Using Certificates with Windows

After I have spend several parts of this series discussing the theory of certificates, certificate authorities, certificate requests and file formats, this article focusses on Windows and how it handles certificates. I will also present several pitfalls that can make your life miserable when working with certificates and what tools are available by Microsoft.

Windows Certificates Stores

Instead of organizing private keys and certificate in files, Windows uses certificate stores to save certificates. There is a machine-wide store as well as a personal store for each user and service account. When working with certificates, Windows provides a cumulative view of the system-wide store and the personal store so that sytem-wide certificates can be maintained in a single place by Microsoft via Windows Update while personal certificates are stored separately from other users.

Each store is divided into logical storage categories to separate certificates of different types. The most common logical storage categories are the following:

Certificate stores can be accessed using the MMC snapin called „Certficates“ or by launching „CertMgr.msc“. The latter only displays the certificate store for the currently logged on user where as the MMC snapin allows for alls stores to be browsed and modified.

More information about the location of the certificate stores.


As working with certificates is a rather complex business, I have compiled a list of common issues:


The following list of tools offers an overview of the different methods for working with certificates that I am aware of:

The End

This concludes my series about certificates. If you have any further questions, let me know through comments or a direct message. There is a lot more to certificates than I have covered in these five articles. A good starter to dive deeper is my (somewhat dated) Practical Introduction to Public Key Infrastructures (PKI).

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.