Provided by: mono-devel_4.2.1.102+dfsg2-7ubuntu4_all bug

NAME

       certmgr - Mono Certificate Manager (CLI version)

SYNOPSIS

       certmgr [action] [object type] [options] store [filename] or certmgr -ssl [options] url

DESCRIPTION

       This tool allow to list, add, remove or extract certificates, certificate revocation lists
       (CRL) or certificate trust lists (CTL) to/from a certificate store. Certificate stores are
       used  to build and validate certificate chains for Authenticode(r) code signing validation
       and SSL server certificates.

STORES

       The store represents the certificate store to use.   It can be one of the following:

       My     This is the personal certificate store.

       AddressBook
              This is the store for other people.

       CA     This is a store for intermediate certificate authorities.

       Trust  This is for trusted roots.

       Disallowed
              This is for untrusted roots

ACTIONS

       -list  List the certificates, CTL or CTL in the specified store.

       -add   Add a certificate, CRL or CTL to specified store. If filename it's a pkcs12 or  pfx
              file,  and  it  contains  a  private  key,  it  will  be imported to local key pair
              container.

       -del   Remove a certificate, CRL or CTL from specified store. You must specify the  object
              to  be  removed with it's hash value (and not a filename). This hash value is shown
              when doing a -list on the store.

       -put   Copy a certificate, CRL or CTL from a store to a file.

       -ssl   Download and add the certificates from a SSL session. You'll be  asked  to  confirm
              the  addition  of  every  certificate  received  from the server. Note that SSL/TLS
              protocols do not requires a server to  send  the  root  certificate.   This  action
              assume  an  certificate  (-c)  object  type  and  will  import  the certificates in
              appropriate stores (i.e. server certificate in  the  OtherPeople  store,  the  root
              certificate  in  the  Trust  store,  any  other  intermediate  certificates  in the
              IntermediateCA store).

       -importKey
              Allows importing a private key from a pkcs12 file into  a  local  key  pair  store.
              (Usefull when you already have the key's corresponding certificate installed at the
              specific store.)

OBJECT TYPES

       -c , -cert , -certificate
              Add, Delete or Put certificates. That is  the  specified  file  must/will  contains
              X.509 certificates in DER binary encoding.

       -crl   Add,  Delete  or Put certificate revocation lists (CRL). That is the specified file
              must/will contains X.509 CRL in DER binary encoding.

       -ctl   Add, Delete or Put certificate trust lists (CRL). UNSUPPORTED.

OPTIONS

       -m     Use the machine's certificate stores (instead of the default user's stores).

       -v     More details displayed on the console.

       -p password
              Use the specify password when accessing a pkcs12 file.

       -help , -h , -? , /?
              Display help about this tool.

FILES

       WARNING: This details the current behavior of Mono and could change between releases.  The
       only  safe way to interact with certificate stores is to use the certmgr tool. The current
       releases of Mono keeps all the user certificate  stores  in  separates  directories  under
       ~/.config/.mono/certs/

       For example the trusted root certificates for a user would be kept under
              ~/.config/.mono/certs/Trust/

       Certificates files are kept in DER (binary) format (extension .cer).

       The filenames either starts with
              tbp (thumbprint) or ski (subject key identifier).

       The rest of the filename is the base64-encoded value (tbp or ski).

       Private key data is stored under
              ~/.config/.mono/keypairs/

EXAMPLES

       mono certmgr.exe -list -c -m Trust
              List  all certificates in the machine Trust store. This will display the hash value
              for each certificate. This value can be used to identify uniquely a certificate for
              some       operations       (e.g.       delete).       E.g.       Unique      Hash:
              FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8

       mono certmgr.exe -del -c -m Trust FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
              Remove the certificate, represented by the  hash  value,  from  the  machine  Trust
              store.  Note  that  the  machine  store is normally restricted. The following error
              message will appear if the current user doesn't have the minimum access  rights  to
              remove  the  certificate:  Access to the machine 'Trust' certificate store has been
              denied.

       certmgr -ssl https://www.verisign.com
              Import certificates from www.verisign.com used for HTTP over SSL. See KNOWN  ISSUES
              (MD2) if you're downloading from www.verisign.com.

       certmgr -ssl ldaps://www.nldap.com:636
              Import the certificates from www.nldap.com used for secure LDAP. This works even if
              we don't know how to speak LDAP because we stop the communication shortly after the
              SSL handshake (which gives us the certificate).

KNOWN ISSUES

       MD2    Some Certificate Authorities (CA) old root certificates use the MD2 hash algorithm.
              MD2 is old enough not to be part of the standard .NET  framework.   This  makes  it
              impossible  to  validate  a digital signature made with MD2. For this reason MD2 is
              included in the Mono.Security.dll assembly. However the machine.config file must be
              updated so the OID for MD2 is known at runtime.

              To correct this insert the following XML snippet inside the <configuration> element
              of your machine.config file.
                <mscorlib>
                  <cryptographySettings>
                    <cryptoNameMapping>
                      <cryptoClasses>
                        <cryptoClass              monoMD2="Mono.Security.Cryptography.MD2Managed,
              Mono.Security,                 Version=1.0.5000.0,                 Culture=neutral,
              PublicKeyToken=0738eb9f132ed756" />
                      </cryptoClasses>
                      <nameEntry name="MD2" class="monoMD2" />
                    </cryptoNameMapping>
                    <oidMap>
                      <oidEntry OID="1.2.840.113549.2.2" name="MD2" />
                    </oidMap>
                  </cryptographySettings>
                </mscorlib>

AUTHOR

       Written by Sebastien Pouliot

       Minor additions by Pablo Ruiz GarcĂ­a

COPYRIGHT

       Copyright (C) 2004-2005 Novell.

MAILING LISTS

       Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.

WEB SITE

       Visit http://www.mono-project.com for details

SEE ALSO

       makecert(1),setreg(1)

                                                                                    Mono(certmgr)