policy to be updated (as the hash value will have changed).
.TP
.I -pub [-cert certificate | -file signedfile | -hex rawdata]
-This condition specify a specific X.509 Authenticode(r) certificate that
-must signed an assembly to be satisfied. The certificate can be referenced
+This condition specify a X.509 Authenticode(r) certificate that must have
+signed an assembly in order to be satisfied. The certificate can be referenced
as a file (binary DER), a signed file (containing the certificate) or with
the hexadecimal value of the certificate. Note that files outside the
policy must also be protected against tempering.
.TP
+.I -strong -file filename [name | -noname] [version | -noversion]
+This condition specify a specific StrongName that must have signed an
+assembly to be satisfied. Use -noname if the assembly name isn't known
+(or important) and -version if the version isn't known (or important) in
+the resolution.
+.TP
.I -site hostname
This condition specify the site from where the assembly must come from to
be satisfied.
.SH SYNOPSIS
.PP
.B certmgr [action] [object type] [options] store [filename]
+or
+.B certmgr -ssl [options] url
.SH DESCRIPTION
This tool allow to add, remove or extract certificates, certificate revocation
lists (CRL) or certificate trust lists (CTL) to/from a certificate store.
.TP
.I "-put"
Copy a certificate, CRL or CTL from a store to a file.
+.TP
+.I "-ssl"
+Download and add the certificates from a SSL session. You'll be asked to
+confirm the addition of every certificate received from the server. Note
+that SSL/TLS protocols do not requires a server to send the root certificate.
+This action assume an certificate (-c) object type and will import the
+certificates in appropriate stores (i.e. server certificate in the
+OtherPeople store, the root certificate in the Trust store, any other
+intermediate certificates in the IntermediateCA store).
+
.SH OBJECT TYPES
.TP
.I "-c", "-cert", "-certificate"
.TP
.I "-ctl"
Add, Delete or Put certificate trust lists (CRL). UNSUPPORTED.
+
.SH OPTIONS
.TP
-.I "-v", "-verbose"
+.I "-m"
+Use the machine's certificate stores (instead of the default user's stores).
+.TP
+.I "-v"
More details displayed on the console.
.TP
.I "-help", "-h", "-?", "/?"
Display help about this tool.
+
.SH FILES
.B WARNING: This details the current behavior of Mono and could change between releases.
The only safe way to interact with certificate stores is to use the certmgr
tool. The current releases of Mono keeps all the user certificate stores in
separates directories under
-.I ~/.mono/certs/
+.I ~/.config/.mono/certs/
.TP
For example the trusted root certificates for a user would be kept under
-.I ~/.mono/certs/Trust/
+.I ~/.config/.mono/certs/Trust/
.TP
Certificates files are kept in DER (binary) format (extension .cer).
.TP
(subject key identifier).
.TP
The rest of the filename is the base64-encoded value (tbp or ski).
+
+.SH EXAMPLES
+.TP
+.B certmgr -ssl https://www.verisign.com
+Import certificates from www.verisign.com used for HTTP over SSL. See KNOWN
+ISSUES (MD2) if you're downloading from www.verisign.com.
+.TP
+.B certmgr -ssl ldaps://www.nldap.com:636
+Import the certificates from www.nldap.com used for secure LDAP. This works
+even if we don't know how to speak LDAP because we stop the communication
+shortly after the SSL handshake (which gives us the certificate).
+
+.SH KNOWN ISSUES
+.TP
+.B MD2
+Some Certificate Authorities (CA) old root certificates use the MD2 hash
+algorithm. MD2 is old enough not to be part of the standard .NET framework.
+This makes it impossible to validate a digital signature made with MD2. For
+this reason MD2 is included in the Mono.Security.dll assembly. However the
+machine.config file must be updated so the OID for MD2 is known at runtime.
+
+To correct this insert the following XML snippet inside the <configuration>
+element of your machine.config file.
+ <mscorlib>\r
+ <cryptographySettings>\r
+ <cryptoNameMapping>\r
+ <cryptoClasses>\r
+ <cryptoClass monoMD2="Mono.Security.Cryptography.MD2Managed, Mono.Security, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756" />\r
+ </cryptoClasses>\r
+ <nameEntry name="MD2" class="monoMD2" />\r
+ </cryptoNameMapping>\r
+ <oidMap>\r
+ <oidEntry OID="1.2.840.113549.2.2" name="MD2" />\r
+ </oidMap>\r
+ </cryptographySettings>\r
+ </mscorlib>
+
.SH AUTHOR
Written by Sebastien Pouliot
.SH COPYRIGHT
Mono runtime configuration file. See the mono-config(5) manual page
for more information.
.PP
-~/.mono/certs
+~/.config/.mono/certs
.PP
-Contains Mono certificates
+Contains Mono certificate stores. See the certmgr(1) manual page for
+more information.
.SH MAILING LISTS
Visit http://mail.ximian.com/mailman/mono-list for details.
.SH WEB SITE
Visit: http://www.go-mono.com for details
.SH SEE ALSO
-.BR mcs(1), mint(1), monodis(1), mono-config(5).
+.BR mcs(1), mint(1), monodis(1), mono-config(5), certmgr(1).
.PP
For ASP.NET-related documentation, see the xsp(1) manual page
projects / mono.git / commitdiff