Windows Certificates - where is private key located?

Question

In Windows 10:

When I load a certficate into the "Current User" store, it puts a private key file here:

C:\Users\[userID-A]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-xxx\pkfileqreflr8029r...

When I load a certficate into the "Local Machine" store using a different UserID-B, I don't see this path at all:

C:\Users\[userID-B]\AppData\Roaming\Microsoft\Crypto ... there is no \Crypto folder created.

Does anyone know where the private key is stored when a pfx file is used to import a cert into the Local Machine store? Thanks.

Esa Jokinen · Accepted Answer · 2020-07-10T16:06:58.613

5

The locations are listed in Microsoft Docs on Key Storage and Retrieval.

For Local system private the locations are:

The Microsoft legacy CryptoAPI CSPs store private keys in:

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18\
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\S-1-5-18\

CNG stores private keys in:

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys

In practice they are by default under C:\ProgramData\Microsoft\Crypto\ on Windows 10.

edited Jul 10 '20 at 16:06

answered Jul 10 '20 at 14:03

Esa Jokinen

Thanks. For me, %ALLUSERSPROFILE% maps to c:\ProgramData. The full path looks a little different but gets me to the correct area: c:\ProgramData\Microsoft\Crypto\RSA\... – nanonerd Jul 10 '20 at 14:18

1 Answers1