Windows: Certificate locations

Hi,

The Windows Certificates MMC snap-in lets you view and edit most of the certificate stores Windows uses (except the enterprise store). But where the certificates are physically stored is not really transparent.

Here is a list of where those certificates physically reside.

Certificates located in the Registry

| Context  | Registry Path                                              | Description                                                                                              |
|----------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|
| User     | HKCU\SOFTWARE\Microsoft\SystemCertificates                 | Physical store for user-specific public keys                                                             |
| User     | HKCU\SOFTWARE\Policies\Microsoft\SystemCertificates        | Physical store for user-specific public keys installed by Active Directory (AD) Group Policy Objects (GPOs) |
| Computer | HKLM\SOFTWARE\Microsoft\SystemCertificates                 | Physical store for machine-wide public keys                                                              |
| Computer | HKLM\SOFTWARE\Microsoft\Cryptography\Services              | Physical store for keys associated with a specific service                                               |
| Computer | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates        | Physical store for machine-wide public keys installed by GPOs                                            |
| Computer | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates             | Physical store for machine-wide public keys installed by the Enterprise PKI containers within an AD domain |

Certificates located in the Filesystem

| Context  | Filepath                                   | Description                                                                     |
|----------|--------------------------------------------|---------------------------------------------------------------------------------|
| User     | %APPDATA%\Microsoft\SystemCertificates     | Physical store for user-specific public keys and pointers to private keys       |
| User     | %APPDATA%\Microsoft\Crypto                 | Physical store for user-specific private key containers                         |
| Computer | %ProgramData%\Microsoft\Crypto             | Physical store for machine-wide private key containers                          |

The certificates can be managed through the PowerShell Cert: PSDrive provider.

User certificates

PS D:\> cd Cert:\CurrentUser\my
PS Cert:\CurrentUser\my\> Get-Item *

Computer certificates

PS D:\> cd Cert:\LocalMachine\my
PS Cert:\LocalMachine\my\> Get-Item *
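The filesystem table above says where private key containers live, but the Cert: drive does not tell you which file belongs to which certificate. The following script is an added example (not code from the original post): for every certificate in a Cert: store that reports a private key, it resolves the key's unique container name through the .NET RSA extension methods, locates the matching file under %ProgramData%\Microsoft\Crypto or %APPDATA%\Microsoft\Crypto, and lists the identities allowed on that file, which is the check you want when verifying that a server key is readable only by SYSTEM, Administrators and the intended service account. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later, handles RSA keys only (CNG and legacy CAPI containers), and skips keys that are not file-backed, such as TPM- or smart-card-held keys. The function name Get-PrivateKeyFile is my own.

```powershell
# Added example, not from the original post. Maps certificates with a private
# key to the key container file on disk and shows who may access it.
# Assumes Windows PowerShell 5.1 / .NET 4.6+; RSA keys only.

function Get-PrivateKeyFile {
    [CmdletBinding()]
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$Location = 'LocalMachine',
        [string]$StoreName = 'My'
    )
    # Key containers are files named after the key's unique name under one of
    # these roots (machine or user context; CNG "Keys" and CAPI "RSA" folders).
    $keyRoots = if ($Location -eq 'LocalMachine') {
        @("$env:ProgramData\Microsoft\Crypto")
    } else {
        @("$env:APPDATA\Microsoft\Crypto")
    }

    foreach ($cert in Get-ChildItem -Path "Cert:\$Location\$StoreName") {
        if (-not $cert.HasPrivateKey) { continue }
        $rsa = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            Write-Warning "$($cert.Thumbprint): private key not accessible ($_)"
            continue
        }
        if (-not $rsa) {
            Write-Warning "$($cert.Thumbprint): not an RSA key, skipped"
            continue
        }
        # CNG keys expose CngKey.UniqueName; CAPI keys expose UniqueKeyContainerName.
        $uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
        if (-not $uniqueName) {
            Write-Warning "$($cert.Thumbprint): key is not file-backed (e.g. TPM or smart card provider)"
            continue
        }
        $file = Get-ChildItem -Path $keyRoots -Recurse -Filter $uniqueName -File -ErrorAction SilentlyContinue |
            Select-Object -First 1
        # Collect every identity with an Allow entry on the container file.
        $readers = if ($file) {
            (Get-Acl -Path $file.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $rsa.GetType().Name
            KeyFile    = if ($file) { $file.FullName } else { '<not found>' }
            AllowedTo  = ($readers -join '; ')
        }
    }
}

# Usage: machine certificates in My with the ACL of each key file. Any entry
# beyond SYSTEM, Administrators or the owning service account deserves a look.
Get-PrivateKeyFile -Location LocalMachine -StoreName My | Format-List
```

Reading LocalMachine key containers requires an elevated session; for CurrentUser the script only sees the calling user's own containers, which is exactly the %APPDATA% split the table describes.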

The enterprise store is not reachable through the Cert: drive in PowerShell.
An example of reading all certificates from the enterprise NTAuth store directly from the registry:

PS D:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\* -Name Blob |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_.Blob) }

Or with certutil

D:\> certutil -store -enterprise ntauth
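The NTAuth one-liner above generalizes to every registry-backed store in the first table. The script below is an added example (not code from the original post) that walks all of those roots, decodes each serialized Blob value into an X509Certificate2 and reports which context and store every certificate lives in. That covers the GPO-pushed and Enterprise stores the Cert: drive does not expose, which is what you need when auditing a machine for trusted roots or NTAuth CAs that nobody remembers installing. It assumes Windows PowerShell 5.1 or later with rights to read HKLM; the function name Get-PhysicalStoreCertificate and the hashtable of roots are my own, the paths are the ones from the table.

```powershell
# Added example, not from the original post. Enumerates the registry-backed
# certificate stores listed above and decodes every Blob value.
# Assumes Windows PowerShell 5.1+ with read access to HKLM and HKCU.

# Registry roots from the table above, keyed by the context they belong to.
$storeRoots = @{
    'User'           = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates'
    'User (GPO)'     = 'HKCU:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    'Computer'       = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
    'Computer (GPO)' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    'Enterprise'     = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates'
}

function Get-PhysicalStoreCertificate {
    [CmdletBinding()]
    param(
        # Restrict to one logical store name (Root, CA, My, NTAuth, ...); default: all.
        [string]$StoreName = '*'
    )
    foreach ($context in $storeRoots.Keys) {
        $root = $storeRoots[$context]
        if (-not (Test-Path -Path $root)) { continue }
        # Layout: <root>\<StoreName>\Certificates\<SHA1 thumbprint>, with a Blob value
        foreach ($store in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            if ($store.PSChildName -notlike $StoreName) { continue }
            $certPath = Join-Path -Path $store.PSPath -ChildPath 'Certificates'
            if (-not (Test-Path -Path $certPath)) { continue }
            foreach ($key in Get-ChildItem -Path $certPath -ErrorAction SilentlyContinue) {
                $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
                if (-not $blob) { continue }
                try {
                    # The Blob is a serialized certificate (property records plus DER);
                    # the X509Certificate2 byte[] constructor accepts that format.
                    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
                } catch {
                    Write-Warning "Undecodable blob at $($key.Name): $_"
                    continue
                }
                [pscustomobject]@{
                    Context     = $context
                    Store       = $store.PSChildName
                    Subject     = $cert.Subject
                    Issuer      = $cert.Issuer
                    NotAfter    = $cert.NotAfter
                    Thumbprint  = $cert.Thumbprint
                    # The key name is expected to equal the SHA1 thumbprint; a
                    # mismatch means the entry was not written the normal way.
                    KeyMatches  = ($key.PSChildName -ieq $cert.Thumbprint)
                    RegistryKey = $key.Name
                }
            }
        }
    }
}

# Usage: the Enterprise NTAuth store, then every trusted root across all
# physical locations, sorted so the same CA appearing twice stands out.
Get-PhysicalStoreCertificate -StoreName NTAuth | Format-Table Context, Subject, NotAfter, Thumbprint
Get-PhysicalStoreCertificate -StoreName Root | Sort-Object Thumbprint | Format-Table Context, Store, Subject, Thumbprint, KeyMatches
```

Comparing the Root output with `Get-ChildItem Cert:\LocalMachine\Root` shows which entries come from GPO or Enterprise locations rather than the local machine store, and the NotAfter column makes expired roots that are still present easy to spot.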

To get a list of further PowerShell cmdlets for certificate management:

PS D:\> get-command -Module pki

Michael
