Credential Management Utility™

Are your users comfortable managing their own PKI credentials?

About CMU

CMU lets system administrators automate the common credential management tasks that most users find extremely daunting. Custom CMU scripts can be used to:

  • facilitate PKI enrollment
  • reconfigure critical applications after key rollover
  • synchronize user credentials between web browsers
  • create secure backups of user credentials
  • transparently configure user CAPI, MAPI, Outlook S/MIME, and GAL profiles

Imagine what you'll save in help desk calls alone!

CMU scripts can be easily distributed as self-extracting/self-executing packages that users can run from your corporate web server by simply clicking on a link.

Supported Applications

CMU supports the configuration, management, and migration of credentials in and among the following applications:

  • Microsoft Internet Explorer 5.0 and above
  • Microsoft Outlook 2000, 2002, 2003, 2007, 2010, 2012 (32- and 64-bit†)
  • Microsoft Exchange 5.5 and above
  • Netscape 4.75 and above
  • Mozilla 1.1, 1.6, and above
  • Firefox 1.0 and above
  • SecretAgent 5.x, SpyProof! 1.x

†The following table indicates which cmu build is required to work with various builds of Outlook on 32- and 64-bit Windows platforms:


Windows Outlook Appropriate cmu Build
32- or 64-bit
32-bit (cmu.exe)
64-bit (cmu64.exe)
(not supported by Microsoft)

CMU function diagram

This diagram (click for higher-resolution PDF) illustrates the configuration and credential migration capabilities of the product, while the table below provides a detailed description of the available functions:

Detailed Function List

The principal functions provided by the CMU are:

  • configure Outlook S/MIME: adds S/MIME encrypt and sign buttons to Outlook's message composition toolbar (works with Outlook 2000-2010); version 2.1 can force reconfiguration of Outlook so that Word is no longer used as the default e-mail editor
  • configure CAPI client authentication: configures the user's CAPI store so that IE does not prompt for certificate selection during client authentication, but rather automatically provides the user's freshest signing certificate; version 2.0 allows signing certificates to be filtered by issuing CA's authorityKeyIdentifier value
  • POST file or string; download file from specified URL: uses HTTPS to retrieve an arbitrary file from a specified web server (can be used to retrieve certificates, CRLs, or even auxiliary cmu batch scripts); latest version allows file (or literal string) to be POST'ed to the server and result captured to a file
  • export: exports user credentials as PKCS#12 files from specified browsers to a local backup folder; descriptive file names are automatically generated to make it easy to locate a particular key pair in an emergency
  • import: imports the specified PKCS#7, PKCS#12 and DER-encoded .cer files into the certificate stores of all supported browsers; version 2.0 supports base64-encoded as well as binary PDUs
  • list: displays the friendly names of all PKCS#12 files in a local backup folder
  • configure MAPI security: sets the user's freshest signing and/or encrypting certificate(s) found in CAPI as the S/MIME certificates in the user's default MAPI security profile for use with Outlook (extremely useful after key rollover); version 2.1 allows user certificates to be filtered by issuing CA's authorityKeyIdentifier value
  • publish to GAL: publishes the user's freshest certificates to the global address list (GAL) using MAPI to automatically identify the user account and appropriate Exchange Server host; version 2.1 allows user certificates to be filtered by issuing CA's authorityKeyIdentifier value
  • create/update LDAP query in Outlook: allows customized LDAP queries to be programmatically added to the user's "address books" in Outlook
  • reinitialize: backs up the user's existing default Netscape databases and recreates them using the specified password (useful when a user forgets his Netscape database password)
  • synchronize: imports into specified browsers all PKCS#12 files found in a local backup folder together with all new PKCS#7 and PKCS#12 files specified on the command line
  • update SecretAgent and/or SpyProof! profiles: reconfigures user profiles for these ISC applications to use freshest signing and encryption certificates in CAPI or as specified on the command line
  • write NSS directory list file: allows a list of Netscape-based credential database folders to be written to a text file and reused with other commands, thereby avoiding repeated database discovery searches
  • zap CAPI credentials: removes non-self-signed, non-EFS credentials from CAPI with optional authorityKeyIdentifier filtering and confirmation prompts

A large number of options allow you to customize CMU to best fit your particular credential management needs. And ISC is always willing to add related features that we may not have already thought of. Let us know what new functions you need!

Additional Information

CMU 2.3.1 Command Line Interface Documentation (PDF updated 03/15/13)

Section 508 VPAT for CMU (PDF updated 5/15/09)

The size of the cmu executable alone is roughly 800KB. Included in the standard distribution are three optional 'tools directories' that provide support for the three different Netscape/Mozilla database architectures that have been fielded since release 4.75. Each set of optional database 'tools' adds 1-2MB to the size of the total package. Of course, the cmu executable and any necessary 'tools' can be pulled upon demand from a shared file/application server, so the total 'footprint' on end user systems is minimal. (The cmu inspects each Netscape/Mozilla database it encounters to determine which version(s) of the tools are required. Program configuration variables can be used to specify the locations of the various tool directories if they are not in their default locations immediately underneath the cmu.exe directory.)
