Where are certificate private keys stored in Windows 7?

Using the certmgr.msc utility, I can access the windows cert store, but I still can't figure out where Windows stores the private keys.

For example, for a given certificate, Windows tells me that there is a private key associated with this certificate. But where can I physically find it?

TheByeByeMan

Posted 2016-04-05T08:14:37.790

Reputation: 223

Answers

The keys are stored via Microsoft's Cryptography API: Next Generation (CNG).

Storage locations:

  • User private:
    %APPDATA%\Microsoft\Crypto\Keys
  • Local system private:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys
  • Local service private:
    %WINDIR%\ServiceProfiles\LocalService
  • Network service private:
    %WINDIR%\ServiceProfiles\NetworkService
  • Shared private:
    %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys

Description:

CNG provides a model for private key storage that allows adapting to the current and future demands of creating applications that use cryptography features such as public or private key encryption, as well as the demands of the storage of key material. The key storage router is the central routine in this model and is implemented in Ncrypt.dll. An application accesses the key storage providers (KSPs) on the system through the key storage router, which conceals details, such as key isolation, from both the application and the storage provider itself. The following illustration shows the design and function of the CNG key isolation architecture.
[Illustration: Key Storage Architecture] (Source)

Note:

As noted by Tim G, the keys are not readable at file level because they are encrypted in the process of storing them via the CNG API.

hub

Posted 2016-04-05T08:14:37.790

Reputation: 461

These key locations are correct, but I have one point of emphasis/clarity: Windows Key isolation services obscure the keys, so they are not readable at the user or Administrator level from within the operating system as-is. (They are visible as files in Explorer, but you couldn't dump their true contents in a hex viewer or as ugly ASCII in notepad -- it would still be ugly ASCII, just not the true representation like in Unixoid systems.) – Tim G – 2016-04-05T10:18:10.187

@TimG Can you point me at any documentation which describes that obscuration? (I realize it's a bit late, but I can hope...) – Martin Bonner supports Monica – 2018-08-03T14:07:10.410
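An added example, not from the answer or from Microsoft: a PowerShell function that lists each certificate with a private key in the current user's Personal store, reports whether it is held by a CNG key storage provider or a legacy CSP, and finds the matching container file under the folders named in the answer. It assumes Windows PowerShell 5.1 or newer on Windows; the function name and the legacy CSP folders (...\Crypto\RSA) are my assumptions, not taken from the post.

```powershell
# Map certificates with private keys to their on-disk key container files.
# Hypothetical helper (not part of the original post).
function Get-CertPrivateKeyLocation {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumption: user's Personal store

    # Folders from the answer above (CNG: ...\Crypto\Keys) plus the legacy CSP
    # folders (...\Crypto\RSA\<SID> and MachineKeys). All contents are DPAPI-protected.
    $roots = @(
        (Join-Path $env:APPDATA     'Microsoft\Crypto\Keys'),
        (Join-Path $env:APPDATA     'Microsoft\Crypto\RSA'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
    )

    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_; $container = $null; $provider = 'non-RSA or no handle'
        try {
            # Returns RSACng for CNG-stored keys, RSACryptoServiceProvider for CSP keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $container = $rsa.Key.UniqueName            # file name inside ...\Crypto\Keys
                $provider  = 'CNG: ' + $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                $provider  = 'CSP: ' + $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch { $provider = 'inaccessible: ' + $_.Exception.Message }   # e.g. key isolation / ACL

        # Look the container file up by its unique name; hardware-backed keys have no file.
        $file = $null
        if ($container) {
            $file = $roots | Where-Object { Test-Path $_ } |
                ForEach-Object { Get-ChildItem $_ -Recurse -File -Filter $container -ErrorAction SilentlyContinue } |
                Select-Object -First 1 -ExpandProperty FullName
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            KeyFile    = $file    # $null means TPM/smart-card key or a file outside these roots
        }
    }
}

Get-CertPrivateKeyLocation | Format-Table -AutoSize
```

Opening a reported KeyFile in a hex viewer shows only the DPAPI-encrypted blob, which is the obscuration the comments describe; the usable key material is released only through the CNG/CSP API to a caller with access to the key.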