Why is there a "Computer\Personal\Certificates" store and also "Current User\Personal\Certificates"

I am comparing the certificates in my local computer and MMC.exe permits me to view the certificates for "Current User" and "Computer".

I don't understand why there would be two "personal" stores. Can someone explain why there are two, and how they interact?

It would be nice to know why those other folders are there too. The only one that I think has a fixed meaning is "Trusted Root Certificates". The other constant is that Fiddler also seems to put its certificates into "Current User \ Personal".


For example, FedUtil will only use certificates located in the following location (web.config):

        <serviceCertificate findValue="6CB9aaaaa636EBF52980152CDCB02D3BBBBBBBBB" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
makerofthings7 asked Apr 15 '11 02:04

1 Answer

Some situations call for a need to verify the local machine separately from the user using certificates issued by a domain CA.

An example I've seen is for VPN authentication, where a certificate is issued to the machine (to verify that machine is allowed to connect to the VPN), and a certificate is issued to the user (to verify that the person trying to connect to the VPN is the same as the user currently logged in to the local machine). Both of these certs were stored in the Computer\Personal and Current User\Personal locations respectively.

The only way then to access the VPN is to have a domain joined machine (to have the machine cert issued by the domain CA) which a domain user has logged on to while connected to the domain network (to have the user cert issued by the domain CA).

The particular situation I'm referring to let the user access and install the VPN even if they weren't currently logged on to the domain (so they could get the VPN from home or away from the office in general). They just needed to type in a web address and verify themselves using their domain credentials; the VPN software and connection details were then set up, allowing the user remote access to the business network resources without the need for ICT support.

To answer how they interact: certs in the Computer\Personal location apply to all users that access the machine, whereas certs in Current User\Personal only apply to the current user (kind of obvious, but this is the distinction as I understand it). In my example the certs work together to give off-domain authentication for machine and user.

Marushiru answered Sep 23 '22 06:09
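As an added example (not code from the question or the answer above), the following PowerShell script looks up a thumbprint in both "Personal" (`My`) stores through the same .NET `X509Store` API that a `<serviceCertificate storeLocation="..." storeName="My" x509FindType="FindByThumbprint">` entry is resolved against, so you can see which of the two stores actually holds the certificate before blaming the config. It assumes PowerShell 5 or later and uses the thumbprint from the question's web.config as its input.

```powershell
# Added example: report where a thumbprint lives (LocalMachine\My vs CurrentUser\My),
# plus the two properties that most often make a found cert unusable by a service:
# an expired NotAfter date and a missing private key.
using namespace System.Security.Cryptography.X509Certificates

function Find-PersonalCert {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # Normalise: strip spaces/colons that copy-paste from MMC often leaves behind.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    foreach ($loc in [StoreLocation]::LocalMachine, [StoreLocation]::CurrentUser) {
        $store = [X509Store]::new([StoreName]::My, $loc)   # "Personal" in the MMC tree
        try {
            $store.Open([OpenFlags]::ReadOnly)
            # validOnly = $false: expired or untrusted certs are still listed, which is
            # what you want when diagnosing "certificate not found" errors.
            $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $clean, $false)
            foreach ($cert in $found) {
                [pscustomobject]@{
                    StoreLocation = $loc.ToString()
                    StoreName     = 'My'
                    Subject       = $cert.Subject
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    Thumbprint    = $cert.Thumbprint
                }
            }
        } finally {
            $store.Close()
        }
    }
}

# Thumbprint value taken from the question's web.config; replace with your own.
$results = @(Find-PersonalCert -Thumbprint '6CB9aaaaa636EBF52980152CDCB02D3BBBBBBBBB')

if (-not $results) {
    'Not present in LocalMachine\My or CurrentUser\My.'
} elseif (-not ($results | Where-Object StoreLocation -eq 'LocalMachine')) {
    'Found only in CurrentUser\My: a web.config entry with storeLocation="LocalMachine" will not see it.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt if you also want to confirm that the LocalMachine copy carries a private key, since the service identity (not the logged-in user) is what needs access to it.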