81

I can start individual Management Console snap-ins by starting them directly without going through starting mmc.exe and selecting the snap-ins I want.

However, for certmgr.msc selecting in MMC gives me the option to load certmgr for the computer account, which is usually what I need. How can I load certmgr for the computer account from the command line?

StackzOfZtuff
Andrew J. Brehm

6 Answers

132

If you have 2012R1/Win8 or later: You can use certlm.msc (Certificates Local Machine) instead of certmgr.msc. That will open the computer certificate store.

StackzOfZtuff
fgc
  • Thanks for this tip - copying certlm.msc from a Win8 machine is easier than creating a new msc file for my colleagues. – Scott Rhee Apr 24 '14 at 01:45
  • @ScottRhee, Are you sure that's going to work reliably? – Pacerier Nov 16 '14 at 22:15
  • @Pacerier, a few colleagues of mine tried that and I've got no problem so far. – Scott Rhee Nov 17 '14 at 03:44
  • A useful option of using `certlm.msc` over `certmgr.msc` is that it allows you to change which computer's store you are working with. – AntoineL Oct 27 '17 at 12:59
  • @bmaupin: Yes; on the other hand, `.msc` files are XML files and are not signed, so you can drag the certlm.msc file from an 8/2012/10/2016 box to a 7/2008/Vista computer and use it there: it works exactly the same way there. – AntoineL Oct 27 '17 at 13:03
65

The previous answer confused me until I found that a couple of steps were not explicitly stated. Whenever I opened certmgr.msc it only showed me the Current User certs, rather than the ones for the Local Computer store. I found more details in this blog entry.

In case that link dissolves, you need to do these steps to access the different stores:

  1. Start → Run: mmc.exe
  2. Menu: File → Add/Remove Snap-in
  3. Under Available snap-ins, select Certificates and press Add.
  4. Select Computer Account for the certificates to manage. Press Next.
  5. Select Local Computer and press Finish.
  6. Press OK to return to the management console.

Once you have the MMC set up, then you can save the msc with a new name per the above answer.

Peter Mortensen
WiringHarness
  • You need to be running `mmc` as an administrator to have step 4 available. – ivan_pozdeev Mar 23 '17 at 19:55
  • @tjmoore It's fine, once you have created the `.msc` file you do not need to load `mmc.exe` manually separately. I have gone a step further and added a shortcut to the `.msc` file to my Win+X menu. You need to adjust the options (File->Options) to put it in 'User mode' afterwards to prevent seeing the prompt to save changes constantly. Highlight Certificates in the left pane first to save you a navigation step every time you open it. – deed02392 Jan 29 '18 at 09:42
8

Save the .msc file to a file share and just call the UNC.

What I did was create the .msc file (as answered above), but I saved it to a network resource. When I go to the next server, I can call the UNC via Run and, done, the local computer's certificate manager opens up as the Computer Account too. I tested it across a couple of different IIS boxes and found it was indeed unique and the computer's account.

\\fileserver\share\certmgr_computeraccount.msc
Mike
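
An added example, not part of the original answer: because a console file on a share is unsigned XML that anyone with write access to the share can change, this PowerShell sketch copies it locally, checks it against a SHA-256 value you recorded when you created it, and only then opens it. The UNC path is the one from the answer; the expected hash is a placeholder and the local file name is an assumption.

```powershell
# Path from the answer above; the hash is a placeholder you record yourself
# (Get-FileHash on the console file at the time you create it).
$Share          = '\\fileserver\share\certmgr_computeraccount.msc'
$ExpectedSha256 = '<SHA-256 of your known-good console file>'
$Local          = Join-Path $env:TEMP 'certmgr_computeraccount.msc'

# Copy first, so the file that is checked is the file that is opened.
Copy-Item -LiteralPath $Share -Destination $Local -Force

# String comparison with -ne is case-insensitive, which suits hex digests.
$actual = (Get-FileHash -LiteralPath $Local -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item -LiteralPath $Local -Force
    throw "Console file hash mismatch: got $actual"
}

# .msc files are XML; confirm the copy parses and has the MMC root element.
[xml]$doc = Get-Content -LiteralPath $Local -Raw
if ($doc.DocumentElement.Name -ne 'MMC_ConsoleFile') {
    Remove-Item -LiteralPath $Local -Force
    throw 'Not an MMC console file'
}

# Open the verified local copy in MMC.
Start-Process -FilePath "$env:SystemRoot\System32\mmc.exe" -ArgumentList "`"$Local`""
```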
2

Run mmc, select the snap-in, and save (File → Save) the console to your preferred location. Call it something like syscertmgr.msc. Run the saved console whenever you want the computer account's certificates.

u1686_grawity
  • That involves starting MMC. I need to open certmgr without starting MMC, i.e. whenever I connect to a server and install my cert, I want to be able just to start certmgr without going through MMC and selecting the snap-in and that ritual. I am looking for a shorter ritual. You are giving me a longer ritual. – Andrew J. Brehm Feb 23 '11 at 23:25
  • @Andrew: However, you only need to do it *once*. The next time, your "ritual" would consist of 1) opening `syscertmgr.msc` that you created. You *cannot* force the built-in `certmgr.msc` to do what it's not intended to do. – u1686_grawity Feb 24 '11 at 10:28
  • I only need to load the certificate once. On each server. We have four or five test environments for each production environments. I guess in the prod envs they actually update certs every year. But the test envs don't survive long enough so I'd never do that twice. – Andrew J. Brehm Feb 24 '11 at 15:26
  • @Andrew: Fine, create a console once and start it from a network share. :) (To quote the Help file of `certmgr`, "To switch between managing certificates for your user account, a computer, or a service, you must have separate instances of Certificates added into the console." This means that `certmgr` _really cannot switch to Computer mode_.) – u1686_grawity Feb 24 '11 at 18:00
  • @Andrew: `certutil -ImportPFX` – u1686_grawity Feb 24 '11 at 18:13
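
An added example, not from the thread: the last comment points at importing from the command line instead of opening a console at all. The same idea in PowerShell, assuming Windows 8/Server 2012 or later (where the `Import-PfxCertificate` cmdlet is available) and an elevated session; the PFX path is hypothetical.

```powershell
# Run from an elevated PowerShell session; writing to LocalMachine needs admin rights.
$PfxPath  = 'C:\temp\server.pfx'   # hypothetical path to the certificate to install
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the computer account's Personal store (what certlm.msc shows
# under Certificates - Local Computer > Personal).
$imported = @(Import-PfxCertificate -FilePath $PfxPath `
                                    -CertStoreLocation Cert:\LocalMachine\My `
                                    -Password $Password)

# Read the store back and confirm what actually landed there.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $imported.Thumbprint -contains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# While here, list anything in the computer store expiring within 30 days.
$cutoff = (Get-Date).AddDays(30)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $cutoff } |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter
```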
0

If you follow the instructions in @WiringHarness's answer, on the 'Select Computer' screen make sure you tick "Allow the selected computer to be changed when launching from the command line. This only applies if you save the console."

Let's imagine you save the console in your Windows user home directory with file name certs.msc.

The following batch script will allow you to open the Certificates console on a remote machine as another user...

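```bat
@echo off
rem Prompt for the remote host and for the account to run the console as.
set /p hostname="Enter host name: "
set /p username="Enter domain\username: "
rem Launch the saved console as that user, pointed at the remote computer.
runas /user:%username% "mmc %homepath%\certs.msc \"/computer:%hostname%\""
```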
davmos
0

Since .msc files are for the most part XML, you can create your own certlm.msc

Step 1) Make a copy of Certmgr.msc (`copy certmgr.msc certlm.msc`)

Step 2) Open certlm.msc in the text editor of your choice (`notepad certlm.msc`)

Step 3) Change Line 88 in the file from: "Certificates - Current User" to: "Certificates - Local Computer"

Step 4) Save the file