A Windows public key infrastructure (PKI) saves certificates on the server that hosts the certification authority (CA) and on the local computer or device. CA storage is typically referred to as the certificate database, and local storage is known as the certificate store.
When you add Certificate Services on a Windows server and configure a CA, a certificate database is created. By default, the database is contained in the %SystemRoot%\System32\Certlog folder, and the name is based on the CA name with an .edb extension. The database can contain:
- Issued certificates
- Revoked certificates
- Archived private keys
- Certificate requests
You cannot use the Certificate Enrollment API to manipulate the database. The enrollment process automatically creates the necessary entries.
Microsoft Certificate Services copies issued certificates and pending or rejected requests to local computers and devices. The storage location is called the certificate store and consists of the following logical stores.
| Store name | Description |
|---|---|
| Personal | Contains certificates associated with a private key controlled by the user or computer. |
| Trusted Root Certification Authorities | Contains certificates from implicitly trusted certification authorities (CAs). |
| Enterprise Trust | Contains certificate trust lists typically used to trust self-signed certificates from other organizations. |
| Intermediate Certification Authorities | Contains certificates issued to subordinate CAs in the certification hierarchy. |
| Active Directory User Object | Contains the user object certificate or certificates published in Active Directory. |
| Trusted Publishers | Contains certificates from trusted CAs. |
| Untrusted Certificates | Contains certificates that have been explicitly identified as untrusted. |
| Third-Party Root Certification Authorities | Contains trusted root certificates from CAs outside the internal certificate hierarchy. |
| Trusted People | Contains certificates issued to users or entities that have been explicitly trusted. |
| Other People | Contains certificates issued to users or entities that have been implicitly trusted. |
| Certificate Enrollment Requests | Contains pending or rejected certificate requests. |
You cannot use the Certificate Enrollment API to specify or retrieve store properties or copy certificates to specific stores.
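Because the Certificate Enrollment API does not expose the stores, an administrator inventories them through the `Cert:` PowerShell drive instead. The following script is an added example, not part of the original page; it assumes the MMC display names above map to the system store names used under `Cert:\` (My, Root, Trust, CA, UserDS, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople, AddressBook, REQUEST), counts the contents of each logical store, and flags Personal certificates whose private key is about to expire or is no longer present.

```powershell
# Added example (not from the original page): inventory the logical certificate
# stores for one store location and surface entries a defender should review.
# Assumption: the MMC display names map to these system store names under Cert:\.
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Location = 'LocalMachine',
    [int]$ExpiryWarningDays = 30
)

$storeNames = [ordered]@{
    'Personal'                                   = 'My'
    'Trusted Root Certification Authorities'     = 'Root'
    'Enterprise Trust'                           = 'Trust'
    'Intermediate Certification Authorities'     = 'CA'
    'Active Directory User Object'               = 'UserDS'
    'Trusted Publishers'                         = 'TrustedPublisher'
    'Untrusted Certificates'                     = 'Disallowed'
    'Third-Party Root Certification Authorities' = 'AuthRoot'
    'Trusted People'                             = 'TrustedPeople'
    'Other People'                               = 'AddressBook'
    'Certificate Enrollment Requests'            = 'REQUEST'
}

foreach ($display in $storeNames.Keys) {
    $path  = "Cert:\$Location\$($storeNames[$display])"
    # A store that does not exist in this location (e.g. UserDS under LocalMachine) is skipped.
    $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
    Write-Host ("{0,-45} {1,4} certificate(s)" -f $display, @($certs).Count)
}

# Personal certificates with a private key that expire within the warning window.
$cutoff = (Get-Date).AddDays($ExpiryWarningDays)
Get-ChildItem "Cert:\$Location\My" |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -lt $cutoff } |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# Personal certificates whose private key is no longer accessible cannot be used
# for authentication or signing; list them so they can be re-enrolled or removed.
Get-ChildItem "Cert:\$Location\My" |
    Where-Object { -not $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# Requests left behind by enrollments that were never completed or were rejected.
Get-ChildItem "Cert:\$Location\REQUEST" -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotBefore |
    Format-Table -AutoSize
```

Run it in an elevated session to read the LocalMachine stores; pass `-Location CurrentUser` to inventory the stores of the logged-on user instead.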