Credential Management Utility™

Are your users comfortable managing their own PKI credentials?

About CMU

CMU lets system administrators automate the common credential management tasks that most users find extremely daunting. Custom CMU scripts can be used to:

  • facilitate PKI enrollment
  • reconfigure critical applications after key rollover
  • synchronize user credentials between web browsers
  • create secure backups of user credentials
  • transparently configure user CAPI, MAPI, Acrobat, Outlook S/MIME, and GAL profiles

Imagine what you'll save in help desk calls alone!

CMU scripts can be easily distributed as self-extracting/self-executing packages that users can run from your corporate web server by simply clicking on a link.

New! CMU 2.7.1 supports the substitution of references to CSPid-compatible, DPAPI-encrypted password files in place of explicit passwords in all appropriate command line arguments. This allows users to hide their passwords from any administrator/system process that can monitor/log their command line invocations. (Similar enhanced functionality is provided for authenticated HTTPS downloads using the 'cmu d' operation via the support of up to nine independent POST/GET parameters that are replaced at runtime by the contents of Windows DPAPI-protected files.)

Included in the latest release is a stand-alone customizable GUI application (cpf4cmu) that may be distributed to end-users for the purpose of creating suitable DPAPI-protected ciphertext files; no CSPid license is required.

Supported Applications

CMU supports the configuration, management, and migration of credentials in and among the following applications:

  • Adobe Acrobat
  • Firefox/Thunderbird 1.0 and above
  • Microsoft Internet Explorer 5.0 and above
  • Microsoft Outlook 2013/2016/2019 and Office 365 (32- and 64-bit†)
  • Microsoft Exchange 2010 and above
  • Mozilla 1.1, 1.6, and above

†The following table indicates which cmu build is required to work with various builds of Outlook on 32- and 64-bit Windows platforms:


Windows Outlook Appropriate cmu Build
32- or 64-bit
32-bit (cmu.exe)
64-bit (cmu64.exe)
(not supported by Microsoft)

CMU function diagram

This diagram illustrates the configuration and credential migration capabilities of the product, while the table below provides a detailed description of the available functions:

Detailed Function List

The principal functions provided by CMU are:

  • configure Outlook S/MIME: adds S/MIME encrypt and sign buttons to Outlook's message composition toolbar (works with Outlook 2000-2010); version 2.1 can force reconfiguration of Outlook so that Word is no longer used as the default e-mail editor
  • configure CAPI client authentication: configures the user's CAPI store so that IE does not prompt for certificate selection during client authentication, but rather automatically provides the user's freshest signing certificate; version 2.0 allows signing certificates to be filtered by the issuing CA's authorityKeyIdentifier value
  • POST file or string; download file from specified URL: uses HTTPS to retrieve an arbitrary file from a specified web server (can be used to retrieve certificates, PKCS#12 files, CRLs, or even auxiliary cmu batch scripts); the latest version allows the string being posted to the server to contain up to nine tokens that are replaced at runtime with the plaintext contents of specified DPAPI-encrypted files (created with the 'g' function, the auxiliary interactive cpf4cmu.exe utility, or with CSPid)
  • export: exports user credentials as PKCS#12 files from specified browsers to a local backup folder; descriptive file names are automatically generated to make it easy to locate a particular key pair in an emergency
  • generate: generates a 16-byte pseudorandom ephemeral key, encrypts its encoding as a 32-octet string of hex digits under the Windows DPAPI, and stores the ciphertext in a specified file. This file, when supplied as an argument to a subsequent 'cmu d' operation, is read into memory and decrypted; the plaintext hex representation of the ephemeral key is then substituted into the '-w' argument in place of a token of the form '%d' (here 'd' is an integer in the range 1..9 corresponding to the file's position in the command's list of file arguments). In this way ephemeral keys may be created and utilized by cmu (say, as PKCS#12 passwords) without exposing them to processes that may be able to capture the cmu command line
  • import: imports the specified PKCS#7, PKCS#12 and DER-encoded .cer files into the certificate stores of all supported browsers; version 2.0 supports base64-encoded as well as binary PDUs
  • list: displays the friendly names of all PKCS#12 files in a local backup folder
  • configure MAPI security: sets the user's freshest signing and/or encrypting certificate(s) found in CAPI as the S/MIME certificates in the user's default MAPI security profile for use with Outlook (extremely useful after key rollover); version 2.1 allows user certificates to be filtered by the issuing CA's authorityKeyIdentifier value
  • publish to GAL: publishes the user's freshest certificates to the global address list (GAL) using MAPI to automatically identify the user account and appropriate Exchange Server host; version 2.1 allows user certificates to be filtered by the issuing CA's authorityKeyIdentifier value
  • create/update LDAP query in Outlook: allows customized LDAP queries to be programmatically added to the user's "address books" in Outlook
  • reinitialize: backs up the user's existing default Netscape databases and recreates them using the specified password (useful when a user forgets his Netscape database password)
  • synchronize: imports into specified browsers all PKCS#12 files found in a local backup folder together with all new PKCS#7 and PKCS#12 files specified on the command line
  • update Acrobat profile: reconfigures the user profile for Acrobat to use the freshest signing certificate in CAPI or the one specified on the command line
  • write NSS directory list file: allows a list of Netscape-based credential database folders to be written to a text file and reused with other commands, thereby avoiding repeated database discovery searches
  • zap CAPI credentials: removes non-self-signed, non-EFS credentials from CAPI with optional authorityKeyIdentifier filtering and confirmation prompts
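
The 'generate' and token-substitution behaviour described in the list above, sketched in PowerShell as an added illustration. It is not CMU's code or command-line syntax. The function names, file path, template string and the CurrentUser DPAPI scope are assumptions, since the page does not state which scope or entropy CMU uses.

```powershell
# Added illustration, not CMU code: function names and the file path are hypothetical.
Add-Type -AssemblyName System.Security   # loads ProtectedData, the .NET wrapper for DPAPI

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser  # assumed scope

function New-SealedEphemeralKey {
    param([Parameter(Mandatory)][string]$Path)
    # 16 bytes from the OS CSPRNG, encoded as 32 hex digits
    $key = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    $hex = -join ($key | ForEach-Object { $_.ToString('x2') })
    # Seal the hex encoding with DPAPI; only the ciphertext is written to disk
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::ASCII.GetBytes($hex), $null, $Scope)
    [System.IO.File]::WriteAllBytes($Path, $blob)
}

function Expand-SealedToken {
    param([Parameter(Mandatory)][string]$Template,
          [Parameter(Mandatory)][string[]]$SealedFile)
    if ($SealedFile.Count -gt 9) { throw 'Only tokens %1..%9 are defined.' }
    # Decrypt each file in list order; position N in the list serves token %N
    $plain = @(foreach ($f in $SealedFile) {
        $blob = [System.IO.File]::ReadAllBytes($f)
        [System.Text.Encoding]::ASCII.GetString(
            [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope))
    })
    [regex]::Replace($Template, '%([1-9])', {
        param($m)
        $i = [int]$m.Groups[1].Value
        if ($i -gt $plain.Count) { throw "Token %$i has no matching file." }
        $plain[$i - 1]
    })
}

# Constructed demo: the command line, and any log of it, carries only "%1" and a file path.
$file = Join-Path $env:TEMP 'p12-pass.dpapi'
New-SealedEphemeralKey -Path $file
$expanded = Expand-SealedToken -Template 'password=%1' -SealedFile $file
if ($expanded -notmatch '^password=[0-9a-f]{32}$') { throw 'unexpected expansion' }
Remove-Item $file
```

With CurrentUser scope the sealed file can only be decrypted under the same Windows user profile, so a copy taken by another account or moved to another machine does not yield the key.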

A large number of options allow you to customize CMU to best fit your particular credential management needs. And ISC is always willing to add related features that we may not have already thought of. Let us know what new functions you need!

Additional Information

CMU command line interface documentation

Section 508 VPAT for CMU

The size of the cmu executable alone is roughly 800KB. Included in the standard distribution are three optional 'tools directories' that provide support for the three different Netscape/Mozilla database architectures that have been fielded since release 4.75. Each set of optional database 'tools' adds 1-2MB to the size of the total package. Of course, the cmu executable and any necessary 'tools' can be pulled on demand from a shared file/application server, so the total 'footprint' on end user systems is minimal. (cmu inspects each Netscape/Mozilla database it encounters to determine which version(s) of the tools are required. Program configuration variables can be used to specify the locations of the various tool directories if they are not in their default locations immediately underneath the cmu.exe directory.)
