Certificate Store Concepts

Certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs) are kept and maintained in a certificate store, and can be retrieved for use in authentication processes. Throughout this section, all references to certificates, unless otherwise noted, should be taken to include certificates, CRLs, and CTLs. A typical certificate store is a linked list of certificates as shown in the following diagram.

The previous illustration shows:

The certificates in a certificate store are normally kept in some kind of permanent storage such as a disk file or the system registry. Certificate stores can also be created and opened strictly in memory. This might be done to create temporary certificate storage while working with a group of certificates that does not need to be put into permanent storage. Additional store locations have been added to allow stores to be kept and searched in various parts of a local computer's registry or, with proper permissions set, in the registry on a remote computer.

Each user has a MY certificate store where that user's personal certificates and those certificates that the user most frequently uses may be kept. The MY store is currently persisted to a registry sub-key.

The use of certificates for authentication depends on having certificates that have been issued by some trusted certificate issuer. Certificates for the most trusted issuers, which can be used to authenticate newly received certificates, are normally kept in the ROOT store, which is predefined and currently persisted to a registry sub-key. In CryptoAPI, the root store's contents are protected, and a special user interface (UI) controls which certificates are added to the ROOT store. In enterprise network situations, the domain controller computer might copy the most-trusted issuer certificates to the ROOT stores of all its client computers.

Infrequently used certificates that should not be stored in the ROOT store may be stored in the certification authority (CA) store.

The certificate store is central to all certificate functionality. The certificates are managed in the store by using functions with a "Cert" prefix. For example code using some of these functions, see Example Code for Fundamental Certificate Store Operations.
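The following PowerShell script is an added example, not code from the original page: it inventories the predefined MY, ROOT and CA stores described above through .NET's X509Store class, which wraps the same CryptoAPI stores, and flags ROOT entries that are not on a baseline list. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the baseline thumbprint is a constructed placeholder.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows. The baseline thumbprint is a constructed placeholder.
using namespace System.Security.Cryptography.X509Certificates

function Get-StoreInventory {
    param(
        [Parameter(Mandatory)][StoreName]$Name,
        [Parameter(Mandatory)][StoreLocation]$Location
    )
    # Open the persisted store read-only; OpenExistingOnly avoids creating an
    # empty store as a side effect of merely inspecting it.
    $store = [X509Store]::new($Name, $Location)
    $store.Open([OpenFlags]::ReadOnly -bor [OpenFlags]::OpenExistingOnly)
    try {
        foreach ($cert in $store.Certificates) {
            [pscustomobject]@{
                Store      = "$Location\$Name"
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)   # roots issue themselves
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    } finally {
        $store.Close()
    }
}

# ROOT anchors every chain built on this machine, so a root that is not in the
# expected set deserves attention. Constructed placeholder baseline.
$expectedRootThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, replace with your baseline
)
$roots = Get-StoreInventory -Name Root -Location LocalMachine
$roots | Where-Object { $_.Thumbprint -notin $expectedRootThumbprints } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# MY holds the user's own certificates; CA holds issuer certificates that do not belong in ROOT.
Get-StoreInventory -Name My -Location CurrentUser |
    Format-Table Subject, Issuer, NotAfter -AutoSize
Get-StoreInventory -Name CertificateAuthority -Location LocalMachine |
    Measure-Object | Select-Object -ExpandProperty Count

# In-memory counterpart to a persisted store, as the text describes: this
# collection lives only for the session and is never written to the registry.
$temporary = [X509Certificate2Collection]::new()
$temporary.AddRange([X509Certificate2[]]($roots | ForEach-Object {
    (Get-Item "Cert:\LocalMachine\Root\$($_.Thumbprint)") }))
$temporary.Count
```

The same stores are exposed by the Cert: PSDrive, so `Get-ChildItem Cert:\LocalMachine\Root` lists the ROOT store without any .NET calls.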