Reputation: 2502
X509Store Location versus Store?
I am using the X509Store in C# DotNet to traverse the certificate stores. However, I am not clear on what the difference is between a certificate location and a certificate store. For example, the locations are LocalUser and LocalMachine. Examples of Stores are My (Personal) and Root. What is the difference between the Personal store on LocalMachine versus Personal store on LocalUser? What does it even mean to have a Personal store on LocalMachine?
Upvotes: 2
Views: 3926
Answers (2)
Reputation: 33108
There are a few purposed stores (C# name in bold, UI display name in parenthetical italics):
- My (Personal): when searching for a leaf/end-entity certificate this store is usually what gets searched. This is usually the only store that has certificates with associated private keys.
- If you browse to a site using client authentication certificates IE will choose candidate certs from the My store. (Forward reference: The location for this is CurrentUser)
- When configuring IIS from a GUI it will show certificates from the My store. (Forward reference: The location for this is LocalMachine)
- Root (Trusted Root Certificate Authorities): When doing a chained-trust decision, such as in TLS, if the other end of the chain is represented in this store then the original cert is trusted.
- In addition to the certs explicitly in this store it exposes a virtual view over AuthRoot.
- AuthRoot (Third-Party Root Certification Authorities): When registering an additional trusted root you "should" do it in the 3rd party store, for... reasons? While the LocalMachine one seems to work fine, the CurrentUser one seems to mostly be for show.
- CertificateAuthority (Intermediate Certificate Authorities, known as "CA" to the underlying system): This is a repository of known intermediate certificates. When doing a chain build the system will look for a parent here, then in Root, then maybe over the Internet. If the chain was trustworthy then the certs in the middle of the chain may be cached here for future lookups.
- Disallowed (Untrusted Certificates): If a part of a certificate chain is found in this store, the chain is considered untrustworthy.
- AddressBook (Other People): A collection of certificate that you know about. Yep, about that specific. It gets searched by some programs/libraries when trying to match a peer certificate. For example, a find-by-issuer-and-serial-number notice in SignedXml.
There are a couple more standard ones, you can read about them at TechNet. You can also create your own certificate store using the X509Store(string, StoreLocation) overload. (It's sometimes useful for managing applications, but the certificate manager UI gets a bit confused when you have private keys in a custom store; it expects them only in the My store).
So that's StoreName. StoreLocation is perhaps better thought of as "store owner". A standard user could decide that they trust certificates issued by some private CA, so they could add it to their Root store. Since it's their store it won't affect any other users on the system. The system itself also owns stores. For example, the TLS certificate for the computer really belongs to "the computer", and multiple administrators may be involved with managing it. Since it's pretty unusual to search through your friend's stuff, the StoreLocation comes down to "me, as a user" (CurrentUser) or "this computer" (LocalMachine) for which store to use.
Things get slightly murky now: On Windows almost every CurrentUser store (with a notable exception of the My store) exposes a view into the LocalMachine equivalent store. So when you enumerate the certificates in CurrentUser\Root you're getting both the certificates explicitly added to CurrentUser\Root and also the certificates explicitly added to LocalMachine\Root. This can cause confusion since you can see a certificate when enumerating, call Remove with it as an argument, and it's still there when enumerating again.
In my experience, most interactions with cert stores are to the My store. At which point the decision tree comes down to something like this:
- Am I a service with a dedicated user account?
new X509Store(StoreName.My, StoreLocation.CurrentUser)
- Am I service without a dedicated user account?
new X509Store(StoreName.My, StoreLocation.LocalMachine)
- Else
new X509Store(StoreName.My, StoreLocation.CurrentUser)
But that's a big generalization.
Upvotes: 8
Reputation: 27861
The personal store for LocalMachine contains machine certificates. An example of a certificate that lives in such store is a SSL certificate that is used by IIS to protect HTTP traffic. There is only one such store on the machine.
The personal store for LocalUser contains user certificates. An example of such certificate is an S/MIME certificate used to sign email messages. Each user has his/her own store of this type.
Upvotes: 1
Related Questions
- Which X509 StoreName refers to the certificates stored beneath Trusted Root Certification Authorities in Windows10
- What is the rationale for all the different X509KeyStorageFlags?
- Adding a Certificate to x509Store doesn't do anything C#
- How to find in store the certificate I need?
- Add an X509 certificate to a store in code
- correct certificate store for a x509 pfx file
- Can't find cert in local store
- Which store to use when installing an x509 certificate
- Access x509 certificates in windows service certificate stores with C#
- what is the difference between X509_STORE and X509_STORE_CTX .?