Share via

Certificate stores

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate stores

Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, store a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location is called the certificate store. A certificate store will often have numerous certificates, possibly issued from a number of a different certification authorities.

Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy. (This is recommended for advanced users only.)

If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store. Additionally, if the private key associated with a certificate is marked as available for export, you can export both into a PKCS #12 file.

Windows can also publish certificates to Active Directory. Publishing a certificate in Active Directory enables all users or computers with adequate permissions to retrieve the certificate as needed.

Certificates can be displayed by purpose or by logical stores, as shown in the following table. Displaying certificates by logical stores is the Certificates default. (Note that the list of certificate purpose stores does not include all the possible purpose stores.)

Display by Folder name Contents

Logical Store


Certificates associated with private keys to which you have access. These are the certificates that have been issued to you, or to the computer or service for which you are managing certificates.

Note to administrators: Computers in a Windows Server 2003 Active Directory domain can have certificates automatically placed in this store through the use of Group Policy-based autoenrollment. For more information, see Automatic certificate request settings.


Trusted Root Certification Authorities

Implicitly trusted certification authorities. Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft.

If you are an administrator and want to add third-party certification authority certificates to this store for all computers in a Windows Server 2003 Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization. For more information, see Trusted root certification authority policy.


Enterprise Trust

A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. For more information about Enterprise trust see Enterprise trust policy.


Intermediate Certification Authorities

Certificates issued to subordinate certification authorities.


Trusted People

Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.


Other People

Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services like Encrypting File System, where certificates are used for creating authorization for decrypting an encrypted file.


Trusted Publishers

Certificates from certification authorities that are trusted by Software Restriction policies.


Disallowed Certificates

These are certificates that you have explicitly decided not to trust using either Software Restriction policy or by clicking "Do not trust this certificate" when the decision is presented to you in mail or a Web browser.


Third-Party Root Certification Authorities

Trusted root certificates from certification authorities other than Microsoft and your organization.


Certificate Enrollment Requests

Pending or rejected certificate requests.


Active Directory User Object

Certificates associated with your user object and published in Active Directory.


Server Authentication

Certificates that server programs use to authenticate themselves to clients.


Client Authentication

Certificates that client programs use to authenticate themselves to servers.


Code Signing

Certificates associated with key pairs used to sign active content.


Secure Email

Certificates associated with key pairs used to sign e-mail messages.


Encrypting File System

Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by Encrypting File System (EFS).


File Recovery

Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by Encrypting File System (EFS).

When you look at the contents of a certificate store in Logical Store mode, you will occasionally see what appears to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under a logical store. When the contents of the physical certificates stores are combined into one logical store view, both instances of the same certificate are displayed.

You can verify this by setting the view option to show the physical certificate stores and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.

For more information, see Generating encryption keys and certificate requests, Importing and exporting certificates, Display certificate stores in Purpose mode, Display certificate stores in Logical Store mode, Display archived certificates, Display certificate stores storage structure