Difference between revisions of "Key Store"

From MgmtWiki
Jump to: navigation, search
(Windows)
(Windows)
Line 5: Line 5:
 
* [https://stackoverflow.com/questions/59690224/use-rsacng-to-signdata-thats-compatible-with-rsacryptoserviceprovider Steps to follow to get a CAPI key moved to a CNG Key Storage Provider.]
 
* [https://stackoverflow.com/questions/59690224/use-rsacng-to-signdata-thats-compatible-with-rsacryptoserviceprovider Steps to follow to get a CAPI key moved to a CNG Key Storage Provider.]
 
* The best description of the storage locations at Microsoft comes from the Hardware signing team [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores Local Machine and Current User Certificate Stores.] Which also notes that "all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
 
* The best description of the storage locations at Microsoft comes from the Hardware signing team [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores Local Machine and Current User Certificate Stores.] Which also notes that "all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
 +
* Note that some user virtual accounts, like the one used for IIS web sites do not have a "user account" on windows and so cannot store certificates in the "Current User" registry as it does not exist.
 
*The inherited tool from AD [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil certutil] is the most extensive set of capabilities for manipulating certificates from Microsoft.
 
*The inherited tool from AD [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil certutil] is the most extensive set of capabilities for manipulating certificates from Microsoft.
 
* [https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server Permissions to Support Management Server or Streaming Server] contains a description of the use of WinHttpCertCfg.exe tool.
 
* [https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server Permissions to Support Management Server or Streaming Server] contains a description of the use of WinHttpCertCfg.exe tool.

Revision as of 08:00, 31 July 2020

Full Title or Meme

Where Keys, Certificates and Bindings can be found on each Operating system.

Windows

The original Windows CAPI (Crypto API) was built on RSA supplied code by the AD team and treated certificates as the primary objects. Keys were depended from Certificates which were stored in the Windows Registry under either the Local Machine (HKLM) or or Current User (HKCU) branch. While the focus on Keys over Certificates changed with the CNG (Crypto Next Generation) code base and Key Store Objects appeared, the certificate language remained.

Physical Logical store Description of Contents
My Personal certificates associated with a private key controlled by the user or computer.
Root Trusted Root Certification Authorities certificates from implicitly trusted certification authorities (CAs).
 ?? Enterprise Trust certificate trust lists typically used to trust self-signed certificates from other organizations.
CA Intermediate Certification Authorities certificates issued to subordinate CAs in the certification hierarchy.
 ?? Active Directory User Object the user object certificate or certificates published in Active Directory.
TrustedPublisher Trusted Publishers certificates from trusted CAs.
 ?? Untrusted Certificates certificates that have been explicitly identified as untrusted.
Root Third-Party Root Certification Authorities trusted root certificates from CAs outside the internal certificate hierarchy.
TrustedPeople Trusted People certificates issued to users or entities that have been explicitly trusted.
ADDRESSBOOK Other People certificates issued to users or entities that have been implicitly trusted.
REQUEST Certificate Enrollment Requests pending or rejected certificate requests.
FlightRoot Preview Build Roots
TestSignRoot Test Roots
eSIM Certification Authorities eSIM Certification Authorities
Homegroup Machine Certificates Homegroup Machine Certificates
Remote Desktop Remote Desktop
SmartCardRoot Smart Card Trusted Roots
SMS SMS
TrustedAppRoot Trusted Packaged App Installation Authorities
TrustedDevices Trusted Devices
WebHosting Web Hosting
WHSKeys WHSKeys
Windows Live ID Token Issuer Windows Live ID Token Issuer
Windows Web Management Windows Web Management
ClientAuthIssuer N/A
MSIEHistoryJournal N/A
Trust N/A

Java

Android adopted the Java Key Store along with their original use of the Java programming language before it was acquired by Oracle.

Apple

Linux

Even more chaotic than Windows. Good luck trying to made any sense of all the different varieties.

The open source tool OpenSSL is perhaps the most generally useful tool for converting among the many different formats that have arisen over the years.

References