System Store Locations

A system store is a collection consisting of one or more physical sibling stores. For each system store, there are predefined physical sibling stores. After opening a system store such as MY at CERT_SYSTEM_STORE_CURRENT_USER, the store provider calls CertOpenStore to open each of the physical stores in the system store collection. In the open process, each of these physical stores is added to the system store collection using CertAddStoreToCollection. All of the certificates in those physical stores are available through the logical system store collection.

For each system store registry location, the predefined system stores are:

MY
Root
Trust
CA

In the CERT_SYSTEM_STORE_CURRENT_USER location there is also a predefined UserDS store. A smart card store is planned for this location.

CERT_SYSTEM_STORE_CURRENT_USER system stores are at registry location HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates.

The predefined physical stores associated with those system stores are:

System Store   Physical Store(s)
MY             .Default
Root           .Default, .LocalMachine
Trust          .Default, .GroupPolicy, .LocalMachine
CA             .Default, .GroupPolicy, .LocalMachine
UserDS         .UserCertificate

CERT_SYSTEM_STORE_LOCAL_MACHINE system stores are at registry location HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates.

The predefined physical stores associated with those system stores are:

System Store   Physical Store(s)
MY             .Default
Root           .Default, .GroupPolicy
Trust          .Default, .GroupPolicy
CA             .Default, .GroupPolicy

CERT_SYSTEM_STORE_CURRENT_SERVICE system stores are at registry location HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates, where <ServiceName> is the name of the calling service.

The predefined physical stores associated with those system stores are:

System Store   Physical Store(s)
MY             .Default
Root           .Default, .LocalMachine
Trust          .Default, .LocalMachine
CA             .Default, .LocalMachine

CERT_SYSTEM_STORE_SERVICES system stores are at registry location HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates.

The predefined physical stores associated with those system stores are:

System Store        Physical Store(s)
ServiceName\MY      .Default
ServiceName\Root    .Default, .LocalMachine
ServiceName\Trust   .Default, .LocalMachine
ServiceName\CA      .Default, .LocalMachine

CERT_SYSTEM_STORE_USERS system stores are at registry location HKEY_USERS\<UserName>\Software\Microsoft\SystemCertificates.

The predefined physical stores associated with those system stores are:

System Store   Physical Store(s)
userid\MY      .Default, .LocalMachine
userid\Root    .Default, .LocalMachine
userid\Trust   .Default, .LocalMachine
userid\CA      .Default, .LocalMachine

CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY system stores are at registry location HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates.

CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY system stores are at registry location HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates.

The predefined physical stores associated with those system stores are:

System Store   Physical Store(s)
MY             .Default
Root           .Default
Trust          .Default
CA             .Default

Additional physical stores can be associated with a system store using CertRegisterPhysicalStore.
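The registry locations above are where each physical store actually persists, which is what an investigator needs when deciding whether a trusted root was installed by the machine, pushed by Group Policy, or added only for one user. The following PowerShell script is an added example, not code from the original page: it reads the registry keys this page maps to the physical stores behind Root and reports root certificates that exist only in the current user's own .Default store. It assumes the CryptoAPI registry layout in which each ...\Root\Certificates key holds one subkey per certificate, named by the certificate's SHA-1 thumbprint, and that the script runs locally with read access to HKCU and HKLM.

```powershell
# Added example (not part of the original page). Enumerate the registry keys
# behind the physical stores of the Root system store and flag roots that are
# present only in the current user's .Default physical store.
# Assumption: under each ...\Root\Certificates key, every subkey is named by
# the SHA-1 thumbprint of the certificate it holds.

$physical = [ordered]@{
    'CurrentUser Root .Default'      = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
    'LocalMachine Root .Default'     = 'HKLM:\Software\Microsoft\SystemCertificates\Root\Certificates'
    'LocalMachine Root .GroupPolicy' = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates'
}

function Get-PhysicalStoreThumbprints([string]$RegPath) {
    # A physical store whose key does not exist yet is simply empty.
    if (-not (Test-Path -Path $RegPath)) { return @() }
    (Get-ChildItem -Path $RegPath).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
}

$sets = @{}
foreach ($name in $physical.Keys) {
    $sets[$name] = @(Get-PhysicalStoreThumbprints $physical[$name])
    '{0,-32} {1,4} certificate(s)' -f $name, $sets[$name].Count
}

# CurrentUser\Root is a collection of .Default (HKCU) and .LocalMachine (HKLM),
# so a root that is only in the HKCU key was added for this user, not by the
# machine store or by Group Policy.
$machineRoots = $sets['LocalMachine Root .Default'] + $sets['LocalMachine Root .GroupPolicy']
$userOnly = $sets['CurrentUser Root .Default'] | Where-Object { $machineRoots -notcontains $_ }

foreach ($tp in $userOnly) {
    # Resolve the thumbprint to a certificate through the logical system store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $tp
    [pscustomobject]@{
        Thumbprint = $tp
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Source     = 'HKCU .Default only (user-scoped root)'
    }
}
```

A root listed by this script is not necessarily malicious, but it is one that neither the machine's .Default store nor a Group Policy pushed, which is exactly the set worth reviewing on a host where a TLS interception or signing-trust issue is suspected. The same walk applies to the Trust and CA system stores by substituting their key names.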

CERT_SYSTEM_STORE_SERVICES and CERT_SYSTEM_STORE_USERS stores are opened by prefixing the name of the store in the string passed to pvPara with the service or user name, such as "ServiceName\Trust" or ".Default\MY". For Microsoft® Windows NT®, the CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS location can open the same store as CERT_SYSTEM_STORE_CURRENT_SERVICE or CERT_SYSTEM_STORE_CURRENT_USER by using the textual SID of the current service or user as the prefix. For Windows® 95, the string returned by GetUserName is used.

Stores in CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY in a network setting are downloaded to the client computer from the Group Policy Template (GPT) during machine startup or user logon. These stores may be updated on the client computer after startup or logon when the GPT is changed on the domain server by an administrator. The CertControlStore function allows an application to be notified when stores in either of these locations have changed.

The following system store locations can be opened remotely:

CERT_SYSTEM_STORE_LOCAL_MACHINE
CERT_SYSTEM_STORE_SERVICES
CERT_SYSTEM_STORE_USERS
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY

System store locations are opened remotely by prefixing the store name in the string passed to pvPara with the computer name. Examples of remote system store names are:

ComputerName\CA
\\ComputerName\CA
ComputerName\ServiceName\Trust
\\ComputerName\ServiceName\Trust
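The naming rules above (a location flag selecting the registry hive, a system store name, and optional service, user or computer prefixes in pvPara) are easiest to see by calling CertOpenStore directly. The following PowerShell script is an added example, not code from the original page: it declares the crypt32 entry points through Add-Type, defines the location flags as the wincrypt.h location IDs shifted by 16, and opens a logical system store, a single physical store, a service store and a remote store using the pvPara forms described in this section. The service name "EventLog", the computer name "FILESRV01" and the use of CERT_STORE_PROV_PHYSICAL_W with a "SystemStore\PhysicalStore" name are assumptions for the example; the service and remote stores will only open if they exist and are reachable.

```powershell
# Added example (not part of the original page). Open system, physical, service
# and remote stores through CertOpenStore using the pvPara prefixes this page
# describes. Placeholder names: service "EventLog", computer "FILESRV01".

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Crypt32 {
    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
        IntPtr hCryptProv, uint dwFlags, string pvPara);
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern IntPtr CertEnumCertificatesInStore(IntPtr hCertStore, IntPtr pPrevCertContext);
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
}
'@

# Provider ids and open flags from wincrypt.h
$CERT_STORE_PROV_SYSTEM_W      = [IntPtr]10   # pvPara = "[\\Computer\][Service|User\]SystemStore"
$CERT_STORE_PROV_PHYSICAL_W    = [IntPtr]14   # pvPara = "SystemStore\PhysicalStore" (assumed form)
$CERT_STORE_OPEN_EXISTING_FLAG = 0x4000
$CERT_STORE_READONLY_FLAG      = 0x8000

# Location ids shifted left by CERT_SYSTEM_STORE_LOCATION_SHIFT (16)
$Location = @{
    CurrentUser             = 1 -shl 16
    LocalMachine            = 2 -shl 16
    CurrentService          = 4 -shl 16
    Services                = 5 -shl 16
    Users                   = 6 -shl 16
    CurrentUserGroupPolicy  = 7 -shl 16
    LocalMachineGroupPolicy = 8 -shl 16
}

function Get-StoreCertificates([IntPtr]$Provider, [uint32]$LocationFlag, [string]$Name) {
    # Read-only and open-existing: never create a store as a side effect of looking at one.
    $flags = [uint32]($LocationFlag -bor $CERT_STORE_OPEN_EXISTING_FLAG -bor $CERT_STORE_READONLY_FLAG)
    $h = [Crypt32]::CertOpenStore($Provider, 0, [IntPtr]::Zero, $flags, $Name)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CertOpenStore('$Name') failed: Win32 error $err"
    }
    try {
        $ctx = [IntPtr]::Zero
        while (($ctx = [Crypt32]::CertEnumCertificatesInStore($h, $ctx)) -ne [IntPtr]::Zero) {
            # The X509Certificate2(IntPtr) constructor duplicates the context,
            # so the enumeration keeps ownership of $ctx and frees it itself.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ctx |
                Select-Object @{ n = 'Store'; e = { $Name } }, Thumbprint, Subject
        }
    } finally {
        [void][Crypt32]::CertCloseStore($h, 0)
    }
}

# Logical CurrentUser\Root: the collection of .Default (HKCU) and .LocalMachine (HKLM).
Get-StoreCertificates $CERT_STORE_PROV_SYSTEM_W $Location.CurrentUser 'Root'
# One physical store only: the Group Policy roots behind LocalMachine\Root.
Get-StoreCertificates $CERT_STORE_PROV_PHYSICAL_W $Location.LocalMachine 'Root\.GroupPolicy'
# Service store: CERT_SYSTEM_STORE_SERVICES with a "ServiceName\" prefix.
Get-StoreCertificates $CERT_STORE_PROV_SYSTEM_W $Location.Services 'EventLog\Trust'
# Remote store: "\\ComputerName\" prefix, valid only for the locations listed above.
Get-StoreCertificates $CERT_STORE_PROV_SYSTEM_W $Location.LocalMachine '\\FILESRV01\CA'
```

Opening the physical store instead of the logical collection is the useful trick for triage: the logical Root store merges .Default, .GroupPolicy and .LocalMachine, so it cannot tell you which of them a root came from, whereas opening "Root\.GroupPolicy" on its own isolates exactly what policy pushed. The remote form needs remote registry access on the target and is governed by the same ACLs as reading HKEY_LOCAL_MACHINE there.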