Windows 2000 Certificate Services and Public Key Infrastructure

Certificates Console

The Certificates console is an MMC snap-in, which you can use to manage the certificate stores for users, computers, and services.

You can use the Certificates console to perform the following tasks:

View information about certificates, such as certificate contents and the certification path.
Import certificates into a certificate store.
Move certificates between certificate stores.
Export certificates and, optionally, export private keys (if key export is enabled).
Delete certificates from certificate stores.
Request certificates from an enterprise CA for the Personal certificate store.

For more information about how to use the Certificates console to do these tasks, see Certificate Manager Help.

To add a Certificates console to MMC

Open MMC.
Click Console, and then click Add/Remove Snap-in.
– Or –

Press CTRL+M.

The Add/Remove Snap-in dialog box appears.
Click Add.
The Add Standalone Snap-in dialog box appears.
Select Certificates from the list of snap-ins, and then click Add.
The Certificates Snap-in dialog box appears.
Select one of the following accounts:
- My user account
- Service account
- Computer account
The Certificates console manages the certificate stores for this account.
Click Next.
If you selected My user account, the Add Standalone Snap-in dialog box appears. You can click Add to add another snap-in.

If you selected Service account or Computer account, the Select Computer dialog box appears. To manage the local computer, click Next. To manage another computer, either type the domain name of the computer in Another computer, or click Browse to select the computer from a list. Then click Next.

If you selected Computer account, the Add Standalone Snap-in dialog box appears. You can click Add to add another snap-in.

If you selected Service account, the Certificates Snap-in dialog box appears. Select a service from the Services account list, and click Finish. When the Add Standalone Snap-in dialog box appears, you can click Add to add another snap-in.
When you are finished adding snap-ins, in the Add Standalone Snap-in dialog box, click Close.
The Add/Remove Snap-in dialog box appears and displays the snap-ins that you are installing in MMC.
In the Add/Remove Snap-in dialog box, click Close.

Figure 16.4 shows an example of three Certificates console nodes that have been added to MMC. The first Certificates console node manages certificates for the logged on user. The second Certificates console node manages certificates for the World Wide Web Publishing service for the local computer. The third Certificates console node manages certificates for the local computer itself.

Enlarge figure

Figure 16.4 Certificates Console

The Certificates console nodes in Figure 16.4 have been expanded to show the logical certificate stores. This is called the Logical display mode. You also have the option of viewing certificates by their physical stores or by their purpose.

To change the display mode, select the Certificates console (such as the Certificates - Current User console). Click View and then click Options. When the View Options dialog box appears, you can choose from the display mode options that are described in Table 16.3.

Table 16.3 View Options Dialog Box

Option	Description
Certificate purpose	Select this option to view certificates in the Purposes display mode, in which certificates are grouped by the intended purpose of the certificates, such as Encrypting File System, File Recovery, and Code Signing.
Logical certificate stores	Select this option to view certificates in the Logical display mode, in which certificates are grouped by the logical store where they are located. This is the default display mode.
Physical certificate stores	Select this option to view the physical stores in addition to the logical stores. This option is available for the Logical display mode only.
Archived certificates	Select this option to view archived certificates. When certificates expire or are renewed, Windows 2000 maintains archives of the certificates and their private keys. Retaining archived certificates is recommended because you might need to use the certificate and its private key later. For example, you might have to verify digital signatures for old documents that were signed with a key for a currently expired or renewed certificate.