George2

Reputation: 45761

Where is the private key?

Two simple questions about the makecert command:

Suppose I am using the following command:

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

Will the private key be automatically registered somewhere in the certificate manager, or will the private key just be in the file root.pvk?

Suppose I am using the following command:

makecert -r -pe -n "CN=XYZ Company" -ss my

After executing this command, where is the private key stored (since I did not specify the -pe option, the private key is not embedded in the certificate, but where is it)?

Upvotes: 1

Views: 6575

Answers (1)

sipsorcery

Reputation: 30699

Even without the -pe (enable private key export) the private key should still be stored in the certificate store you have specified. In your example that store is the LocalMachine physical store and the TrustedRoot logical store. You can check by opening up mmc (start->run->mmc), adding the Certificates snap-in, and selecting "Computer Account" as the store.

An even simpler test is:

makecert -sk myKey -n "CN=test" -ss my -pe

Then start->run->certmgr.msc (which opens the certificate manager for the local user store) and check the Personal certificate store. In there you should have a certificate called test with a private key attached.

You can then right-click the certificate and export it to a .pfx file to get a single file that has the certificate AND the private key embedded.

Edit: The -pe option stands for private key exportable. If -pe is used you will have the option of exporting the key from certmgr with the private key. If you don't use -pe then you will not get the option of exporting the private key (my comment below should say "without -pe" not "with -pe").

Upvotes: 3
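
The same check can be done from PowerShell instead of the MMC snap-in; this is an added example, not part of the original answer. It assumes Windows PowerShell 5.1 and keys held by a legacy CryptoAPI provider, and the function name Get-PrivateKeyLocation is hypothetical.

```powershell
# Added example: report whether certificates created by the makecert commands on
# this page have a private key in the store, whether it is exportable, and which
# key container file on disk holds it.
$subjects = 'CN=test', 'CN=XYZ Company', 'CN=PowerShell Local Certificate Root'
$stores   = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\Root'

function Get-PrivateKeyLocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # false: only the public certificate is in the store
        Container     = $null
        MachineKey    = $null
        Exportable    = $null
        KeyFile       = $null
    }
    if ($Cert.HasPrivateKey) {
        try {
            # Assumption: the key is a CryptoAPI (CSP) key, so CspKeyContainerInfo is available.
            $csp = $Cert.PrivateKey.CspKeyContainerInfo
            $info.Container  = $csp.KeyContainerName
            $info.MachineKey = $csp.MachineKeyStore
            $info.Exportable = $csp.Exportable   # reflects whether the key was marked exportable
            # Standard locations of CSP RSA key containers on disk.
            $dir = if ($csp.MachineKeyStore) {
                Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
            } else {
                $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
                Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
            }
            $info.KeyFile = Join-Path $dir $csp.UniqueKeyContainerName
        } catch {
            # CNG keys or insufficient permissions on the container end up here.
            $info.Container = "unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$info
}

foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $subjects -contains $_.Subject } |
        ForEach-Object { Get-PrivateKeyLocation -Cert $_ } |
        Format-List
}
```

A certificate listed with HasPrivateKey false has no key attached in that store, so any private key for it exists only wherever it was written at creation time.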
