If you’ve ever seen certmgr.exe in Task Manager or tried to manage SSL certificates on Windows, you’re in the right place. This guide explains exactly what certmgr.exe is, what it does, how to use it, and how to fix common problems with it.
What Is certmgr.exe?
certmgr.exe is the Certificate Manager tool built into Windows. It lets you view, import, export, and delete digital certificates stored on your computer. These certificates are used to verify identities, encrypt connections, and establish trust between your machine and websites, apps, or networks.
Think of it like a secure wallet. Windows keeps all its trusted certificates inside this wallet, and certmgr.exe is the key that lets you open and manage it.
There are actually two versions of this tool on Windows:
- certmgr.msc is the graphical snap-in that opens in the Microsoft Management Console (MMC). Most regular users interact with this one.
- certmgr.exe is a command-line tool that comes with the Windows SDK and is mainly used by developers and IT professionals.
When most people say “certmgr.exe,” they usually mean the certificate management system as a whole, including the GUI version.
Where Is certmgr.exe Located?
On Windows, you can find the certificate manager at:
C:\Windows\System32\certmgr.msc
The SDK-based command-line certmgr.exe is usually found at:
C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\certmgr.exe
If you just want to open the certificate manager quickly, press Win + R, type certmgr.msc, and press Enter. That opens the full GUI tool for the current user’s certificate store.
For the local machine’s certificate store (which covers all users and services), type certlm.msc instead.
How Digital Certificates Work on Windows
Before diving into the tool itself, it helps to understand what certificates actually are.
A digital certificate is a file that proves identity. When your browser connects to a website over HTTPS, the site sends a certificate. Windows checks that certificate against its list of trusted Certificate Authorities (CAs) stored in certmgr. If the chain of trust checks out, the connection is allowed. If not, you get a warning.
Certificates have a few key properties:
| Property | What It Means |
|---|---|
| Issued To | The entity the certificate belongs to |
| Issued By | The Certificate Authority that signed it |
| Valid From / To | The date range when the certificate is trusted |
| Thumbprint | A unique fingerprint for that specific certificate |
| Purpose | What the certificate is allowed to do |
Windows organizes certificates into stores, and certmgr.exe lets you navigate all of them.
The Certificate Stores in Windows
When you open certmgr.msc, you see several folders on the left. Each is a different store.
Personal holds certificates that belong to you and have a matching private key. These are used for things like email signing, smart card login, or authenticating to a VPN.
Trusted Root Certification Authorities is one of the most important stores. It lists all the root CAs your system trusts by default. If a root CA is here, Windows trusts every certificate that CA has issued.
Intermediate Certification Authorities holds the middle layer of the certificate chain. Most certificates issued to websites or apps are not signed directly by a root CA. They are signed by an intermediate CA, which is itself signed by the root.
Trusted Publishers is used by Windows to decide which software publishers are allowed to run without security prompts.
Untrusted Certificates is a blocklist. Certificates placed here are explicitly distrusted, even if they would otherwise be valid.
Third-Party Root Certification Authorities covers additional root CAs beyond Microsoft’s built-in list.
How to Open certmgr.exe (Multiple Methods)
Method 1: Run Dialog Press Win + R, type certmgr.msc, hit Enter. This opens the user certificate store.
Method 2: Start Menu Search Click the Start button, type “Manage user certificates,” and click the result.
Method 3: Command Prompt or PowerShell Open a terminal and type:
certmgr.msc
Method 4: Computer Management Open Computer Management, go to Services and Applications, then you can navigate to certificates if the snap-in is added.
Method 5: For the Local Machine Store Press Win + R, type certlm.msc. This requires administrator rights and shows certificates for the entire machine, not just your user account.
How to View a Certificate
- Open certmgr.msc
- Expand the store you want (for example, “Trusted Root Certification Authorities”)
- Click “Certificates” inside it
- Double-click any certificate in the right pane
- A window opens showing all the details, including the issuer, expiry date, and intended purposes
The “Details” tab shows every field in the certificate. The “Certification Path” tab shows how the certificate chains back to a root CA.
How to Import a Certificate Using certmgr.exe
Importing is useful when you have a certificate file (usually .cer, .crt, .pfx, or .p12) and need to add it to Windows so it’s trusted.
