X509Store Location versus Store?
I am using the X509Store in C# DotNet to traverse the certificate stores. However, I am not clear on what the difference is between a certificate location and a certificate store. For example, the locations are LocalUser and LocalMachine. Examples of Stores are My (Personal) and Root. What is the difference between the Personal store on LocalMachine versus the Personal store on LocalUser? What does it even mean to have a Personal store on LocalMachine?
There are a few purposed stores (C# name in bold, UI display name in parenthetical italics):

There are a couple more standard ones; you can read about them at TechNet. You can also create your own certificate store using the X509Store(string, StoreLocation) overload. (It's sometimes useful for managing applications, but the certificate manager UI gets a bit confused when you have private keys in a custom store; it expects them only in the My store.)
So that's StoreName. StoreLocation is perhaps better thought of as "store owner". A standard user could decide that they trust certificates issued by some private CA, so they could add it to their Root store. Since it's their store it won't affect any other users on the system. The system itself also owns stores. For example, the TLS certificate for the computer really belongs to "the computer", and multiple administrators may be involved with managing it. Since it's pretty unusual to search through your friend's stuff, the StoreLocation comes down to "me, as a user" (CurrentUser) or "this computer" (LocalMachine) for which store to use.
Things get slightly murky now: on Windows almost every CurrentUser store (with the notable exception of the My store) exposes a view into the equivalent LocalMachine store. So when you enumerate the certificates in CurrentUser\Root you're getting both the certificates explicitly added to CurrentUser\Root and also the certificates explicitly added to LocalMachine\Root. This can cause confusion, since you can see a certificate when enumerating, call Remove with it as an argument, and it's still there when enumerating again.
In my experience, most interactions with cert stores are to the My store. At which point the decision tree comes down to something like this:
new X509Store(StoreName.My, StoreLocation.CurrentUser)
new X509Store(StoreName.My, StoreLocation.LocalMachine)
new X509Store(StoreName.My, StoreLocation.CurrentUser)
But that's a big generalization.
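The "view into LocalMachine" behaviour the answer describes is easy to trip over in code. The following is an added example, not code from the answer above, that makes the ownership visible: it enumerates a store name at both locations and, for every certificate seen through CurrentUser, reports whether the same thumbprint is physically present in the LocalMachine store (the assumption being that a thumbprint seen in both is the machine-owned copy showing through the user view). It also shows a removal that targets the owning store and verifies the result against that store rather than the merged view. Windows-only behaviour is assumed; the Root store and the command-line thumbprint are just the inputs chosen for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer). On Windows, CurrentUser\Root also
// shows the contents of LocalMachine\Root, so a certificate seen while enumerating
// CurrentUser\Root may actually be owned by the machine store.
static class StoreOwnership
{
    // Thumbprints physically present in one (StoreName, StoreLocation) store.
    static HashSet<string> Thumbprints(StoreName name, StoreLocation location)
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
                set.Add(cert.Thumbprint);
        }
        finally { store.Close(); }
        return set;
    }

    // For each certificate visible through CurrentUser\<name>, report the likely owner.
    static void ReportOwners(StoreName name)
    {
        HashSet<string> machine = Thumbprints(name, StoreLocation.LocalMachine);
        var store = new X509Store(name, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // Assumption: a thumbprint also present in LocalMachine is the
                // machine-owned copy showing through the user view.
                string owner = machine.Contains(cert.Thumbprint) ? "LocalMachine" : "CurrentUser";
                Console.WriteLine($"{cert.Thumbprint}  {owner,-12}  {cert.Subject}");
            }
        }
        finally { store.Close(); }
    }

    // Remove a certificate from the store that owns it. Calling Remove through the
    // CurrentUser view leaves a machine-owned certificate in place, and opening a
    // LocalMachine store for writing needs administrative rights, so that failure
    // is reported instead of being mistaken for a successful removal.
    static bool RemoveFromOwner(StoreName name, string thumbprint)
    {
        bool inMachine = Thumbprints(name, StoreLocation.LocalMachine).Contains(thumbprint);
        StoreLocation location = inMachine ? StoreLocation.LocalMachine : StoreLocation.CurrentUser;
        var store = new X509Store(name, location);
        try
        {
            store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine($"cannot open {location}\\{name} for writing: {ex.Message}");
            return false;
        }
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) return false;
            store.Remove(found[0]);
            // Re-query the owning store, not the merged CurrentUser view, to confirm.
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count == 0;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        ReportOwners(StoreName.Root);
        // Optional: pass a thumbprint to remove it from whichever store owns it.
        if (args.Length == 1)
            Console.WriteLine(RemoveFromOwner(StoreName.Root, args[0]) ? "removed" : "not removed");
    }
}
```

If a certificate was explicitly added to both CurrentUser\Root and LocalMachine\Root, one call removes only the machine copy; enumerate again to see the user copy and remove it with a second call.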
The personal store for LocalMachine contains machine certificates. An example of a certificate that lives in such a store is an SSL certificate that is used by IIS to protect HTTP traffic. There is only one such store on the machine.

The personal store for LocalUser contains user certificates. An example of such a certificate is an S/MIME certificate used to sign email messages. Each user has his/her own store of this type.
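To put the two personal stores to their stated uses, an application should look in the location that matches the certificate's purpose rather than scanning both. The following is an added example, not code from the answer above: it looks for a machine TLS certificate in LocalMachine\My by the Server Authentication EKU and for a user S/MIME certificate in CurrentUser\My by the Secure Email EKU, requires a private key in both cases, and prefers the longest-lived valid match. The host name and e-mail address are placeholders, and matching the address against the subject name assumes the issuer put it there (many S/MIME certificates carry it only in the Subject Alternative Name).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer): select a certificate from the
// personal store whose owner matches the certificate's purpose.
static class PurposeLookup
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";      // id-kp-serverAuth
    const string EmailProtectionOid = "1.3.6.1.5.5.7.3.4"; // id-kp-emailProtection

    // Returns the longest-lived valid certificate in <location>\My that carries
    // the given EKU, matches the subject-name fragment, and has a private key.
    static X509Certificate2 FindUsable(StoreLocation location, string ekuOid, string subjectContains)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly: true drops expired certificates and those whose chain does not verify.
            X509Certificate2Collection byEku =
                store.Certificates.Find(X509FindType.FindByApplicationPolicy, ekuOid, validOnly: true);
            X509Certificate2Collection bySubject =
                byEku.Find(X509FindType.FindBySubjectName, subjectContains, validOnly: true);

            X509Certificate2 best = null;
            foreach (X509Certificate2 cert in bySubject)
            {
                // Without a private key the certificate can neither serve TLS nor sign mail.
                if (!cert.HasPrivateKey) continue;
                if (best == null || cert.NotAfter > best.NotAfter) best = cert;
            }
            return best;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Placeholder identities; replace with the real host name and mailbox.
        X509Certificate2 tls = FindUsable(StoreLocation.LocalMachine, ServerAuthOid, "www.example.com");
        Console.WriteLine(tls == null
            ? "no usable machine TLS certificate in LocalMachine\\My"
            : $"TLS: {tls.Subject} ({tls.Thumbprint}), expires {tls.NotAfter:u}");

        X509Certificate2 smime = FindUsable(StoreLocation.CurrentUser, EmailProtectionOid, "alice@example.com");
        Console.WriteLine(smime == null
            ? "no usable S/MIME certificate in CurrentUser\\My"
            : $"S/MIME: {smime.Subject} ({smime.Thumbprint}), expires {smime.NotAfter:u}");
    }
}
```

Reading LocalMachine\My does not require administrative rights, but the private key of a machine certificate is only usable by accounts that have been granted access to it, so a TLS match found here may still fail at handshake time if the service account lacks that permission.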