CMU Support

  • Downloads
  • Revision History
PDF logo CMU man page (PDF) 03/31/19 Documentation on the cmu and cpf4cmu 1.0.0 command lines
download icon CMU VPAT 05/29/09

Section 508 VPAT for cmu 2.x

CMU 2.7.1

Enhancements and bug fixes; see the updated ducmentation (cmu271.pdf) for more details.

  • CMU has been updated to accept references to CSPid-compatible, DPAPI-encrypted password files in place of actual passwords; this allows the end-user to hide passwords from admins/process that can view/log command line invocations The software distribtuion package now includes a separate customizable GUI application (cpf4cmu.exe) that can create Windows DPAPI-protected files.
  • #6625 Changed the semantics of -k and -p arguments: if either starts with "file:," the rest of the string is treated as the pathname of an encrypted password file that will be decrypted using the Windows DPAPI.
  • d: the -w string argument may now contain replaceable parameters that are successively read out of one or more DPAPI-encrypted files. For example, the command:

      cmu d -w "p12pin1=%1&p12pin2=%2" f1.bin f2.bin output.der

    will cause the contents of f1.bin and f2.bin to be read from disk, decrypted, and substituted into the string to be posted as if it were

      "p12pin1=<plaintext from f1.bin>&p12pin2=<plaintext from f2.bin>"

    Only single digit replacement parameters (%[1..9]) are supported but they need not be referenced sequentially. There must be at least as many files specified on the command line as are referenced by the different replaceable parameters, but not all need be used. The final command line argument must be the output file specification.
  • #6877 The NSS database operations will now attempt to act on all NSS databases in the specified user profiles rather than on just the first database found in each directory
  • #6848 The c operation's -v switch now displays the common name in the certificate chosen for client authentication
  • #6720 Removed references to old versions of Windows and Outlook from the documentation
  • #6648 The c operation will now skip certificates with an EKU extension but without EKU extended properties in the attempt to avoid removing certain key usage settings from certificates not chosen for client authentication
  • #6540 The m operation's --profile switch is no longer logged as p12pwd in the logfile
  • #6539 The m operation's -D option no longer displays the signing certificate information in the encryption certificate section
  • #6282 The man page documentation for the u operation now properly lists Adobe Acrobat
  • #6281 Corrected an error in the documentation's description of the -A switch
  • #6185 Added the -TT switch to the man page documentation
CMU 2.7.0
  • Updated to support new Mozilla/Firefox key and database formats introduced with Firefox 60.3.0 ESR and Firefox 58
CMU 2.6.1
  • #6762 The Firefox initialize command now supports the -C option. When -C is present, a copy of the user's current databases will not be created
CMU 2.6.0
  • #6187 Modified the -i option to accept an issuer DN instead of just an AKID
  • #6713 PKCS#12 files output by CMU now use 3DES exclusively when encrypting certificate bags. CMU now supports AES (-aes128, -aes192, -aes256) as an option when encrypting private key bags (the default is 3DES)
CMU 2.5.2
  • The CMU 'c' operation now supports a -E option that will remove the Client Authentication and Secure Email purposes on all encryption certificates and all signing certificates other than the one selected as the most recently issued.
CMU 2.5.1
  • i: now supports importing CRL files
  • e: now supports the -i option to filter by issuer ID
  • e: now supports -S to export only the freshest signing key pair
  • e: now supports -E to export only the freshest encrytion key pair.
CMU 2.5.0
  • p: if the user's Outlook profile is configured with more than one email account, the account marked "default" is used
  • support added to set the default signing certificate in Adobe Acrobat and Reader, versions 10, 11, and DC
  • support for Windows XP has been dropped
CMU 2.3.2
  • c: no longer modifies the client authentication flag for certificates that aren't sign capable
CMU 2.3.1
  • m: added AES256 to S/MIME capabilities list when configuring user's MAPI security profile
  • q: added support for the specification of a custom search base option when creating LDAP queries for Outlook 2007/2010
  • i: added support for the importing of .cer files into Mozilla apps
  • z: added command to erase CAPI credentials
  • numerous bug fixes
CMU 2.1.0
  • Workaround: If 'cmu -i' fails to import multiple PKCS#12 files into Firefox, just split the command line into multiple calls each of which imports a single PKCS#12 file. This seems to fix the '1704 error' that may occur with mutliple files in a single invocation.
  • fixed the following bugs in 2.0.0:
    ID      Summary
    3782    i: crashes on .p12 import
    3783    i: mport fails to parse attached b64 certs
    3785    s: synchronization is aborted on first error
    3786    e: export fails if certificate has unicode CN
    3787    e: export stops on first failure
    3788    d: crash results if protocol is not specified in URL
    3789    error return codes not written to screen or log file upon exit
    3795    -h usage string failed to document new -i switch
    3853    m -Di: returns 0 even if supplied akid doesn't match configured certs in
    3919    NSS password parsing anomaly
    3925    d: cmu fails to detect error response from server
    3927    s -N: behaves strangely when importing certs into Netscape 7.2
    3928    p, m: 'freshest cert' test using wrong dates?
    4102    i -N: use of invalid p12 password results in wrong error code
    4103    i -N: use of invalid db password results in wrong error code
CMU 2.0.0
  • simplified command line syntax allows only one function per invocation, but provides much better error reporting
  • added capability to filter freshest end-user certificates by issuing CAs authorityKeyIdentifier value when configuring TLS client authentication in CAPI
  • added 'u' function to update SecretAgent and/or SpyProof! profiles with freshest signing and encryption certificates
  • added support for transparently handling base64-encoded certificate and PKCS#7 files; fixed some PKCS#12 parsing issues
  • removed '-C' option -- CAPI operations are now the default; use the '-N' switch to ignore CAPI and perform all operations on/using Netscape databases
Current release:
  • {version}