What are the Windows system certificate stores?
There are three types of certificate stores in Windows.
- User Account store
- Service Account store
- Local Computer store
Each of the three stores contain a number of folders which certificates go into
- Personal (can be known as My when using scripts to add certs)
- Trusted Root Certification Authority (can be known as Root)
- Enterprise Trust
- Intermediate Certification Authority
- Active Directory User Object
- Trusted Publishers
- Untrusted Certificates
- Third Party Root Certification Authorities
- Trusted People
These can be seen if you open up an mmc.exe with the Certificates snapin.
Depending on what the certificate is meant to be doing you have to work out where it would go.
Most of the time on the servers we support we use the Computer Account store (as its accessible by all users on a Computer) and put certificates in the Personal store. Some times you might need to add in the signing authority public key certs into the Root and Intermediate Root CAs.
Certificate store names are as follows (source):
- AddressBook: Certificate store for other people and resources.
- AuthRoot: Certificate store for third-party certification authorities (CAs).
- CertificationAuthority: Certificate store for intermediate certification authorities (CAs).
- Disallowed: Certificate store for certificates that have been revoked so they aren't forgotten.
- My: Certificate store for your personal certificates that you use and is where most custom certificates.
- Root: Certificate store for certificate authorities (CA) that you trust.
- TrustedPeople: Certificate store for other people and resources that you trust.
- TrustedPublisher: Certificate store for application publishers that you trust.