Full Title or Meme
Where Keys, Certificates and Bindings can be found on each Operating system.
The original Windows CAPI (Crypto API) was built on RSA supplied code by the AD team and treated certificates as the primary objects. Keys were depended from Certificates which were stored in the Windows Registry under either the Local Machine (HKLM) or or Current User (HKCU) branch. While the focus on Keys over Certificates changed with the CNG (Crypto Next Generation) code base and Key Store Objects appeared, the certificate language remained.
- The best description of the storage locations at Microsoft comes from the Hardware signing team Local Machine and Current User Certificate Stores. Which also notes that "all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
- The inherited tool from AD certutil is the most extensive set of capabilities for manipulating certificates.
- Permissions to Support Management Server or Streaming Server contains a description of the use of WinHttpCertCfg.exe tool.
- WinHttpCertCfg.exe, a Certificate Configuration Tool give the official description of the use of that tool.
|Physical||Logical store||Description of Contents|
|My||Personal||certificates associated with a private key controlled by the user or computer.|
|Root||Trusted Root Certification Authorities||certificates from implicitly trusted certification authorities (CAs).|
|??||Enterprise Trust||certificate trust lists typically used to trust self-signed certificates from other organizations.|
|CA||Intermediate Certification Authorities||certificates issued to subordinate CAs in the certification hierarchy.|
|??||Active Directory User Object||the user object certificate or certificates published in Active Directory.|
|TrustedPublisher||Trusted Publishers||certificates from trusted CAs.|
|??||Untrusted Certificates||certificates that have been explicitly identified as untrusted.|
|Root||Third-Party Root Certification Authorities||trusted root certificates from CAs outside the internal certificate hierarchy.|
|TrustedPeople||Trusted People||certificates issued to users or entities that have been explicitly trusted.|
|ADDRESSBOOK||Other People||certificates issued to users or entities that have been implicitly trusted.|
|REQUEST||Certificate Enrollment Requests||pending or rejected certificate requests.|
|FlightRoot||Preview Build Roots|
|eSIM Certification Authorities||eSIM Certification Authorities|
|Homegroup Machine Certificates||Homegroup Machine Certificates|
|Remote Desktop||Remote Desktop|
|SmartCardRoot||Smart Card Trusted Roots|
|TrustedAppRoot||Trusted Packaged App Installation Authorities|
|Windows Live ID Token Issuer||Windows Live ID Token Issuer|
|Windows Web Management||Windows Web Management|