
X509Store Location versus Store?

I am using the X509Store in C# DotNet to traverse the certificate stores. However, I am not clear on what the difference is between a certificate location and a certificate store. For example, the locations are LocalUser and LocalMachine. Examples of Stores are My (Personal) and Root. What is the difference between the Personal store on LocalMachine versus Personal store on LocalUser? What does it even mean to have a Personal store on LocalMachine?

There are a few purposed stores (C# name in bold, UI display name in parenthetical italics):

  • My (Personal): when searching for a leaf/end-entity certificate this store is usually what gets searched. This is usually the only store that has certificates with associated private keys.
    • If you browse to a site using client authentication certificates IE will choose candidate certs from the My store. (Forward reference: The location for this is CurrentUser)
    • When configuring IIS from a GUI it will show certificates from the My store. (Forward reference: The location for this is LocalMachine)
  • Root (Trusted Root Certificate Authorities): When doing a chained-trust decision, such as in TLS, if the other end of the chain is represented in this store then the original cert is trusted.
    • In addition to the certs explicitly in this store it exposes a virtual view over AuthRoot.
  • AuthRoot (Third-Party Root Certification Authorities): When registering an additional trusted root you "should" do it in the 3rd party store, for... reasons? While the LocalMachine one seems to work fine, the CurrentUser one seems to mostly be for show.
  • CertificateAuthority (Intermediate Certificate Authorities, known as "CA" to the underlying system): This is a repository of known intermediate certificates. When doing a chain build the system will look for a parent here, then in Root, then maybe over the Internet. If the chain was trustworthy then the certs in the middle of the chain may be cached here for future lookups.
  • Disallowed (Untrusted Certificates): If a part of a certificate chain is found in this store, the chain is considered untrustworthy.
  • AddressBook (Other People): A collection of certificates that you know about. Yep, about that specific. It gets searched by some programs/libraries when trying to match a peer certificate. For example, a find-by-issuer-and-serial-number notice in SignedXml.

There are a couple more standard ones, you can read about them at TechNet. You can also create your own certificate store using the X509Store(string, StoreLocation) overload. (It's sometimes useful for managing applications, but the certificate manager UI gets a bit confused when you have private keys in a custom store; it expects them only in the My store).

So that's StoreName. StoreLocation is perhaps better thought of as "store owner". A standard user could decide that they trust certificates issued by some private CA, so they could add it to their Root store. Since it's their store it won't affect any other users on the system. The system itself also owns stores. For example, the TLS certificate for the computer really belongs to "the computer", and multiple administrators may be involved with managing it. Since it's pretty unusual to search through your friend's stuff, the StoreLocation comes down to "me, as a user" (CurrentUser) or "this computer" (LocalMachine) for which store to use.

Things get slightly murky now: On Windows almost every CurrentUser store (with a notable exception of the My store) exposes a view into the LocalMachine equivalent store. So when you enumerate the certificates in CurrentUser\Root you're getting both the certificates explicitly added to CurrentUser\Root and also the certificates explicitly added to LocalMachine\Root. This can cause confusion since you can see a certificate when enumerating, call Remove with it as an argument, and it's still there when enumerating again.

In my experience, most interactions with cert stores are to the My store. At which point the decision tree comes down to something like this:

  • Am I a service with a dedicated user account?
    • new X509Store(StoreName.My, StoreLocation.CurrentUser)
  • Am I a service without a dedicated user account?
    • new X509Store(StoreName.My, StoreLocation.LocalMachine)
  • Else
    • new X509Store(StoreName.My, StoreLocation.CurrentUser)

But that's a big generalization.
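One way to see the CurrentUser\Root view merging described in this answer, as an added example that is not part of the original post. It assumes Windows (where the merged view exists) and a .NET version in which X509Store is IDisposable; the class and method names are made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: splits what CurrentUser\Root enumerates into
// certificates the user profile actually owns and certificates that are
// only visible through the view over LocalMachine\Root. Calling Remove
// on the CurrentUser handle for the second group will not make them go away.
static class RootStoreView
{
    static HashSet<string> Thumbprints(StoreName name, StoreLocation location)
    {
        // OpenExistingOnly prevents silently creating an empty store on a typo;
        // ReadOnly is enough for enumeration and needs no admin rights for Root.
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            return new HashSet<string>(
                store.Certificates.Cast<X509Certificate2>().Select(c => c.Thumbprint),
                StringComparer.OrdinalIgnoreCase);
        }
    }

    static void Main()
    {
        var user = Thumbprints(StoreName.Root, StoreLocation.CurrentUser);
        var machine = Thumbprints(StoreName.Root, StoreLocation.LocalMachine);

        // Present in CurrentUser\Root but absent from LocalMachine\Root:
        // these are the roots this user added for themselves.
        var userOnly = user.Except(machine).ToList();
        // Present in both: shown through the view of the machine store,
        // so they are really owned by "this computer", not by the user.
        var viaMachine = user.Intersect(machine).ToList();

        Console.WriteLine($"CurrentUser\\Root enumerates {user.Count} certificates:");
        Console.WriteLine($"  {userOnly.Count} live in the user's own Root store");
        Console.WriteLine($"  {viaMachine.Count} are merged in from LocalMachine\\Root");
        foreach (var tp in viaMachine)
            Console.WriteLine($"    machine-owned: {tp}");
    }
}
```

The same comparison works for the other CurrentUser stores that expose a machine view; only My is exempt.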

The personal store for LocalMachine contains machine certificates. An example of a certificate that lives in such a store is an SSL certificate that is used by IIS to protect HTTP traffic. There is only one such store on the machine.

The personal store for LocalUser contains user certificates. An example of such a certificate is an S/MIME certificate used to sign email messages. Each user has his/her own store of this type.
