What are the benefits of Windows Certificate Store?

I just bought a code-signing certificate for the first time. I'm successfully signing my code from script/command line using

signtool sign /f <pfx file> /p <password> <exe file>

I noticed that signtool also has a /a option that will "choose the best certificate", which I believe uses any certificates imported into the Windows Certificate Store to select from.

If I double-click my cert, it opens the Certificate Import Wizard.

What are the pros/cons of using the Certificate Store? In particular for an individual developer.

It looks like with the certificate store I do not need to provide the password for each call. I guess that means the certificate store is linked to my user and uses my login credentials to validate use of the certs?

Thanks, Brett

Brett Stottlemyer asked Sep 04 '10 15:09
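The question asks whether signing from the store really avoids the PFX password and what `/a` does. The PowerShell script below is an added example, not code from the original post: it assumes `signtool.exe` is on `PATH`, that the code-signing certificate has already been imported into the user's personal store (`Cert:\CurrentUser\My`), and that `$ExePath` is the file to sign. Instead of `/a` (which lets signtool pick "the best" certificate silently), it filters the store for certificates that actually have a private key, are unexpired and carry the Code Signing EKU, then pins the chosen one by thumbprint with `/sha1`, so no PFX file or password is involved.

```powershell
param([Parameter(Mandatory)][string]$ExePath)

# OID of the Code Signing enhanced key usage (id-kp-codeSigning).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# Enumerate the user's personal store and keep only certificates that are
# usable for signing: private key present, not expired, Code Signing EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid)
}

if (-not $candidates) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My'
}

# Show what is eligible so a wrong or stale certificate is noticed before use.
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Prefer the certificate with the latest expiry if more than one matches.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Signing with $($cert.Subject) ($($cert.Thumbprint))"

# /sha1 selects the certificate from the store by thumbprint, so no PFX path or
# password is passed on the command line; the private key never leaves the store.
# /fd SHA256 sets the file digest algorithm for the signature.
& signtool.exe sign /sha1 $cert.Thumbprint /fd SHA256 $ExePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Verify the result against the default Authenticode policy (/pa) and print the chain (/v).
& signtool.exe verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed with exit code $LASTEXITCODE"
}
```

Run it as `.\sign-from-store.ps1 -ExePath .\MyApp.exe` (script name assumed). Pinning by thumbprint is the safer habit once a second certificate (a renewal, a test cert) lands in the same store, because `/a` gives no indication of which one it picked.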


People also ask

What is the Windows certificate store?

On a computer that has the Windows operating system installed, the operating system stores a certificate locally on the computer in a storage location called the certificate store. A certificate store often has numerous certificates, possibly issued from a number of different certification authorities (CAs).

What are Windows certificates used for?

The primary function of a certificate is to authenticate the identity of the owner of the certificate to others. A certificate contains the public key of the owner, while the owner retains the private key. The public key can be used to encrypt messages sent to the owner of the certificate.

How does a certificate store work?

Certificates in a certificate store are normally kept in some kind of permanent storage such as a disk file or the system registry. Certificate stores can also be created and opened strictly in memory. A memory store provides temporary certificate storage for working with certificates that do not need to be kept.

Where are certificates stored on Windows?

The local machine certificate store is located in the registry under the HKEY_LOCAL_MACHINE root. The current user certificate store is local to a user account on the computer and is located in the registry under the HKEY_CURRENT_USER root.


2 Answers

I'm adding this answer because I'm concerned some people may be led down the wrong path by the previous answer. You have to be careful with how you handle your certificates. You should also be very careful of how you handle your private keys (i.e. don't leave them in files in the file system).

Here is what the Windows Certificate Store provides:

  • APIs for managing certificates: See Support Certificates In Your Applications With The .NET Framework 2.0 http://msdn.microsoft.com/en-us/magazine/cc163454.aspx
  • UI for useful tasks like renewing a certificate
  • User access control through ACLs (yes you can do this through the file system too but the store allows you to easily grant access by installing to an account's local store)
  • Enterprise features, for example, storing certificates in a roaming profile
  • Single location for all certificates
  • Support for tying a private key to a certificate and allowing or not allowing export of the key

I encourage you to do your own research and make an informed decision.

Ed Greaves answered Oct 02 '22 07:10
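Two of the points in this answer (a private key tied to its certificate with export allowed or not, and per-account stores versus the machine store) are easy to see in practice. The PowerShell script below is an added example, not code from the answer or from Microsoft: it assumes a PFX at `$PfxPath` with password `$PfxPassword`. It imports the PFX into `Cert:\CurrentUser\My` without `-Exportable`, which marks the private key non-exportable, lists the per-user (HKCU) and machine-wide (HKLM) personal stores, and then shows that an export attempt of the imported certificate's private key is refused by the store.

```powershell
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [Parameter(Mandatory)][SecureString]$PfxPassword
)

# Import into the current user's personal store. Without -Exportable the
# private key is stored non-exportable: the store will use it to sign but
# will not hand it back out as a PFX.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password $PfxPassword

"Imported: $($imported.Subject)  thumbprint $($imported.Thumbprint)"
"Private key present in store: $($imported.HasPrivateKey)"

# The two physical stores the page contrasts: per-user (HKCU) and machine-wide (HKLM).
# LocalMachine\My is readable by everyone but needs elevation to change.
foreach ($location in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    "--- $location ---"
    Get-ChildItem $location |
        Format-Table Thumbprint, Subject, HasPrivateKey, NotAfter -AutoSize
}

# Show that the key cannot leave the store: exporting a certificate whose key was
# imported non-exportable fails. $outPath should never actually be created.
$outPath = Join-Path $env:TEMP 'should-not-exist.pfx'
try {
    Export-PfxCertificate -Cert $imported -FilePath $outPath `
        -Password $PfxPassword -ErrorAction Stop | Out-Null
    Write-Warning "Private key was exportable; re-import without -Exportable and remove $outPath"
} catch {
    "Export refused as expected: $($_.Exception.Message)"
}
```

Run it as `.\import-nonexportable.ps1 -PfxPath .\cert.pfx -PfxPassword (Read-Host -AsSecureString)` (script name assumed). Once the key is in the store as non-exportable, the original PFX file and its password can be kept offline, which addresses the answer's warning about leaving private keys lying around in the file system.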


As far as I am concerned, there really isn't any clear benefit to using the Windows Certificate Store aside from having it organized in a streamlined manner in a database (the registry).

In some cases (e.g. export) it is more convenient to work with the store.

If you are interested in learning more about the inner workings of the certificate store, check the following:

http://msdn.microsoft.com/en-us/library/aa386971%28VS.85%29.aspx

http://technet.microsoft.com/en-us/library/cc962104.aspx

Android Eve answered Oct 02 '22 07:10