Windows certificate stores

​So, I was curious where exactly certificates and their corresponding private keys are stored on a Windows machine. Did a bit of research, and the picture is somewhat clear, however there is a lot of info on the topic and some points don’t seem to correspond to the actual situation on my Windows 8 machine.

Let’s start by the basics, the Certificates MMC console, easily launched by certmgr.msc. It gives us the first hint where certificates are stored, by allowing us to view the Physical certificate stores:

122516 1141 Windowscert1

As you can see, there are several stores: the Registry, the Local Computer (hard drive), Smart Card. There are also some not shown in the picture: the Enterprise store, the Group Policy store, the Third-Party store. When using a AD CA, there are also some containers under the Configuration partition, but let’s ignore those.

If we actually go to MMC and add the certificates snap-in, we have some more choices for the account. They correspond to a normal user account, service account or the computer account. So all of those stores listed above have their corresponding location for each account. Let’s start with the Registry store:

  • HKEY_Current_User\Software\Microsoft\SystemCertificates contains registry settings for the current user. Those can include the BLOB (Binary Large object) and various settings for the certificate, as well as settings related to the CA certificates that support the user certificates.
  • HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates contains the same info, but for certificates distributed via Group Policy.
  • HKEY_Users\User SID\Software\Microsoft\SystemCertificates contains this info for the corresponding user
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates contains this info for the corresponding service account
  • HKEY_Local_Machine\Software\Microsoft\SystemCertificates contain the info for the computer account
  • HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates contains the same, but for GP distributed certificates for the computer account
  • HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates contains info about the AD published certificates

More info about the above can be found in these articles on MSDN and TechNet.

Now, some stuff is actually stored on the local hard drive. Under file:\%APPDATA%\Microsoft\SystemCertificates\MyCertificates you will find all your personal certificates. Looking at the picture above and all the info I’ve seen over the internet, those should be stored in the registry. Well, at least on my Windows 8 machine this is NOT the case, and all the certificates that are listed under Personal in certmgr.msc can be found in this folder. The corresponding private keys are in C:\Users\XXXX\AppData\Roaming\Microsoft\Crypto\RSA\S-I-D. Other directories worth noting are the C:\Users\XXXX\AppData\Roaming\Microsoft\Credentials one and the C:\Users\XXXX\AppData\Roaming\Microsoft\Protect\S-I-D one.

For the computer account, certificates are indeed stored in the registry, in the keys detailed above. The corresponding private keys are stored encrypted in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and similarly for the others.

You can use some other tools to work with the certificate stores. The certutil tool has some uses, for example you can view all the personal certificates for the current user with:

certutil -user -viewstore My

If you simply want to dump all the information in the console, you can use:

certutil -user -store My

To do the same for the computer account, simply drop the ‘-user’ parameter:

certutil -store My or certutil -viewstore My

A lot more options are available, feel free to explore more here.

For the PowerShell lovers, the Cert: drive can provide most of the needed information. Here are some uses:

PS C:> cd Cert:; dir

Location   : CurrentUser
StoreNames : {SmartCardRoot, Root, Trust, AuthRoot...}

Location   : LocalMachine
StoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}

To list all the certificates in the ‘Personal’ store for the current user, use:

PS Cert:> dir Cert:CurrentUserMy

Directory: Microsoft.PowerShell.SecurityCertificate::CurrentUserMy
Thumbprint                                Subject
----------                                -------
A7620E9F2EA346FF002AECA5EEBE364892E70D74  CN=6DB6031A-EB7C-4DD8-8CD6-D238A787B8F8
7B5159CEDAF7DDA18090BBC78CA607213235823F, CN=Vasil Lyubenov Michev, OU=VPN-WEB-H, O=Hewlett-Packard Company
249BA6C5CA7DC641A07287EA2B2AA9B361A4C56E  CN=Vasil

To get all the details for a particular certificate, you can use:

PS Cert:> dir Cert:CurrentUserMy106796B4130A9AE14BF38C7CE553353204613796 | fl *

And there is of course much more that you can do with PowerShell, make sure to check out this article.

There are unfortunately some discrepancies between the store names in different tools, so you need to be careful. I’m too lazy to make a good table for all the relevant ones, but a sample is available for example here.

7 thoughts on “Windows certificate stores

  1. Swaminathan Shanmugam says:

    Thank you very much for your valuable information about Certificates
    Swaminathan Shanmugam

  2. Nathan Ricker says:

    Thank you very much to the writer for the detailed analysis and step-by-step instructions.

  3. Beto says:

    Hi Vasil,

    Thanks, that is useful.
    Question is are these files in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates” usable? As they have no extension, I can only guess. Have tryed to rename to popular certificate extensions, but no luck.
    Any advise?

  4. Kevin says:

    “And there is of course much more that you can do with PowerShell, make sure to check out this article.” – that article is 404


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.