Display Certificate Stores
Applies To: Windows Server 2008
Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy. (This is recommended for advanced users only.)
If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store. Additionally, if the private key associated with a certificate is marked as available for export, you can export both into a PKCS #12 file.
Windows can also publish certificates to Active Directory. Publishing a certificate in Active Directory enables all users or computers with adequate permissions to retrieve the certificate as needed.
Certificate stores
Certificates can be displayed by purpose or by logical stores, as shown in the following table. Displaying certificates by logical stores is the Certificates default.
Note
The list of certificate purpose stores does not include all the possible purpose stores.
Display by | Folder name | Contents |
---|---|---|
Logical Store |
Personal |
Certificates associated with private keys to which you have access. These are the certificates that have been issued to you or to the computer or service for which you are managing certificates. Note to administrators: Computers in a Windows Server 2003 Active Directory domain can have certificates automatically placed in this store through the use of Group Policy-based autoenrollment. For more information, see "Automatic certificate request settings." |
|
Trusted Root Certification Authorities |
Implicitly trusted certification authorities. Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft. If you are an administrator and want to add third-party certification authority certificates to this store for all computers in a Windows Server 2003 Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization. For more information, see "Trusted root certification authority policy." |
|
Enterprise Trust |
A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. For more information about Enterprise trust see "Enterprise trust policy." |
|
Intermediate Certification Authorities |
Certificates issued to subordinate certification authorities. If you are an administrator, you can use Group Policy to distribute certificates to the Intermediate Certification Authorities store. |
|
Trusted People |
Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted People store. |
|
Other People |
Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services like Encrypting File System, where certificates are used for creating authorization for decrypting an encrypted file. |
|
Trusted Publishers |
Certificates from certification authorities that are trusted by Software Restriction policies. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted Publishers store. |
|
Disallowed Certificates |
These are certificates that you have explicitly decided not to trust using either Software Restriction policy or by clicking "Do not trust this certificate" when the decision is presented to you in mail or a Web browser. If you are a domain administrator, you can use Group Policy to distribute certificates to the Disallowed Certificates store. |
|
Third-Party Root Certification Authorities |
Trusted root certificates from certification authorities other than Microsoft and your organization. You cannot use Group Policy to distribute certificates to the Third-Party Root Certification Authorities store. |
|
Certificate Enrollment Requests |
Pending or rejected certificate requests. |
|
Active Directory User Object |
Certificates associated with your user object and published in Active Directory. |
Purpose |
Server Authentication |
Certificates that server programs use to authenticate themselves to clients. |
|
Client Authentication |
Certificates that client programs use to authenticate themselves to servers. |
|
Code Signing |
Certificates associated with key pairs used to sign active content. |
|
Secure E-mail |
Certificates associated with key pairs used to sign e-mail messages. |
|
Encrypting File System |
Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by Encrypting File System (EFS). |
|
File Recovery |
Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by Encrypting File System (EFS). |
When you look at the contents of a certificate store in Logical Store mode, you will occasionally see what appear to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under a logical store. When the contents of the physical certificate stores are combined into one logical store view, both instances of the same certificate are displayed.
You can verify this by setting View Options to show the Physical certificate stores and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.
Additional references