What are the Windows system certificate stores?

31

6

When adding certificates, stls, ctls and crls to the system, I can choose the certificate store.

I have found only references to the "my" and "root" stores so far.

Are there any other?

Jader Dias

Posted 2010-12-02T19:52:34.220

Reputation: 13 660

What is "stls", "ctls" and "crls" (in this context)? – Peter Mortensen – 2017-02-22T17:45:56.583

Answers

38

There are three types of certificate stores in Windows.

  1. User Account store
  2. Service Account store
  3. Local Computer store

Each of the three stores contains a number of folders which certificates go into:

  • Personal (can be known as My when using scripts to add certs)
  • Trusted Root Certification Authority (can be known as Root)
  • Enterprise Trust
  • Intermediate Certification Authority
  • Active Directory User Object
  • Trusted Publishers
  • Untrusted Certificates
  • Third Party Root Certification Authorities
  • Trusted People

These can be seen if you open up an mmc.exe with the Certificates snapin.

Depending on what the certificate is meant to be doing you have to work out where it would go.

Most of the time on the servers we support we use the Computer Account store (as it's accessible by all users on a Computer) and put certificates in the Personal store. Sometimes you might need to add in the signing authority public key certs into the Root and Intermediate Root CAs.

daed

Posted 2010-12-02T19:52:34.220

Reputation: 521

Where the STL (Silent Trusted Root Authority) go? Which store and folder? – Jader Dias – 2010-12-16T15:37:10.343

I guess "my" is an alias to the current user account store, and "root" is an alias to the machine store, right? – Jader Dias – 2010-12-16T15:38:26.160

Not quite...each of the stores has a Personal folder (in some of the scripts I've messed with they've been referenced like this CU\My (Current User) or LM\My (Local Machine) ). – daed – 2010-12-16T19:45:16.867

As for your Silent Trusted Root Authority, I've not heard of that term before.... – daed – 2010-12-16T19:45:43.760

In Windows 7 they introduced another standard store named "Other People" (internally known as AddressBook) which contain certificates from people that send you Signed emails/documents... The problem is that this store must be manually added to systems running older versions of Windows (Windows Server 2008 R2, for instance) so that apps that rely on it can work properly. – Monoman – 2012-03-30T11:45:38.333

24

Certificate store names are as follows (source):

  • AddressBook: Certificate store for other people and resources.
  • AuthRoot: Certificate store for third-party certification authorities (CAs).
  • CertificationAuthority: Certificate store for intermediate certification authorities (CAs).
  • Disallowed: Certificate store for certificates that have been revoked so they aren't forgotten.
  • My: Certificate store for your personal certificates that you use and is where most custom certificates.
  • Root: Certificate store for certificate authorities (CA) that you trust.
  • TrustedPeople: Certificate store for other people and resources that you trust.
  • TrustedPublisher: Certificate store for application publishers that you trust.

harrymc

Posted 2010-12-02T19:52:34.220

Reputation: 306 093
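An added example (not from either answer above) that ties daed's MMC folder names to harrymc's script-level store names: it enumerates the physical stores under each location through the built-in Cert: drive, prints the folder-to-alias mapping, and then audits the machine-wide trust-anchor stores for self-signed roots that are not on a known-good thumbprint baseline. The $baselineThumbprints value is a constructed placeholder; the Cert: drive is assumed to be available (Windows PowerShell or PowerShell 7 on Windows).

```powershell
# 1. Physical store names under each location (My, Root, AuthRoot, CA, ...).
#    This answers "are there any other?" for the machine you run it on.
foreach ($location in 'CurrentUser', 'LocalMachine') {
    Get-ChildItem -Path "Cert:\$location" |
        Select-Object @{ n = 'Location'; e = { $location } }, Name
}

# 2. MMC snap-in folder name -> name used in scripts and the Cert: drive.
#    Note the intermediate CA folder is the store literally named "CA".
$storeAliases = @{
    'Personal'                                   = 'My'
    'Trusted Root Certification Authorities'     = 'Root'
    'Third-Party Root Certification Authorities' = 'AuthRoot'
    'Intermediate Certification Authorities'     = 'CA'
    'Trusted People'                             = 'TrustedPeople'
    'Trusted Publishers'                         = 'TrustedPublisher'
    'Untrusted Certificates'                     = 'Disallowed'
    'Other People'                               = 'AddressBook'
}
$storeAliases.GetEnumerator() | Sort-Object Value | Format-Table -AutoSize

# 3. Audit the machine-wide trust anchors. Anything self-signed in
#    LocalMachine\Root or LocalMachine\AuthRoot is trusted by every user
#    and service on the box, so unexpected entries should be investigated.
$baselineThumbprints = @(
    '0000000000000000000000000000000000000000'   # constructed placeholder
)
$trustStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
Get-ChildItem -Path $trustStores |
    Where-Object {
        $_.Subject -eq $_.Issuer -and
        $_.Thumbprint -notin $baselineThumbprints
    } |
    Select-Object PSParentPath, Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Replace the placeholder thumbprint with the SHA-1 thumbprints of the roots your organisation actually expects; step 3 then prints only the roots added out of band.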