Mono(certmgr)                                                    Mono(certmgr)


NAME

       certmgr - Mono Certificate Manager (CLI version)


SYNOPSIS

       certmgr [action] [object type] [options] store [filename] or
       certmgr -ssl [options] url


DESCRIPTION

       This tool lists, adds, removes or extracts certificates, certificate
       revocation lists (CRL) or certificate trust lists (CTL) to/from a
       certificate store. Certificate stores are used to build and validate
       certificate chains for Authenticode(r) code signing validation and
       SSL server certificates.


STORES

       The store represents the certificate store to use. It can be one of
       the following:

       My     This is the personal certificate store.

       AddressBook
              This is the store for other people.

       CA     This is a store for intermediate certificate authorities.

       Trust  This is for trusted roots.

       Disallowed
              This is for untrusted roots.


ACTIONS

       -list  List the certificates, CRL or CTL in the specified store.

       -add   Add a certificate, CRL or CTL to the specified store. If
              filename is a pkcs12 or pfx file and it contains a private
              key, the key is imported into the local key pair container.

       -del   Remove a certificate, CRL or CTL from the specified store. You
              must specify the object to be removed by its hash value (and
              not by a filename). This hash value is shown when doing a
              -list on the store.

       -put   Copy a certificate, CRL or CTL from a store to a file.

       -ssl   Download and add the certificates from an SSL session. You
              will be asked to confirm the addition of every certificate
              received from the server. Note that the SSL/TLS protocols do
              not require a server to send the root certificate. This
              action assumes a certificate (-c) object type and imports the
              certificates into the appropriate stores (i.e. the server
              certificate in the OtherPeople store, the root certificate in
              the Trust store and any other intermediate certificates in
              the IntermediateCA store).

       -importKey
              Import a private key from a pkcs12 file into the local key
              pair store. (Useful when you already have the key's
              corresponding certificate installed in the specific store.)



OBJECT TYPES

       -c, -cert, -certificate
              Add, Delete or Put certificates. That is, the specified file
              must/will contain X.509 certificates in DER binary encoding.

       -crl   Add, Delete or Put certificate revocation lists (CRL). That
              is, the specified file must/will contain an X.509 CRL in DER
              binary encoding.

       -ctl   Add, Delete or Put certificate trust lists (CTL). UNSUPPORTED.



OPTIONS

       -m     Use the machine's certificate stores (instead of the default
              user's stores).

       -v     More details displayed on the console.

       -p password
              Use the specified password when accessing a pkcs12 file.

       -help, -h, -?, /?
              Display help about this tool.



FILES

       WARNING: This details the current behavior of Mono and could change
       between releases. The only safe way to interact with certificate
       stores is to use the certmgr tool. The current releases of Mono keep
       all the user certificate stores in separate directories under
       ~/.config/.mono/certs/

       For example the trusted root certificates for a user would be kept
       under
              ~/.config/.mono/certs/Trust/

       Certificate files are kept in DER (binary) format (extension .cer).

       The filenames start with either
              tbp (thumbprint) or ski (subject key identifier).

       The rest of the filename is the base64-encoded value (tbp or ski).

       Private key data is stored under
              ~/.config/.mono/keypairs/



EXAMPLES

       mono certmgr.exe -list -c -m Trust
              List all certificates in the machine Trust store. This
              displays the hash value for each certificate. This value can
              be used to uniquely identify a certificate for some
              operations (e.g. delete), for example:
              Unique Hash: FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8

       mono certmgr.exe -del -c -m Trust FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
              Remove the certificate, represented by the hash value, from
              the machine Trust store. Note that the machine store is
              normally restricted. The following error message will appear
              if the current user doesn't have the minimum access rights to
              remove the certificate: Access to the machine 'Trust'
              certificate store has been denied.

       certmgr -ssl https://www.verisign.com
              Import the certificates from www.verisign.com used for HTTP
              over SSL. See KNOWN ISSUES (MD2) if you're downloading from
              www.verisign.com.

       certmgr -ssl ldaps://www.nldap.com:636
              Import the certificates from www.nldap.com used for secure
              LDAP. This works even if we don't know how to speak LDAP
              because we stop the communication shortly after the SSL
              handshake (which gives us the certificate).



KNOWN ISSUES

       MD2    Some Certificate Authorities' (CA) old root certificates use
              the MD2 hash algorithm. MD2 is old enough not to be part of
              the standard .NET framework. This makes it impossible to
              validate a digital signature made with MD2. For this reason
              MD2 is included in the Mono.Security.dll assembly. However,
              the machine.config file must be updated so the OID for MD2
              is known at runtime.

              To correct this, insert the following XML snippet inside the
              <configuration> element of your machine.config file.
                <mscorlib>
                  <cryptographySettings>
                    <cryptoNameMapping>
                      <cryptoClasses>
                        <cryptoClass monoMD2="Mono.Security.Cryptography.MD2Managed, Mono.Security, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756" />
                      </cryptoClasses>
                      <nameEntry name="MD2" class="monoMD2" />
                    </cryptoNameMapping>
                    <oidMap>
                      <oidEntry OID="1.2.840.113549.2.2" name="MD2" />
                    </oidMap>
                  </cryptographySettings>
                </mscorlib>


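              Assuming a machine.config whose root element is
              <configuration>, the following added script (not part of Mono
              or certmgr) merges the snippet above idempotently: it reuses
              any <mscorlib>, <cryptographySettings>, <cryptoNameMapping> or
              <oidMap> element that already exists and makes no change when
              the MD2 OID is already mapped.

```python
# Added example (not Mono or certmgr code): merge the MD2 mapping from the
# certmgr man page into a Mono machine.config without creating duplicates.
# Element names, class string and OID come from the man page's snippet.
import sys
import xml.etree.ElementTree as ET

MD2_OID = "1.2.840.113549.2.2"  # OID from the man page's <oidEntry>
MD2_CLASS = ("Mono.Security.Cryptography.MD2Managed, Mono.Security, "
             "Version=1.0.5000.0, Culture=neutral, "
             "PublicKeyToken=0738eb9f132ed756")


def _child(parent, tag):
    """Return the first child element named `tag`, creating it if absent."""
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def has_md2_mapping(config_xml):
    """True if some <oidEntry> already maps the MD2 OID."""
    root = ET.fromstring(config_xml)
    return any(e.get("OID") == MD2_OID for e in root.iter("oidEntry"))


def add_md2_mapping(config_xml):
    """Return config_xml with the man page's snippet merged in under
    <configuration>. Existing elements are reused, so a second run is a no-op."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("expected <configuration> as the root element")
    if has_md2_mapping(config_xml):
        return config_xml
    settings = _child(_child(root, "mscorlib"), "cryptographySettings")
    mapping = _child(settings, "cryptoNameMapping")
    # <cryptoClass monoMD2="..."/> binds the friendly name to the managed class
    ET.SubElement(_child(mapping, "cryptoClasses"), "cryptoClass",
                  {"monoMD2": MD2_CLASS})
    # <nameEntry name="MD2" class="monoMD2"/> lets CryptoConfig resolve "MD2"
    ET.SubElement(mapping, "nameEntry", {"name": "MD2", "class": "monoMD2"})
    # <oidEntry> maps the OID carried by MD2-signed certificates to that name
    ET.SubElement(_child(settings, "oidMap"), "oidEntry",
                  {"OID": MD2_OID, "name": "MD2"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # usage: python merge_md2.py /path/to/machine.config > machine.config.new
    with open(sys.argv[1], encoding="utf-8") as f:
        sys.stdout.write(add_md2_mapping(f.read()))
```

              ElementTree drops XML comments and the XML declaration on
              round-trip, so diff the output against the original before
              replacing the real machine.config.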

AUTHOR

       Written by Sebastien Pouliot

       Minor additions by Pablo Ruiz García

       Copyright (C) 2004-2005 Novell.


MAILING LISTS

       Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.


WEB SITE

       Visit http://www.mono-project.com for details.


SEE ALSO

       makecert(1), setreg(1)
