
X509Store Location versus Store?

I am using the X509Store in C# DotNet to traverse the certificate stores. However, I am not clear on what the difference is between a certificate location and a certificate store. For example, the locations are LocalUser and LocalMachine. Examples of Stores are My (Personal) and Root. What is the difference between the Personal store on LocalMachine versus Personal store on LocalUser? What does it even mean to have a Personal store on LocalMachine?

There are a few purposed stores (C# name in bold, UI display name in parenthetical italics):

  • My (Personal): when searching for a leaf/end-entity certificate this store is usually what gets searched. This is usually the only store that has certificates with associated private keys.
    • If you browse to a site using client authentication certificates, IE will choose candidate certs from the My store. (Forward reference: the location for this is CurrentUser.)
    • When configuring IIS from a GUI it will show certificates from the My store. (Forward reference: the location for this is LocalMachine.)
  • Root (Trusted Root Certificate Authorities): when doing a chained-trust decision, such as in TLS, if the other end of the chain is represented in this store then the original cert is trusted.
    • In addition to the certs explicitly in this store, it exposes a virtual view over AuthRoot.
  • AuthRoot (Third-Party Root Certification Authorities): when registering an additional trusted root you "should" do it in the 3rd party store, for... reasons? While the LocalMachine one seems to work fine, the CurrentUser one seems to mostly be for show.
  • CertificateAuthority (Intermediate Certificate Authorities, known as "CA" to the underlying system): this is a repository of known intermediate certificates. When doing a chain build the system will look for a parent here, then in Root, then maybe over the Internet. If the chain was trustworthy then the certs in the middle of the chain may be cached here for future lookups.
  • Disallowed (Untrusted Certificates): if a part of a certificate chain is found in this store, the chain is considered untrustworthy.
  • AddressBook (Other People): a collection of certificates that you know about. Yep, about that specific. It gets searched by some programs/libraries when trying to match a peer certificate. For example, a find-by-issuer-and-serial-number notice in SignedXml.

There are a couple more standard ones; you can read about them at TechNet. You can also create your own certificate store using the X509Store(string, StoreLocation) overload. (It's sometimes useful for managing applications, but the certificate manager UI gets a bit confused when you have private keys in a custom store; it expects them only in the My store.)

So that's StoreName. StoreLocation is perhaps better thought of as "store owner". A standard user could decide that they trust certificates issued by some private CA, so they could add it to their Root store. Since it's their store it won't affect any other users on the system. The system itself also owns stores. For example, the TLS certificate for the computer really belongs to "the computer", and multiple administrators may be involved with managing it. Since it's pretty unusual to search through your friend's stuff, the StoreLocation comes down to "me, as a user" (CurrentUser) or "this computer" (LocalMachine) for which store to use.

Things get slightly murky now: on Windows almost every CurrentUser store (with the notable exception of the My store) exposes a view into the LocalMachine equivalent store. So when you enumerate the certificates in CurrentUser\Root you're getting both the certificates explicitly added to CurrentUser\Root and also the certificates explicitly added to LocalMachine\Root. This can cause confusion since you can see a certificate when enumerating, call Remove with it as an argument, and it's still there when enumerating again.

In my experience, most interactions with cert stores are with the My store. At which point the decision tree comes down to something like this:

  • Am I a service with a dedicated user account?
    • new X509Store(StoreName.My, StoreLocation.CurrentUser)
  • Am I a service without a dedicated user account?
    • new X509Store(StoreName.My, StoreLocation.LocalMachine)
  • Else
    • new X509Store(StoreName.My, StoreLocation.CurrentUser)

But that's a big generalization.
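
The merged CurrentUser\Root view and the "Remove does nothing" confusion described in this answer, as an added example that is not part of the answer above. It is ordinary X509Store code with no assumed APIs: it enumerates both Root stores read-only, reports how many of the roots visible to the current user actually come from LocalMachine\Root, and, given a thumbprint on the command line, says which store a Remove would have to target. Windows only; `using var` needs C# 8 / .NET Core 3.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class RootStoreView
{
    // Thumbprints of everything visible when enumerating the given store.
    // For CurrentUser\Root this includes the LocalMachine\Root entries too.
    static HashSet<string> Thumbprints(StoreName name, StoreLocation location)
    {
        using var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (X509Certificate2 cert in store.Certificates)
            set.Add(cert.Thumbprint);
        return set;
    }

    // Explains why a Remove on CurrentUser\Root may appear to do nothing:
    // if LocalMachine\Root also holds the cert, the merged view keeps showing it.
    static string WhereToRemove(string thumbprint)
    {
        bool inUserView = Thumbprints(StoreName.Root, StoreLocation.CurrentUser).Contains(thumbprint);
        bool inMachine  = Thumbprints(StoreName.Root, StoreLocation.LocalMachine).Contains(thumbprint);

        if (!inUserView)
            return "not trusted as a root for this user";
        if (inMachine)
            return "present in LocalMachine\\Root: removing it from CurrentUser\\Root " +
                   "will not make it disappear; remove it from LocalMachine\\Root (needs admin)";
        return "only in CurrentUser\\Root: Remove on that store is sufficient";
    }

    static void Main(string[] args)
    {
        var userView = Thumbprints(StoreName.Root, StoreLocation.CurrentUser);
        var machine  = Thumbprints(StoreName.Root, StoreLocation.LocalMachine);

        // Roots in the user view that the machine store also has are the
        // inherited ones; the remainder were added by this user. (A root added
        // explicitly to both stores is counted as inherited here; telling those
        // apart needs the physical stores, which this example does not open.)
        int inherited = userView.Intersect(machine).Count();
        Console.WriteLine($"CurrentUser\\Root shows {userView.Count} roots: " +
                          $"{inherited} come via LocalMachine\\Root, " +
                          $"{userView.Count - inherited} are user-specific.");

        // Optional: pass a thumbprint (hex, no spaces) to ask where a Remove
        // would have to happen for it to stop showing up.
        if (args.Length == 1)
            Console.WriteLine($"{args[0]}: {WhereToRemove(args[0])}");
    }
}
```

Run it as a standard user and the user-specific count is normally zero, which is the practical meaning of "store owner": everything you see in your Root store but did not add yourself belongs to the machine, and changing it is an administrator's job.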

The personal store for LocalMachine contains machine certificates. An example of a certificate that lives in such a store is an SSL certificate that is used by IIS to protect HTTP traffic. There is only one such store on the machine.

The personal store for LocalUser contains user certificates. An example of such a certificate is an S/MIME certificate used to sign email messages. Each user has his/her own store of this type.
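
The two cases this answer names (an IIS TLS certificate in the machine's Personal store, an S/MIME certificate in the user's), as an added example that is not from the answer and not from any particular project: it looks up a TLS server certificate in LocalMachine\My and an email-signing certificate in CurrentUser\My, keeping only certificates that are currently valid, carry the matching Extended Key Usage, have a private key, and build a chain to a trusted root. The EKU OIDs are the standard id-kp-serverAuth and id-kp-emailProtection values; the store and chain calls are the ordinary .NET API. Windows only, read-only.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class PersonalStore
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    const string EmailOid      = "1.3.6.1.5.5.7.3.4"; // id-kp-emailProtection

    // Candidates from the Personal (My) store of the given location.
    // Each Find returns a new collection, so chaining narrows the set:
    // currently within NotBefore..NotAfter, then carrying the wanted EKU.
    // validOnly is false: chain trust is decided in Pick, not here.
    static X509Certificate2Collection Find(StoreLocation location, string ekuOid)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        var candidates = store.Certificates
            .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
            .Find(X509FindType.FindByApplicationPolicy, ekuOid, false);

        var usable = new X509Certificate2Collection();
        foreach (X509Certificate2 cert in candidates)
            if (cert.HasPrivateKey)        // no key, no handshake / no signature
                usable.Add(cert);
        return usable;
    }

    // Of the usable certs, return the one expiring last whose chain builds
    // to a trusted root (Root / AuthRoot as described above), or null.
    static X509Certificate2 Pick(X509Certificate2Collection usable)
    {
        X509Certificate2 best = null;
        foreach (X509Certificate2 cert in usable)
        {
            using var chain = new X509Chain();
            // Offline demo: skip revocation so a missing CRL endpoint does not
            // masquerade as "untrusted". A production check would not do this.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (!chain.Build(cert))
                continue;
            if (best == null || cert.NotAfter > best.NotAfter)
                best = cert;
        }
        return best;
    }

    static void Main()
    {
        // The machine's TLS identity lives in LocalMachine\My ...
        var tls = Pick(Find(StoreLocation.LocalMachine, ServerAuthOid));
        Console.WriteLine(tls == null
            ? "No usable TLS server certificate in LocalMachine\\My"
            : $"TLS server cert: {tls.Subject} (expires {tls.NotAfter:u})");

        // ... while a person's S/MIME signing identity lives in CurrentUser\My.
        var smime = Pick(Find(StoreLocation.CurrentUser, EmailOid));
        Console.WriteLine(smime == null
            ? "No usable S/MIME signing certificate in CurrentUser\\My"
            : $"S/MIME cert: {smime.Subject} (expires {smime.NotAfter:u})");
    }
}
```

Two caveats worth knowing when this is run from a service. HasPrivateKey only says that a key is associated with the certificate; for LocalMachine\My the key's ACL decides whether your process may use it, so a service running under a dedicated account needs read access granted on the key (in certlm.msc: All Tasks, Manage Private Keys), otherwise the first signing operation fails even though the lookup above succeeds. And because the lookups are read-only, a non-admin account can run this against LocalMachine\My; adding or removing certificates there is what needs elevation.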
