Windows’ certificate store is (mostly) stored in the registry as outlined here. However, while IE, Chrome, Safari/iTunes, Outlook, etc. use Windows’ certificate store, Firefox and Thunderbird use NSS’ cross-platform certificate store. Opera also uses its own separate certificate store.
If you want to access Windows’ certificate store, then you should use Microsoft’s CryptoAPI. If you want to access the NSS certificate store, then you can use the NSS library.
There isn’t any “folder” of certificates in Windows; it is stored in an internal database (Windows Registry) that you interface using the ways you listed in your original question. The easiest way to get to that database is just to put certmgr.msc in your Start/Run box.
If you are really curious, you can find the actual registry entries under:
HKEY_CURRENT_USER for user-specific certificates and
HKEY_LOCAL_MACHINE for machine-specific certificates. But they will be unreadable binary blobs. It is just better to use the MMC snap-in I listed earlier.
Here is a location summary (registry keys and files):
User level (registry):
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates: Contains settings certificates for the current user.
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates: Like the previous location, but this corresponds to user certificates deployed by a GPO (Group Policy).
HKEY_USERS\SID-User\Software\Microsoft\SystemCertificates: Corresponds to the configuration of certain user certificates. Each user has its own branch in the registry, named by its SID (Security Identifier).
Computer level (registry):
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates: Contains settings certificates for all computer users.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates: Like the previous location, but this corresponds to computer certificates deployed by a GPO.
Service level (registry):
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates: Contains settings certificates for all services on the computer.
Active Directory level (registry):
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates: Certificates issued at Active Directory level.
And there are some folders and files corresponding to the Windows certificate store.
The folders are hidden, and public and private keys are located in different folders.
User certificates (files):
%APPDATA%\Microsoft\SystemCertificates\My\Certificates
%USERPROFILE%\AppData\Roaming\Microsoft\Crypto\RSA\SID
%USERPROFILE%\AppData\Roaming\Microsoft\Credentials
%USERPROFILE%\AppData\Roaming\Microsoft\Protect\SID
Computer certificates (files):
The certificates are stored in the registry at
Personal certificates, or other certificates specific to the logged in user are at
They are stored as binary blobs, so they need to be decoded, and the MMC plugin is a good way to do this.
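As an added example that is not part of any answer on this page: a PowerShell function that decodes one of those registry blobs without going through the MMC snap-in. It assumes the blob layout used by CryptoAPI's serialized store elements, a sequence of records of (property id, reserved DWORD, data length, data) with the DER-encoded certificate stored under property id 32; the registry path is the current-user Personal ("My") store from the location summary above, and each subkey is named by the certificate's SHA-1 thumbprint.

```powershell
# Added example, not from the original answers. Decodes the 'Blob' value stored
# under HKCU\SOFTWARE\Microsoft\SystemCertificates\<Store>\Certificates\<Thumbprint>.
# Assumed layout: repeated records [propId:uint32][reserved:uint32=1][length:uint32][data];
# property id 32 (CERT_CERT_PROP_ID) carries the DER certificate.
function ConvertFrom-CertBlob {
    param([Parameter(Mandatory)][byte[]]$Blob)

    $offset = 0
    $der    = $null
    while ($offset + 12 -le $Blob.Length) {
        $propId   = [BitConverter]::ToUInt32($Blob, $offset)
        $reserved = [BitConverter]::ToUInt32($Blob, $offset + 4)
        $length   = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset  += 12
        # A record that does not fit in the blob means the value is corrupt or not a cert blob
        if ($reserved -ne 1 -or $offset + $length -gt $Blob.Length) {
            throw "Malformed certificate blob at offset $offset"
        }
        if ($propId -eq 32 -and $length -gt 0) {
            $der = [byte[]]$Blob[$offset..($offset + $length - 1)]
        }
        $offset += $length
    }
    if ($null -eq $der) { return $null }   # blob carried properties only, no certificate
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

# Usage: read the current user's Personal store directly from the registry and
# check that each decoded certificate's thumbprint matches its subkey name.
$key = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates'
Get-ChildItem -Path $key | ForEach-Object {
    $blob = (Get-ItemProperty -Path $_.PSPath -Name Blob).Blob
    $cert = ConvertFrom-CertBlob -Blob $blob
    if ($cert) {
        [pscustomobject]@{
            SubkeyName = $_.PSChildName
            Thumbprint = $cert.Thumbprint
            Matches    = ($cert.Thumbprint -eq $_.PSChildName)   # -eq is case-insensitive
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    }
} | Format-Table -AutoSize
```

A subkey whose name does not match the decoded certificate's thumbprint is worth a closer look, since the store normally keys entries by the SHA-1 hash of the certificate it holds.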
Give a chance to PowerShell:
Get-ChildItem Cert:\CurrentUser -Recurse | Format-Table -AutoSize PSPath, FriendlyName, DnsNameList
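Added example, not from the answer above: going one step beyond the one-liner, this maps each certificate in a logical LocalMachine store back to the physical registry key it was loaded from, using the machine, Policies and EnterpriseCertificates keys from the location summary earlier on this page. The AuthRoot key (Microsoft's automatically updated roots) is added as an assumption; it is not in that summary. That is how you tell a root that was added locally from one pushed by GPO or Active Directory.

```powershell
# Added example, not from any answer on this page. Run elevated so every
# LocalMachine store is readable.
function Get-PhysicalStoreSource {
    param(
        # Store names as the Cert: provider uses them: Root = Trusted Root CAs,
        # CA = Intermediate CAs, My = Personal
        [string]$Store = 'Root'
    )
    # Physical registry keys that feed the LocalMachine logical store.
    # Machine/GroupPolicy/Enterprise come from the location summary above;
    # AuthRoot is assumed (Microsoft's auto-update roots).
    $sources = [ordered]@{
        Machine     = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$Store\Certificates"
        GroupPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$Store\Certificates"
        Enterprise  = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\$Store\Certificates"
        AuthRoot    = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
    }

    # Index thumbprint -> list of source names; subkeys are named by SHA-1 thumbprint
    $index = @{}
    foreach ($name in $sources.Keys) {
        $key = $sources[$name]
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $tp = $sub.PSChildName.ToUpperInvariant()
            if (-not $index.ContainsKey($tp)) {
                $index[$tp] = New-Object System.Collections.Generic.List[string]
            }
            $index[$tp].Add($name)
        }
    }

    # Walk the logical store as the Cert: provider presents it and attach the source(s)
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" | ForEach-Object {
        $tp = $_.Thumbprint.ToUpperInvariant()
        [pscustomobject]@{
            Thumbprint = $tp
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            # 'none' = visible in the logical store but in none of the keys checked
            # (for example a smart-card or in-memory physical store)
            Source     = if ($index.ContainsKey($tp)) { $index[$tp] -join ',' } else { 'none' }
        }
    }
}

# Usage: trusted roots that did not come from the plain machine key
Get-PhysicalStoreSource -Store Root |
    Where-Object { $_.Source -ne 'Machine' } |
    Format-Table -AutoSize
```

Comparing this output over time (or against a known-good baseline from a freshly built machine) is a simple way to notice a root that appeared outside the normal GPO or auto-update channels.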
I looked again at the group policy preference I was using. There is an option “Run in logged-on user’s security context (user policy option)” that I enabled and now the registry entry is persisting