

       certmgr - Mono Certificate Manager (CLI version)


       certmgr  [action]  [object  type] [options] store [filename] or certmgr
       -ssl [options] url


       This tool allows you to list, add, remove or extract certificates,
       certificate  revocation  lists  (CRL)  or certificate trust lists (CTL)
       to/from a certificate store. Certificate stores are used to  build  and
       validate certificate chains for Authenticode(r) code signing validation
       and SSL server certificates.


       -list  List the certificates, CRL or CTL in the specified store.

       -add   Add a certificate, CRL or CTL to the specified store.

       -del   Remove a certificate, CRL or CTL from the specified store. You must
              specify the object to be removed with its hash value (and not a
              filename). This hash value is shown when doing a  -list  on  the

       -put   Copy a certificate, CRL or CTL from a store to a file.

       -ssl   Download and add the certificates from an SSL session. You'll be
              asked to confirm the addition of every certificate received from
              the server. Note that SSL/TLS protocols do not require a server
              to send the root certificate. This action assumes a certificate
              (-c) object type and will import the certificates in appropriate
              stores (i.e. server certificate in the  OtherPeople  store,  the
              root  certificate  in  the  Trust  store, any other intermediate
              certificates in the IntermediateCA store).


       -c , -cert , -certificate
              Add, Delete or Put certificates. That is, the specified file
              must/will contain X.509 certificates in DER binary encoding.

       -crl   Add, Delete or Put certificate revocation lists (CRL). That is,
              the specified file must/will contain X.509 CRL in DER binary

       -ctl   Add, Delete or Put certificate trust lists (CTL). UNSUPPORTED.


       -m     Use  the  machine's  certificate  stores (instead of the default
              user's stores).

       -v     More details displayed on the console.

       -help , -h , -? , /?
              Display help about this tool.


       WARNING: This details the current behavior of  Mono  and  could  change
       between  releases.   The  only  safe  way  to interact with certificate
       stores is to use the certmgr tool. The current releases of Mono keep
       all the user certificate stores in separate directories under

       For example the trusted root certificates for  a  user  would  be  kept

       Certificate files are kept in DER (binary) format (extension .cer).

       The filenames start with either
              tbp (thumbprint) or ski (subject key identifier).

       The rest of the filename is the base64-encoded value (tbp or ski).
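
       Added example (not part of the Mono documentation or code): a read-only
       Python audit of one store directory that relies only on the layout
       described above (DER .cer files whose names start with tbp or ski) and
       compares each file's SHA-256 with an approved list. The directory path
       is supplied by the caller, the SHA-256 allow-list is an assumption of
       this example, and the sample file names and byte strings are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

KINDS = {"tbp": "thumbprint", "ski": "subject key identifier"}

def is_single_der_sequence(data):
    """True if data is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                                  # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def audit_store(store_dir, approved_sha256):
    """Read-only audit; returns (filename, kind, sha256_hex, finding) per file."""
    report = []
    for path in sorted(p for p in Path(store_dir).iterdir() if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        kind = KINDS.get(path.name[:3])
        if kind is None or path.suffix != ".cer":
            finding = "bad-name"                      # not a file the store layout describes
        elif not is_single_der_sequence(data):
            finding = "not-der"                       # e.g. PEM text or trailing bytes
        elif digest in approved_sha256:
            finding = "approved"
        else:
            finding = "unapproved"                    # review before relying on this store
        report.append((path.name, kind, digest, finding))
    return report

def demo():
    """Audit a constructed store; the byte strings are stand-ins, not real certificates."""
    good, rogue = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    files = {"tbp-QUFBQQ==.cer": good, "ski-QkJCQg==.cer": rogue,
             "tbp-Q0NDQw==.cer": b"-----BEGIN CERTIFICATE-----\n", "notes.txt": b"x"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            (Path(d) / name).write_bytes(body)
        return audit_store(d, {hashlib.sha256(good).hexdigest()})

if __name__ == "__main__":
    for row in demo():
        print(row)
```

       Anything reported as unapproved, bad-name or not-der in a Trust store
       deserves a look; removal itself should still go through certmgr -del.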


       mono certmgr.exe -list -c -m Trust
              List all certificates in the  machine  Trust  store.  This  will
              display  the  hash value for each certificate. This value can be
              used to uniquely identify a certificate for some operations
              (e.g. delete). E.g. Unique Hash:

       mono certmgr.exe -del -c -m Trust
              Remove the certificate, represented by the hash value, from  the
              machine  Trust  store.  Note  that the machine store is normally
              restricted. The following  error  message  will  appear  if  the
              current  user  doesn't  have the minimum access rights to remove
              the certificate: Access to the machine 'Trust' certificate store
              has been denied.

       certmgr -ssl
              Import  certificates  from  used for HTTP over
              SSL.  See  KNOWN  ISSUES  (MD2)  if  you're   downloading   from

       certmgr -ssl ldaps://
              Import the certificates from used for secure LDAP.
              This works even if we don't know how to speak  LDAP  because  we
              stop  the  communication  shortly after the SSL handshake (which
              gives us the certificate).


       MD2    Some old Certificate Authority (CA) root certificates use the
              MD2  hash  algorithm.  MD2  is  old enough not to be part of the
              standard .NET framework.  This makes it impossible to validate a
              digital signature made with MD2. For this reason MD2 is included
              in the Mono.Security.dll assembly.  However  the  machine.config
              file must be updated so the OID for MD2 is known at runtime.

              To  correct  this  insert  the  following XML snippet inside the
              <configuration> element of your machine.config file.
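              <mscorlib>
                <cryptographySettings>
                  <cryptoNameMapping>
                    <cryptoClasses>
                      <cryptoClass monoMD2="Mono.Security.Cryptography.MD2Managed, Mono.Security, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756" />
                    </cryptoClasses>
                    <nameEntry name="MD2" class="monoMD2" />
                  </cryptoNameMapping>
                  <oidMap><oidEntry OID="1.2.840.113549.2.2" name="MD2" /></oidMap>
                </cryptographySettings>
              </mscorlib>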


       Written by Sebastien Pouliot


       Copyright (C) 2004-2005 Novell.


       Visit for details.


       Visit for details