.
105 .B WARNING: This details the current behavior of Mono and could change between releases.
106 The only safe way to interact with certificate stores is to use the certmgr
107 tool. The current releases of Mono keeps all the user certificate stores in
108 separates directories under
109 .I ~/.config/.mono/certs/
111 For example the trusted root certificates for a user would be kept under
112 .I ~/.config/.mono/certs/Trust/
114 Certificates files are kept in DER (binary) format (extension .cer).
116 The filenames either starts with
120 (subject key identifier).
122 The rest of the filename is the base64-encoded value (tbp or ski).
124 Private key data is stored under
125 .I ~/.config/.mono/keypairs/
129 .B mono certmgr.exe -list -c -m Trust
130 List all certificates in the machine Trust store. This will display the hash
131 value for each certificate. This value can be used to identify uniquely a
132 certificate for some operations (e.g. delete). E.g.
133 .B Unique Hash: FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
135 .B mono certmgr.exe -del -c -m Trust FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
136 Remove the certificate, represented by the hash value, from the machine Trust
137 store. Note that the machine store is normally restricted. The following
138 error message will appear if the current user doesn't have the minimum access
139 rights to remove the certificate:
140 .B Access to the machine 'Trust' certificate store has been denied.
142 .B certmgr -ssl https://www.verisign.com
143 Import certificates from www.verisign.com used for HTTP over SSL. See KNOWN
144 ISSUES (MD2) if you're downloading from www.verisign.com.
146 .B certmgr -ssl ldaps://www.nldap.com:636
147 Import the certificates from www.nldap.com used for secure LDAP. This works
148 even if we don't know how to speak LDAP because we stop the communication
149 shortly after the SSL handshake (which gives us the certificate).
154 Some Certificate Authorities (CA) old root certificates use the MD2 hash
155 algorithm. MD2 is old enough not to be part of the standard .NET framework.
156 This makes it impossible to validate a digital signature made with MD2. For
157 this reason MD2 is included in the Mono.Security.dll assembly. However the
158 machine.config file must be updated so the OID for MD2 is known at runtime.
160 To correct this insert the following XML snippet inside the <configuration>
161 element of your machine.config file.
163 <cryptographySettings>
166 <cryptoClass monoMD2="Mono.Security.Cryptography.MD2Managed, Mono.Security, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756" />
168 <nameEntry name="MD2" class="monoMD2" />
171 <oidEntry OID="1.2.840.113549.2.2" name="MD2" />
173 </cryptographySettings>
177 Written by Sebastien Pouliot
179 Minor additions by Pablo Ruiz GarcĂa
181 Copyright (C) 2004-2005 Novell.
183 Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.
185 Visit http://www.mono-project.com for details
187 .BR makecert(1), setreg(1)