Simon Jarvis - USMT XML Builder


CertMig is a command line utility for importing and exporting all your personal certificates from a command prompt or administrative script.

CertMig exports all public/private key (PFX) certificates and all user-installed public certificates to a single directory. No need to know the certificate name: CertExport enumerates all user-installed certificates in the certificate store and exports them to a specified directory.

All PFX (private/public key) certificates are exported in PKCS #12 format. Optionally, installed personal public X.509 certificates can be exported in either DER-encoded binary format or the more portable base64 format.

This utility is ideal for those migrating systems with EFS enabled, and also simply for backing up all personal certificates to an external or network storage location to ensure your systems are safe and recoverable. There is no need to know which certificates to install by name or GUI; you simply export them all, with either a pre-defined password or your own password for PFX certificates.

Supported operating systems

Windows 2000 Professional/Server
Windows XP Professional
Windows Vista (Professional/Business/Enterprise)
Windows 7 (Professional/Business/Enterprise)
Windows 2003 Server
Windows 2008 Server


CertMig.exe <options>


-e <folder> The directory the certificates are exported to.
-i <folder or filename> Import all cer and pfx certificates from a given folder. Wildcards can be used.
-s <store> Store is my, ca or svc (Optional, defaults to my).
-p <password> Password used to encrypt the PFX files (Optional).
-x509 Export X.509 public certificates in base64 format.
-all Export all store certificates. Enumerates through the store folders and exports all store certificates. Subdirectories are created based on the certificate store folder name.

Valid Store parameters

MY (default) Current user personal certificates
CA Local machine imported certificates
SVC Local Service imported certificates

If a password is not specified, the password is set to hostname_filename, less the extension.

Example: SIMON-PC_Test.pfx password is SIMON-PC_Test

If duplicate certificates are installed on a local machine for different roles, such as one for code signing and one for EFS encryption, and both have the same display name, the backed-up file names are incremented by a number enclosed in brackets at the end of the file name. The password, if not set, still remains the base filename.

Example exporting 2 certificates on SIMON-PC host:

File1. SIMON-PC_Test Certificate.pfx - password is SIMON-PC_Test Certificate

File2. SIMON-PC_Test Certificate(1).pfx - password is SIMON-PC_Test Certificate

Note that spaces are included in the password.

Exported file format


Default PFX file password (pfx files only)


If the certificate friendly name contains invalid file name characters such as /\:*?"<>, they are removed from the output file name only. The default password for these certificates reflects the resulting filename.
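Because the default password is the exported file's own name, any PFX written without -p is protected only by a string that can be read off the file itself. The PowerShell audit below is an added example, not part of CertMig: it assumes a hypothetical $ExportDir that holds CertMig exports and .NET Framework 4.7.2 or later, and it lists the files that still open with the filename-derived default so they can be re-exported with -p.

```powershell
# Added example, not part of CertMig. Audits a CertMig export folder for PFX files
# that still open with the filename-derived default password.
# Requires .NET Framework 4.7.2+ or PowerShell 7 (X509KeyStorageFlags.EphemeralKeySet).
param(
    [Parameter(Mandatory = $true)]
    [string] $ExportDir   # assumption: folder previously passed to CertMig -e
)

function Get-DefaultPasswordCandidates {
    param([string] $FileName)
    # Page rule: default password = file name without extension (hostname_name).
    $base = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    # Duplicate exports get "(n)" appended to the file name only, so also try the
    # name with that suffix stripped. The unstripped form covers a certificate
    # whose own name happens to end in "(n)".
    $stripped = $base -replace '\(\d+\)$', ''
    return @($base, $stripped) | Select-Object -Unique
}

function Test-PfxPassword {
    param([string] $Path, [string] $Password)
    # EphemeralKeySet keeps the private key in memory; nothing is written to a key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password, $flags)
        $cert.Dispose()
        return $true
    } catch {
        return $false   # wrong password or unreadable file
    }
}

$weak = foreach ($file in Get-ChildItem -Path $ExportDir -Filter *.pfx -Recurse -File) {
    foreach ($candidate in Get-DefaultPasswordCandidates $file.Name) {
        if (Test-PfxPassword -Path $file.FullName -Password $candidate) {
            $file.FullName   # report the path only, never the password
            break
        }
    }
}

if ($weak) {
    Write-Warning 'These PFX files open with the default password; re-export them with -p:'
    $weak
} else {
    Write-Output "No PFX file under $ExportDir opens with the default password."
}
```

The -Recurse switch also covers the per-store subdirectories that -all creates.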

Exporting certificates on a regular basis

If you use CertMig in an automated backup script, please ensure that the password, if specified, is the same on every backup run. CertMig will not overwrite certificates unless they are identical. For PFX certificates, CertMig compares installed certificates with those in the export directory. If two certificates are not identical but have the same certificate name, CertMig will create a copy with a different name. PFX certificates are encrypted by password, so in order to perform a comparison, CertMig attempts to decrypt with either the default password or the user-specified one (-p switch). If the password is invalid, a duplicate certificate is created.