System Store Locations

A system store is a collection consisting of one or more physical sibling stores. For each system store, there are predefined physical sibling stores. After opening a system store such as MY at CERT_SYSTEM_STORE_CURRENT_USER, the store provider calls CertOpenStore to open each of the physical stores in the system store collection. For each system store location, the predefined system stores are:

  • MY
  • Root
  • Trust
  • CA

In CERT_SYSTEM_STORE_CURRENT_USER, there is also a predefined UserDS store. A smart card store is planned for this location.

CERT_SYSTEM_STORE_CURRENT_USER system stores are at registry location HKEY_CURRENT_USER\Comm\Security\SystemCertificates.

The predefined physical stores associated with those system stores are as follows.

System store    Physical store
MY              .Default
Root            .Default
                .LocalMachine
Trust           .Default
                .LocalMachine
CA              .Default
                .LocalMachine

CERT_SYSTEM_STORE_LOCAL_MACHINE system stores are at registry location HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates.

The predefined physical stores associated with those system stores are as follows.

System store    Physical store
MY              .Default
Root            .Default
Trust           .Default
CA              .Default

For Windows CE .NET 4.2 and later, the system root store is initialized with the most common public certificate authorities in the sysroots.p7b file. The following code example shows the default registry value:

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root]
   "InitFile"="\windows\sysroots.p7b"

Adding Certificates to System Stores

For Windows CE .NET 4.2 and later, support for the PKCS #7 format provides an easier way to add certificates to system stores. Only OEMs can add certificates to system stores using the registry. Application developers cannot use this procedure.

To initialize the system certificate stores with a set of certificates

  1. Create a list of authority certificates as a PKCS #7 formatted file.

  2. Add the file to the Windows CE-based platform by editing the project.bib file.

  3. Add the registry value to the project.reg file.

    The registry value is InitFile in the HKEY_CURRENT_USER\Comm\Security\SystemCertificates\Root registry subkey. The InitFile value specifies the local path and the name of the PKCS #7 formatted file.

    For example, to initialize the current user root store with the file userroots.p7b, add the following code to the project.reg file:

    [HKEY_CURRENT_USER\Comm\Security\SystemCertificates\Root]
       "InitFile"="\windows\userroots.p7b"
    

    To initialize the local machine store with the same file, add the following code to the project.reg file:

    [HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root]
       "InitFile"="\windows\userroots.p7b"
    

    To initialize other system stores, replace the last component of the subkey path with the name of the store. For example, to initialize the local machine CA store with certs.p7b, add the following code to the project.reg file:

    [HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\CA]
       "InitFile"="\windows\certs.p7b"
    

The first time an application uses CryptoAPI to access a system certificate store, CryptoAPI initializes the store from the file specified in the registry. After initialization, the registry value is deleted so that initialization does not repeat.
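Because the procedure above seeds trust anchors through project.reg, a build-time check can list every InitFile entry under a SystemCertificates store key and compare it with a reviewed allow-list. The following Python script is an added example, not Microsoft's code; the function names, the allow-list, and the sample project.reg contents (including the file name extra.p7b) are assumptions made for illustration.

```python
import re

# Store keys under the registry location the page gives for system stores.
KEY = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
                 r"\\Comm\\Security\\SystemCertificates\\([^\\\]]+)\]$", re.I)
INIT = re.compile(r'^"InitFile"\s*=\s*"(.*)"$', re.I)

def find_seeds(reg_text):
    """Return (hive, store, path) for each InitFile under a system store key."""
    seeds, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY.match(line)
            # Any other key ends the store section we were tracking.
            current = (m.group(1).upper(), m.group(2)) if m else None
        elif current and (v := INIT.match(line)):
            seeds.append((*current, v.group(1)))
    return seeds

def audit(reg_text, approved):
    """approved maps (hive, lowercase store name) to the reviewed file path."""
    findings = []
    for hive, store, path in find_seeds(reg_text):
        want = approved.get((hive, store.lower()))
        if want is None:
            findings.append(f"unreviewed seed: {hive} {store} <- {path}")
        elif want.lower() != path.lower():
            findings.append(f"wrong file: {hive} {store} <- {path}, expected {want}")
    return findings

# Constructed project.reg content: two entries from the page's examples plus
# one constructed entry that no reviewer approved.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root]
   "InitFile"="\windows\userroots.p7b"

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\CA]
   "InitFile"="\windows\certs.p7b"

[HKEY_CURRENT_USER\Comm\Security\SystemCertificates\Root]
   "InitFile"="\windows\extra.p7b"
"""

# Hypothetical allow-list kept by whoever signs off on the image's trust anchors.
APPROVED = {
    ("HKEY_LOCAL_MACHINE", "root"): r"\windows\userroots.p7b",
    ("HKEY_LOCAL_MACHINE", "ca"): r"\windows\certs.p7b",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, APPROVED):
        print(finding)
```

Because the InitFile value is deleted after first use, this check has to run against project.reg at build time rather than against the registry of a device that has already booted.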

See Also

Managing Certificates with Certificate Stores | Cryptography | Certificates | Enrolling for a Certificate

 Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.