- Open certmgr.msc
- Right-click the store where you want to import (for example, “Trusted Root Certification Authorities”)
- Select All Tasks > Import
- The Certificate Import Wizard opens. Click Next.
- Browse to your certificate file and select it
- Choose the store location (it usually suggests the right one)
- Click Next, then Finish
- If prompted with a security warning for root certificates, click Yes only if you trust the source
For PFX files (which contain a private key), you will be asked for a password during import.
Using Command Line (SDK certmgr.exe):
certmgr.exe -add certificate.cer -s -r localMachine Root
This adds a certificate to the local machine’s Trusted Root store. You need admin rights.
How to Export a Certificate
Exporting is useful for backups or moving certificates between machines.
- Open certmgr.msc
- Find the certificate you want to export
- Right-click it and select All Tasks > Export
- The Export Wizard opens. Click Next.
- If the certificate has a private key and you want to export that too, select “Yes, export the private key” (you will need to set a password)
- If exporting just the public certificate, choose “No, do not export the private key”
- Select the format (DER encoded .cer is common for public certs; PFX is needed for private keys)
- Choose a file name and location
- Click Finish
Keep exported PFX files safe. They contain your private key and are sensitive.
How to Delete a Certificate
Deleting a certificate removes it from the store. Only delete certificates you are sure about. Removing a trusted root certificate can break SSL connections for many websites.
- Open certmgr.msc
- Navigate to the certificate
- Right-click it and click Delete
- Confirm the deletion
To delete via the command line:
certmgr.exe -del -c -n "Certificate Name" -s -r localMachine Root
How to Use certmgr.exe from the Command Line
The SDK version of certmgr.exe is powerful for scripting and automation. Here are the main flags:
| Flag | Purpose |
|---|---|
| -add | Adds a certificate to a store |
| -del | Deletes a certificate from a store |
| -put | Copies a certificate to a file |
| -s | Specifies a system store |
| -r | Specifies registry location (currentUser or localMachine) |
| -c | Operates on certificates |
| -crl | Operates on Certificate Revocation Lists |
| -v | Verbose output |
Example: Add a certificate to the current user’s Personal store
certmgr.exe -add mycert.cer -s My
Example: List all certificates in the Root store
certmgr.exe -s Root
Example: Delete by name from the root store
certmgr.exe -del -c -n "My Company Root CA" -s Root
For more detail on command syntax, Microsoft’s official documentation at learn.microsoft.com covers every flag with examples.
Common certmgr.exe Problems and How to Fix Them
Certificate Is Not Trusted
Symptom: You get SSL errors or “certificate not trusted” warnings.
Fix: The issuing CA is probably not in your Trusted Root store. Import the root certificate for that CA. Ask your IT team or the software vendor for the root CA certificate file.
certmgr.msc Shows No Certificates
This can happen if you opened it as a different user than expected. Remember: certmgr.msc shows the current user’s store. If you need the machine store, use certlm.msc instead.
Cannot Import a Certificate (Access Denied)
You need administrator rights to import into the local machine store. Right-click the certlm.msc shortcut or command prompt and select “Run as Administrator.”
Certificate Is Expired
An expired certificate cannot be used for new connections. You need to request or obtain a renewed certificate from the CA and import it. Keep the old one until you confirm the new one works.
Private Key Is Missing
If you exported a certificate without the private key and now need it, you may not be able to recover it. Always export PFX files (with private key) when backing up personal certificates.
certmgr.exe Is Not Recognized in Command Prompt
This means you are using the built-in Windows certmgr.msc, not the SDK tool. The SDK certmgr.exe is only available if you install the Windows Software Development Kit. You can download the Windows SDK from developer.microsoft.com.
Is certmgr.exe Safe? Could It Be Malware?
The legitimate certmgr.exe lives in C:\Windows\System32\ or inside the Windows SDK folder. If you see certmgr.exe running from a different location (like AppData, Temp, or a random folder), that is suspicious.
