So, I was curious where exactly certificates and their corresponding private keys are stored on a Windows machine. Did a bit of research, and the picture is somewhat clear, however there is a lot of info on the topic and some points don’t seem to correspond to the actual situation on my Windows 8 machine.
Let’s start by the basics, the Certificates MMC console, easily launched by certmgr.msc. It gives us the first hint where certificates are stored, by allowing us to view the Physical certificate stores:
As you can see, there are several stores: the Registry, the Local Computer (hard drive), Smart Card. There are also some not shown in the picture: the Enterprise store, the Group Policy store, the Third-Party store. When using a AD CA, there are also some containers under the Configuration partition, but let’s ignore those.
If we actually go to MMC and add the certificates snap-in,we have some more choices for the account.They correspond to a normal user account, service account or the computer account. So all of those stores listed above have their corresponding location for each account. Let’s start with the Registry store:
HKEY_Current_User\Software\Microsoft\SystemCertificates contains registry settings for the current user. Those can include the BLOB (Binary Large object) and various settings for the certificate, as well as settings related to the CA certificates that support the user certificates.
HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates contains the same info, but for certificates distributed via Group Policy.
HKEY_Users\User SID\Software\Microsoft\SystemCertificates contains this info for the corresponding user
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates contains this info for the corresponding service account
HKEY_Local_Machine\Software\Microsoft\SystemCertificates contain the info for the computer account
HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates contains the same, but for GP distributed certificates for the computer account
HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates contains info about the AD published certificates
More info about the above can be found in these articles on MSDNand TechNet.
Now, some stuff is actually stored on the local hard drive. Under file:\%APPDATA%\Microsoft\SystemCertificates\MyCertificates you will find all your personal certificates. Looking at the picture above and all the info I’ve seen over the internet, those should be stored in the registry. Well, at least on my Windows 8 machine this is NOT the case, and all the certificates that are listed under Personal in certmgr.msc can be found in this folder. The corresponding private keys are in C:\Users\XXXX\AppData\Roaming\Microsoft\Crypto\RSA\S-I-D. Other directories worth noting are the C:\Users\XXXX\AppData\Roaming\Microsoft\Credentials one and the C:\Users\XXXX\AppData\Roaming\Microsoft\Protect\S-I-D one.
For the computer account, certificates are indeed stored in the registry, in the keys detailed above. The corresponding private keys are stored encrypted in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and similarly for the others.
You can use some other tools to work with the certificate stores. The certutil tool has some uses, for example you can view all the personal certificates for the current user with:
certutil -user -viewstore My
If you simply want to dump all the information in the console, you can use:
certutil -user -store My
To do the same for the computer account, simply drop the ‘-user’ parameter:
certutil -store My or certutil -viewstore My
A lot more options are available, feel free to explore more here.
For the PowerShell lovers, the Cert: drive can provide most of the needed information. Here are some uses:
PS C:> cd Cert:; dirLocation : CurrentUserStoreNames : {SmartCardRoot, Root, Trust, AuthRoot...}Location : LocalMachineStoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}To list all the certificates in the ‘Personal’ store for the current user, use:
PS Cert:> dir Cert:CurrentUserMyDirectory: Microsoft.PowerShell.SecurityCertificate::CurrentUserMyThumbprint Subject---------- -------A7620E9F2EA346FF002AECA5EEBE364892E70D74 CN=6DB6031A-EB7C-4DD8-8CD6-D238A787B8F8978C8DDEF435A171EC32F9A3D5890301A8D3BFC9 CN=vasil.michev@hp.com7B5159CEDAF7DDA18090BBC78CA607213235823F E=vasil.michev@hp.com, CN=Vasil Lyubenov Michev, OU=VPN-WEB-H, O=Hewlett-Packard Company3DE9DFBBC381470A9234FF06D8109A8E74140655 CN=vasil@michev.info249BA6C5CA7DC641A07287EA2B2AA9B361A4C56E CN=Vasil
To get all the details for a particular certificate, you can use:
PS Cert:> dir Cert:CurrentUserMy106796B4130A9AE14BF38C7CE553353204613796 | fl *
And there is of course much morethat you can do with PowerShell, make sure to check out this article.
Thereare unfortunately some discrepancies between the store names in different tools, so you need to be careful. I’m too lazy to make a good table for all the relevant ones, but a sample is available for example here.
