Difference between revisions of "Key Store"
From MgmtWiki
(→Windows) |
(→Apple) |
||
| (20 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | ==Full Title or Meme | + | ==Full Title or Meme== |
Where Keys, Certificates and Bindings can be found on each Operating system. | Where Keys, Certificates and Bindings can be found on each Operating system. | ||
==Windows== | ==Windows== | ||
| − | The original Windows Crypto API was | + | The original Windows CAPI (Crypto API) was built on RSA supplied code by the AD team and treated certificates as the primary objects. Keys were depended from Certificates which were stored in the Windows Registry under either the Local Machine (HKLM) or or Current User (HKCU) branch. While the focus on Keys over Certificates changed with the CNG (Crypto Next Generation) code base and Key Store Objects appeared, the certificate language remained. |
| + | * [https://stackoverflow.com/questions/59690224/use-rsacng-to-signdata-thats-compatible-with-rsacryptoserviceprovider Steps to follow to get a CAPI key moved to a CNG Key Storage Provider.] | ||
| + | * The best description of the storage locations at Microsoft comes from the Hardware signing team [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores Local Machine and Current User Certificate Stores.] Which also notes that "all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores." | ||
| + | * Note that some user virtual accounts, like the one used for IIS web sites, do not have a "user account" on windows and so cannot store certificates in the "Current User" registry as it does not exist. | ||
| + | *The inherited tool from AD [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil certutil] is the most extensive set of capabilities for manipulating certificates from Microsoft. But its functionality is oriented to Windows AD and so is missing some of the functionality of OpenSSL. | ||
| + | * [https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server Permissions to Support Management Server or Streaming Server] contains a description of the use of WinHttpCertCfg.exe tool. That tool is oriented to device driver signing as, as a result, has its own idiosyncrasies and limitations. | ||
| + | * The documentation of [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores WinHttpCertCfg.exe, a Certificate Configuration Tool] gives the official description of the use of that tool. | ||
{|border="1" padding="2" width="799px" | {|border="1" padding="2" width="799px" | ||
| − | |Physical||Logical store || Description | + | |Physical||Logical store || Description of Contents |
|- | |- | ||
| My ||Personal || certificates associated with a private key controlled by the user or computer. | | My ||Personal || certificates associated with a private key controlled by the user or computer. | ||
| Line 12: | Line 18: | ||
| ?? ||Enterprise Trust || certificate trust lists typically used to trust self-signed certificates from other organizations. | | ?? ||Enterprise Trust || certificate trust lists typically used to trust self-signed certificates from other organizations. | ||
|- | |- | ||
| − | |CA ||Intermediate Certification Authorities | + | |CA ||Intermediate Certification Authorities || certificates issued to subordinate CAs in the certification hierarchy. |
|- | |- | ||
| ?? ||Active Directory User Object || the user object certificate or certificates published in Active Directory. | | ?? ||Active Directory User Object || the user object certificate or certificates published in Active Directory. | ||
| Line 24: | Line 30: | ||
| TrustedPeople ||Trusted People || certificates issued to users or entities that have been explicitly trusted. | | TrustedPeople ||Trusted People || certificates issued to users or entities that have been explicitly trusted. | ||
|- | |- | ||
| − | | ADDRESSBOOK ||Other People || | + | | ADDRESSBOOK ||Other People || certificates issued to users or entities that have been implicitly trusted. |
|- | |- | ||
| REQUEST ||Certificate Enrollment Requests || pending or rejected certificate requests. | | REQUEST ||Certificate Enrollment Requests || pending or rejected certificate requests. | ||
| Line 40: | Line 46: | ||
| SmartCardRoot || Smart Card Trusted Roots || | | SmartCardRoot || Smart Card Trusted Roots || | ||
|- | |- | ||
| − | | SMS || SMS || | + | | SMS || SMS || [https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/ SMS is easy to hijack] and should not be used for security purposes. |
|- | |- | ||
| TrustedAppRoot || Trusted Packaged App Installation Authorities || | | TrustedAppRoot || Trusted Packaged App Installation Authorities || | ||
| Line 62: | Line 68: | ||
==Java== | ==Java== | ||
| + | Android adopted the Java Key Store along with their original use of the Java programming language before it was acquired by Oracle. | ||
| + | |||
==Apple== | ==Apple== | ||
| + | Apple calls this a Keychain. The metaphor is the chain on which one puts physical keys to keep them together. | ||
| + | * [https://discussions.apple.com/thread/4376377 How to clear Safari SSL client certificate cache?] 2014-05-01 I found it by typing part of the domain name into the search box of Keychain, and it shows up a Kind called "Identity Preference". | ||
| + | |||
| + | ==Linux== | ||
| + | Even more chaotic than Windows. Good luck trying to make any sense of all the different varieties. | ||
| + | |||
| + | The open source tool OpenSSL is perhaps the most generally useful tool for converting among the many different formats that have arisen over the years. | ||
| + | |||
==References== | ==References== | ||
| + | |||
| + | [[Category:Security]] | ||
Revision as of 11:12, 23 March 2021
Full Title or Meme
Where Keys, Certificates and Bindings can be found on each Operating system.
