Windows certificate store or container

What are the individual certificate stores or containers for?

Depending on the Windows version in use (client or server), the available stores differ somewhat. These stores are also referred to as the Logical Personal Store Layer.

In addition there is the Physical Store Layer, which separates the stores for users, computers and services.

Own Certificates (Personal Store)
The certificates for the computer or the user are stored in this store.

Trusted Root Certification Authorities
The root certification authorities that the client trusts reside in this store. A certificate chain must always be able to be built up to a trusted root certification authority.

Organization Trust (Enterprise Trust)
Trusted organizations or companies can add root certification authorities to this store. In contrast to certificates that chain to a trusted root certification authority, the purposes for which these certificates may be used can be restricted by the certification authority, thereby "restricting" the trust granted.

Intermediate CAs
Certificates from intermediate certification authorities are stored in this store. An intermediate certification authority is a certification authority that is not configured as a root certification authority (root CA). The contents of this store can also be populated via group policy.

Trusted Publishers
Certificates from certification authorities that are to be trusted via software restriction policies can be stored in this store. The entries can also be managed via group policy.

Untrusted Certificates
Certificates that are explicitly not to be trusted are stored in this store. Compromised certificates can also be placed here. This store can also be managed via group policy.

Third-Party Root Certification Authorities
Non-Microsoft root certification authorities are stored in this store. This store cannot be managed via group policy.

Trusted People
This store holds certificates (e.g. of applications) that are trusted even if the issuing certification authority is unknown or the revocation list cannot be retrieved. This store can also be managed via group policy.

Client Authentication Issuers
Client certificates are stored in this store when a TLS connection to a target is to be established. If this store is not used, a trusted root certification authority is checked instead.

Pre-Release Roots (FlightRoot)
This store contains certificates from Microsoft certification authorities that can be used by Windows pre-release versions. These certificates are not automatically classified as trusted.

Remote Desktop
This store holds certificates that are to be used on the system as server certificates for Remote Desktop connections.

Certificate Enrollment Requests
Pending and rejected certificate requests are stored in this store. For the pending requests, the certification authority has not yet returned a signature (issued certificate).

Local Certificates for Shielded VMs
Signing and encryption certificates for shielded VMs are stored in this store.

Trusted Devices
Certificates that control access to protected documents or applications can be stored in this store.

Smart Card Trusted Roots
Smart card certificates from external certification authorities can also be stored in this store.

Web Hosting
Certificates that IIS accesses are stored in this store. The web server can use certificates from the Personal store (Own Certificates) or from the Web Hosting store.

The following are the names of the common stores (containers) as needed to access them from scripts.

A separate article shows how to access one of these stores.

# Machine stores
Name: AuthRoot
Name: CA
Name: ClientAuthIssuer
Name: Disallowed
Name: FlightRoot
Name: Local NonRemovable Certificates
Name: My
Name: Remote Desktop
Name: REQUEST
Name: Root
Name: SmartCardRoot
Name: Trust
Name: TrustedDevices
Name: TrustedPeople
Name: TrustedPublisher
Name: Windows Live ID Token Issuer

# User stores
Name: ACRS
Name: AuthRoot
Name: CA
Name: ClientAuthIssuer
Name: Disallowed
Name: My
Name: REQUEST
Name: Root
Name: SmartCardRoot
Name: Trust
Name: TrustedPeople
Name: TrustedPublisher
Name: UserDS
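As an added example (not from the original article), the following PowerShell script uses the machine store names listed above through the Cert: drive to audit the root stores: it reports any trusted root that also appears in the Untrusted (Disallowed) store and lists the roots in Root that were not delivered by the Microsoft-maintained AuthRoot set. Only the store names from the list above are assumed; the script is read-only.

```powershell
# Added example, not part of the original article: a read-only audit of the
# machine-wide Trusted Root (Root), Third-Party Root (AuthRoot) and Untrusted
# (Disallowed) stores through the Cert: PSDrive. Run in an elevated PowerShell.

function Get-MachineStoreCerts {
    param([Parameter(Mandatory)][string]$StoreName)
    $path = "Cert:\LocalMachine\$StoreName"
    # Not every store exists on every Windows edition (see the list above).
    if (-not (Test-Path -Path $path)) { return @() }
    return @(Get-ChildItem -Path $path)
}

$root       = Get-MachineStoreCerts -StoreName 'Root'
$authRoot   = Get-MachineStoreCerts -StoreName 'AuthRoot'
$disallowed = Get-MachineStoreCerts -StoreName 'Disallowed'

"Root: $($root.Count)  AuthRoot: $($authRoot.Count)  Disallowed: $($disallowed.Count)"

# 1. An entry in Disallowed is explicitly untrusted, so the same thumbprint
#    turning up in a root store is a conflict worth investigating.
$blocked = @($disallowed | ForEach-Object Thumbprint)
foreach ($cert in ($root + $authRoot)) {
    if ($blocked -contains $cert.Thumbprint) {
        Write-Warning "Trusted root is also in Disallowed: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}

# 2. Roots in 'Root' that are not part of the Microsoft-maintained AuthRoot set
#    got there locally: Windows' own roots, an enterprise PKI, group policy, an
#    installer, or something unwanted. Review each entry; expiry is listed
#    because stale roots tend to linger.
$authRootPrints = @($authRoot | ForEach-Object Thumbprint)
$root |
    Where-Object { $authRootPrints -notcontains $_.Thumbprint } |
    Select-Object Subject, Issuer,
                  @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
                  NotAfter, Thumbprint |
    Sort-Object -Property NotAfter |
    Format-Table -AutoSize
```

The same functions work for the user stores by replacing `LocalMachine` with `CurrentUser` in the path.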
