When adding certificates, stls, ctls and crls to the system, I can choose the certificate store.
I have found only references to the "my" and "root" stores so far.
Are there any other?
asked Dec 2, 2010 at 19:52
-
What is "stls", "ctls" and "crls" (in this context)?– Peter MortensenCommented Feb 22, 2017 at 17:45
-
a short brief article michev.info/blog/post/1435/windows-certificate-stores– Sergey PonomarevCommented Jun 26, 2023 at 6:46
Add a comment
|
2 Answers
There are three types of certificate stores in Windows.
- User Account store
- Service Account store
- Local Computer store
Each of the three stores contain a number of folders which certificates go into
- Personal (can be known as My when using scripts to add certs)
- Trusted Root Certification Authority (can be known as Root)
- Enterprise Trust
- Intermediate Certification Authority
- Active Directory User Object
- Trusted Publishers
- Untrusted Certificates
- Third Party Root Certification Authorities
- Trusted People
These can be seen if you open up an mmc.exe with the Certificates snapin.
Depending on what the certificate is meant to be doing you have to work out where it would go.
Most of the time on the servers we support we use the Computer Account store (as its accessible by all users on a Computer) and put certificates in the Personal store. Some times you might need to add in the signing authority public key certs into the Root and Intermediate Root CAs.
-
Where the STL (Silent Trusted Root Authority) go? Which store and folder? Commented Dec 16, 2010 at 15:37
-
I guess "my" is an alias to the current user account store, and "root" is na alias to the machine store, right? Commented Dec 16, 2010 at 15:38
-
Not quite...each of the stores has a Personal folder (in some of the scripts I've messed with they've been referenced like this CU\My (Current User) or LM\My (Local Machine) ).– daedCommented Dec 16, 2010 at 19:45
-
As for your Silent Trusted Root Authority, I've not heard of that term before....– daedCommented Dec 16, 2010 at 19:45
-
2In Windows 7 they introduced another standard store named "Other People" (internally known as AddressBook) which contain certificates from people that send you Signed emails/documents... The problem is that this store must be manually added to systems running older versions of Windows (Windows Server 2008 R2, for instance) do that apps that rely on it can work properly.– MonomanCommented Mar 30, 2012 at 11:45
Certificate store names are as follows (source):
- AddressBook: Certificate store for other people and resources.
- AuthRoot: Certificate store for third-party certification authorities (CAs).
- CertificationAuthority: Certificate store for intermediate certification authorities (CAs).
- Disallowed: Certificate store for certificates that have been revoked so they aren't forgotten.
- My: Certificate store for your personal certificates that you use and is where most custom certificates.
- Root: Certificate store for certificate authorities (CA) that you trust.
- TrustedPeople: Certificate store for other people and resources that you trust.
- TrustedPublisher: Certificate store for application publishers that you trust.