Windows
The original Windows CAPI (Crypto API) was built on RSA supplied code by the AD team and treated certificates as the primary objects. Keys were depended from Certificates which were stored in the Windows Registry under either the Local Machine (HKLM) or or Current User (HKCU) branch. While the focus on Keys over Certificates changed with the CNG (Crypto Next Generation) code base and Key Store Objects appeared, the certificate language remained.
- Steps to follow to get a CAPI key moved to a CNG Key Storage Provider.
- The best description of the storage locations at Microsoft comes from the Hardware signing team Local Machine and Current User Certificate Stores. Which also notes that "all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
- Note that some user virtual accounts, like the one used for IIS web sites, do not have a "user account" on windows and so cannot store certificates in the "Current User" registry as it does not exist.
- The inherited tool from AD certutil is the most extensive set of capabilities for manipulating certificates from Microsoft. But its functionality is oriented to Windows AD and so is missing some of the functionality of OpenSSL.
- Permissions to Support Management Server or Streaming Server contains a description of the use of WinHttpCertCfg.exe tool. That tool is oriented to device driver signing as, as a result, has its own idiosyncrasies and limitations.
- The documentation of WinHttpCertCfg.exe, a Certificate Configuration Tool gives the official description of the use of that tool.
| Physical | Logical store | Description of Contents |
| My | Personal | certificates associated with a private key controlled by the user or computer. |
| Root | Trusted Root Certification Authorities | certificates from implicitly trusted certification authorities (CAs). |
| ?? | Enterprise Trust | certificate trust lists typically used to trust self-signed certificates from other organizations. |
| CA | Intermediate Certification Authorities | certificates issued to subordinate CAs in the certification hierarchy. |
| ?? | Active Directory User Object | the user object certificate or certificates published in Active Directory. |
| TrustedPublisher | Trusted Publishers | certificates from trusted CAs. |
| ?? | Untrusted Certificates | certificates that have been explicitly identified as untrusted. |
| Root | Third-Party Root Certification Authorities | trusted root certificates from CAs outside the internal certificate hierarchy. |
| TrustedPeople | Trusted People | certificates issued to users or entities that have been explicitly trusted. |
| ADDRESSBOOK | Other People | certificates issued to users or entities that have been implicitly trusted. |
| REQUEST | Certificate Enrollment Requests | pending or rejected certificate requests. |
| FlightRoot | Preview Build Roots | |
| TestSignRoot | Test Roots | |
| eSIM Certification Authorities | eSIM Certification Authorities | |
| Homegroup Machine Certificates | Homegroup Machine Certificates | |
| Remote Desktop | Remote Desktop | |
| SmartCardRoot | Smart Card Trusted Roots | |
| SMS | SMS | SMS is easy to hijack and should not be used for security purposes. |
| TrustedAppRoot | Trusted Packaged App Installation Authorities | |
| TrustedDevices | Trusted Devices | |
| WebHosting | Web Hosting | |
| WHSKeys | WHSKeys | |
| Windows Live ID Token Issuer | Windows Live ID Token Issuer | |
| Windows Web Management | Windows Web Management | |
| ClientAuthIssuer | N/A | |
| MSIEHistoryJournal | N/A | |
| Trust | N/A |
Java
Android adopted the Java Key Store along with their original use of the Java programming language before it was acquired by Oracle.
Apple
Apple calls this a Keychain. The metaphor is the chain on which one puts physical keys to keep them together.
- How to clear Safari SSL client certificate cache? 2014-05-01 I found it by typing part of the domain name into the search box of Keychain, and it shows up a Kind called "Identity Preference".
Linux
Even more chaotic than Windows. Good luck trying to make any sense of all the different varieties.
The open source tool OpenSSL is perhaps the most generally useful tool for converting among the many different formats that have arisen over the years.