Malware sometimes uses names like certmgr.exe to disguise itself. Here is how to check:
- Open Task Manager
- Find certmgr.exe in the list
- Right-click and choose “Open File Location”
- If the path is not
C:\Windows\System32\, investigate further
You can also right-click the file in System32, go to Properties > Digital Signatures, and verify it is signed by Microsoft.
certmgr.exe vs Other Certificate Tools on Windows
| Tool | Type | Use Case |
|---|---|---|
| certmgr.msc | GUI (MMC snap-in) | Managing user certificates visually |
| certlm.msc | GUI (MMC snap-in) | Managing local machine certificates |
| certmgr.exe (SDK) | Command-line | Scripting, automation, .NET development |
| certutil.exe | Command-line | Built-in Windows tool for certificates |
| PowerShell (Get-Certificate) | Scripting | Managing certificates via PowerShell |
certutil.exe is actually more powerful and always available without installing the SDK. For most command-line certificate tasks on Windows in 2026, certutil is the better choice.
Example with certutil to list all root certificates:
certutil -store Root
Managing Certificates with PowerShell
PowerShell gives you more flexibility than the GUI or certmgr.exe for automation.
List all personal certificates:
Get-ChildItem -Path Cert:\CurrentUser\My
List all trusted root certificates:
Get-ChildItem -Path Cert:\LocalMachine\Root
Import a certificate:
Import-Certificate -FilePath "C:\cert.cer" -CertStoreLocation Cert:\LocalMachine\Root
Remove a certificate by thumbprint:
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "YOURTHUMBPRINTHERE"} | Remove-Item
PowerShell is the recommended approach for managing certificates in automated deployments and enterprise environments.
Best Practices for Certificate Management in Windows
- Always back up certificates with private keys before making changes. Export as PFX with a strong password.
- Never import root certificates from sources you do not trust. A rogue root CA can be used to intercept encrypted traffic.
- Check certificate expiry dates regularly. Expired certificates cause service outages.
- Use certlm.msc (local machine store) for server and system-wide certificates. Use certmgr.msc (user store) for personal certificates.
- Document what certificates you have imported manually and why. This helps during audits or when troubleshooting.
- In enterprise environments, use Group Policy to distribute trusted certificates across all machines automatically.
Conclusion
certmgr.exe is a core part of how Windows handles trust on the internet and within networks. Whether you use it through the GUI (certmgr.msc), the command line, or PowerShell, it gives you full control over which certificates your system trusts. For everyday users, the most important skill is knowing how to import a missing root or intermediate CA certificate when you hit SSL errors. For IT admins, knowing certutil.exe and PowerShell on top of certmgr.exe will cover almost every scenario. The key rule: only trust certificates from sources you have verified yourself.
Frequently Asked Questions
What is the difference between certmgr.msc and certlm.msc?
certmgr.msc manages certificates for the currently logged-in user. certlm.msc manages certificates for the local machine, meaning they apply to all users and system services. For server certificates and enterprise CA roots, you almost always want certlm.msc.
Can certmgr.exe be a virus?
The real certmgr.exe from Microsoft is safe. If the file is running from a location other than C:\Windows\System32 or the official Windows SDK path, it could be malware pretending to use a trusted name. Check the file location and verify the digital signature in its properties.
How do I fix “certificate not trusted” errors in Windows?
Open certmgr.msc or certlm.msc, go to the Trusted Root Certification Authorities store, and import the root CA certificate for the service that is failing. The certificate file should come from the vendor or your IT team, not a random website.
Do I need the Windows SDK to use certmgr.exe from the command line?
Yes. The command-line certmgr.exe only comes with the Windows SDK. If you want a built-in command-line certificate tool, use certutil.exe instead, which is already installed on every Windows machine. It is more feature-rich anyway.
How often should I clean up old certificates in Windows?
For personal machines, once a year is reasonable. Look for expired certificates in the Personal store and remove ones you no longer need. For servers and enterprise machines, build this into your regular maintenance cycle. Never delete root CA certificates unless you are certain they are no longer needed, as removing them can break multiple applications at once.
- How to Fix Overscan on Windows 11/10: Stop Your Screen Getting Cut Off (2026) - April 1, 2026
- How to Disable Lock Screen on Windows 11/10 in 2026 - April 1, 2026
- Top 7 NFT Integration Ideas for Brands in 2026 - March 31, 2026