Certificates Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate Tools and Settings

In this section

  • Certificate Tools

  • Certificate Registry Entries

  • Certificate Group Policy Settings

Certificate Tools

The following tools are associated with certificates.

Certmgr.msc: Certificates Snap-in

Category

Certificates is a Microsoft Management Console (MMC) snap-in that ships with Windows Server 2003 and Windows 2000 Server.

Version compatibility

Certificates is compatible with Windows Server 2003 and Windows 2000 Server, and can be used to manage the certificate stores for users, computers, and services on computers running Windows Server 2003, Windows XP, and Windows 2000.

You can use Certificates to:

  • View information about certificates, such as certificate contents and the certification path.

  • Import certificates into a certificate store.

  • Move certificates between certificate stores.

  • Export certificates and, optionally, export private keys (if key export is enabled).

  • Delete certificates from certificate stores.

  • Request certificates from an enterprise certification authority (CA) for the Personal certificate store.

    Note

    • The ability to perform some tasks will depend on the capabilities of the PKI configuration and environment.

To find more information about the “Certificates” snap-in, see “Certificates” on Microsoft TechNet.

Certtempl.msc: Certificate Templates Snap-in

Category

Certificate Templates is an MMC snap-in that ships with Windows Server 2003.

Version compatibility

Certificate Templates only runs on Windows XP and Windows Server 2003, but can be used to manage certificate templates in a Windows 2000 Active Directory environment.

Certificate Templates enables administrators to duplicate, rename, and manage certificate templates. In Windows Server 2003, Certificate Templates also enables you to modify existing certificate template properties — such as certificate validity period, renewal period, cryptographic service providers (CSPs), key size, and key archival.

In addition, administrators or users with the appropriate permissions can use Certificate Templates to establish and apply enrollment policies (including autoenrollment), issuance policies, and application policies.

For more information about the Certificate Templates snap-in, see “Certificate Templates How to” on Microsoft TechNet.

Certreq.exe: Certreq

Category

Certreq is a command-line tool that ships with the Windows Server 2003 operating system tools and with the Windows Server 2003 Adminpak.

Version compatibility

Certreq is compatible with Windows Server 2003 and Windows 2000 Server, and can be used to manage the certificate stores for users, computers, and services on computers running Windows Server 2003, Windows XP, and Windows 2000.

Certreq enables you to submit, retrieve, create, and accept certificate requests that are sent to a Windows Server 2003 CA. You can also use Certreq to create and sign requests for cross-certificates. You can also place the Certreq command syntax in a batch file to script certificate requests.

To find more information about Certreq, see “Command-Line References” in Tools and Settings Collection.

Certutil.exe: Certutil

Category

Certutil is a command-line tool that is installed as part of Certificate Services.

Version compatibility

Certutil can be used on Windows Server 2003 and Windows 2000 Server CAs.

You can use Certutil to extract and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

To find more information about Certutil, see “Command-Line References” in Tools and Settings Collection.
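
The scripted request flow that Certreq supports, as an added example that is not from this page: a PowerShell script (PowerShell is assumed to be available; the CA configuration string "ca01.example.test\Example Issuing CA", the host name "web01.example.test" and the "WebServer" template are placeholders) that builds a machine certificate request, submits it to an enterprise CA, accepts the issued certificate, and then checks its chain and revocation status with Certutil.

```powershell
# Added example (not from the TechNet page): drive a computer certificate
# request with Certreq, then validate the result with Certutil.
# Run from an elevated prompt, since MachineKeySet=TRUE writes to the
# computer's key and certificate stores.
$CaConfig = 'ca01.example.test\Example Issuing CA'   # placeholder CA config string
$Subject  = 'CN=web01.example.test'                  # placeholder host name
$WorkDir  = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'

# Request parameters. Exportable=FALSE means the private key cannot later be
# exported through the Certificates snap-in; MachineKeySet=TRUE puts the key
# and certificate in the computer's stores rather than the user's.
# KeyUsage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20).
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 1. Generate the key pair and the PKCS #10 request.
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit the request to the CA. If the template requires CA manager
#    approval, no certificate file is written yet: the request stays in the
#    REQUEST store until it is approved and retrieved with
#    'certreq -retrieve <RequestId> <CertFile>'.
certreq.exe -submit -config $CaConfig $ReqPath $CerPath
if (-not (Test-Path $CerPath)) {
    Write-Warning 'No certificate was issued; the request is pending or was denied.'
    return
}

# 3. Install the issued certificate and bind it to the pending private key.
certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Build the chain and fetch CRLs from the certificate's distribution
#    points before the certificate is put into service; the output shows
#    whether chain building and revocation checking succeeded.
certutil.exe -verify -urlfetch $CerPath
```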

Certificate Registry Entries

Certificate-related registry entries correlate to the physical view of the certificate-related data that can be viewed by using the Certificates snap-in.

The following registry keys are associated with certificates:

  • HKEY_Current_User\Software\Microsoft contains data about user certificates that have not been distributed by using Group Policy.

  • HKEY_Current_User\Software\Policies\Microsoft contains data and settings for user certificates that have been distributed by using Group Policy.

  • HKEY_Local_Machine\Software\Microsoft contains data about computer certificates that have not been distributed using Group Policy.

  • HKEY_Local_Machine\Software\Policies\Microsoft contains data and settings for computer certificates that have been distributed by using Group Policy.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as MMC, to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

HKEY_Current_User\Software\Microsoft

HKEY_Current_User\Software\Microsoft contains registry settings for user certificates that have been distributed by means other than Group Policy. These settings are stored in the following subkeys:

  • HKEY_Current_User\Software\Microsoft\Cryptography

  • HKEY_Current_User\Software\Microsoft\SystemCertificates

HKEY_Current_User\Software\Microsoft\Cryptography

The following registry entries are located under HKEY_Current_User\Software\Microsoft\Cryptography.

Autoenrollment
Registry path

HKEY_Current_User\Software\Microsoft\Cryptography\

Version

Windows Server 2003, Windows 2000, and Windows XP

This setting is used to manage event logging and cached directory service data when user certificate autoenrollment has been enabled.

AEExpress
Registry path

HKEY_Current_User\Software\Microsoft\Cryptography\Autoenrollment

Version

Windows Server 2003 and Windows XP

You can add AEExpress on a per-user basis if the default 60-second delay is not desired. With this registry setting, the autoenrollment balloon UI appears at each logon or Group Policy refresh interval.

Note

Using this subkey in a normal production environment is not recommended. If it is used, it must be created on a per-user basis. Computer certificates do not support user interaction and should not be configured to require this setting.

HKEY_Current_User\Software\Microsoft\SystemCertificates

The following registry subkeys are located under SystemCertificates. The majority contain binary large objects that pertain to:

  • Certificates. These entries identify the certificates associated with the registry entry.

  • CRLs. These entries identify the certificate revocation lists (CRLs) associated with the registry entry.

  • CTLs. These entries identify the certificate trust lists (CTLs) associated with the registry entry.

Additional subkeys — which might appear under some registry subkeys — will be detailed below under the registry subkeys that they correspond to.

ACRS
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows 2000 and Windows XP

Automatic Certificate Request Settings (ACRS) in Group Policy is used by Windows 2000 to specify certificates to autoenroll. This registry setting has been replaced in Windows XP and Windows Server 2003 by certificate template autoenrollment. ACRS is still available for backward compatibility, but is not supported for user certificates.

AddressBook
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AddressBook contains data about certificates, CRLs, and CTLs relating to people. Unlike certificates registered in the TrustedPeople container, these certificates are not explicitly trusted.

AuthRoot
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

Disallowed
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Disallowed contains data about disallowed certificates. For example, this store will contain data about certificates that have been rejected as untrustworthy during the Authenticode software installation process.

My
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

My contains data about a user’s personal certificates. However, physical storage of this data for the user, which is viewable by using the Certificates snap-in, has been moved to the following Documents and Settings folder:

Application Data\Microsoft\SystemCertificates

REQUEST
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows 2000, and Windows XP

REQUEST contains data about pending certificate requests. When a pending certificate request has been approved or rejected, this registry data is removed. Data about pending certificate requests is also stored for the user in the following Documents and Settings folder:

Application Data\Microsoft\SystemCertificates\My

Root
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

Trust
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

TrustedPeople
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPeople contains data about certificates from other users where there is explicit trust.

TrustedPublisher
Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPublisher contains data about certificates that have been explicitly accepted as trustworthy. For example, it will contain data about certificates that are accepted as trustworthy during the Authenticode software installation process.

HKEY_Current_User\Software\Policies\Microsoft

HKEY_Current_User\Software\Policies\Microsoft contains registry settings for user certificates that have been distributed by using Group Policy. These settings are stored in the following subkeys:

  • HKEY_Current_User\Software\Policies\Microsoft\Cryptography

  • HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

HKEY_Current_User\Software\Policies\Microsoft\Cryptography

This set of registry entries is used when Group Policy-based autoenrollment is used to manage the availability of user certificates.

Autoenrollment
Registry path

HKEY_Current_User\Software\Policies\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

Autoenrollment implements Group Policy for autoenrollment of user certificates.

AEEventLogLevel
Registry path

HKEY_Current_User\Software\Policies\Microsoft\Cryptography\Autoenrollment\

Version

Windows Server 2003 and Windows XP

AEEventLogLevel enables enhanced logging of autoenrollment processes for users.

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

The following registry entries are located under SystemCertificates. The majority contain binary large objects that pertain to:

  • Certificates. These entries identify the certificates associated with the registry entry.

  • CRLs. These entries identify the CRLs associated with the registry entry.

  • CTLs. These entries identify the CTLs associated with the registry entry.

Additional subkeys — which might appear under some registry subkeys — will be detailed below under the registry subkeys that they correspond to.

AddressBook
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AddressBook contains data about certificates, CRLs, and CTLs relating to other people. Unlike certificates registered in the TrustedPeople container, these certificates are not explicitly trusted.

AuthRoot
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from third-party root CAs.

CA
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

Disallowed
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Disallowed contains data about disallowed certificates. For example, it will contain data about certificates that are rejected as untrustworthy during the Authenticode software installation process.

EFS
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

EFS contains data about certificates enabling the encrypting file system for the user.

Root
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

Trust
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

TrustedPeople
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPeople contains data about certificates from other users where there is explicit trust.

TrustedPublisher
Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPublisher contains data about certificates that have been explicitly accepted as trustworthy. For example, this store will contain data about certificates that are accepted as trustworthy during the Authenticode software installation process.

HKEY_Local_Machine\Software\Microsoft

HKEY_Local_Machine\Software\Microsoft contains registry settings for computer certificates that have been distributed by means other than Group Policy. These settings are stored in the following subkeys:

  • HKEY_Local_Machine\Software\Microsoft\Cryptography

  • HKEY_Local_Machine\Software\Microsoft\SystemCertificates

HKEY_Local_Machine\Software\Microsoft\Cryptography

AutoEnrollment
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003 and Windows XP

This setting is used to manage event logging level and cached directory service data when computer certificate autoenrollment has been enabled.

Calais
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

Calais contains settings that enable various vendors’ smart cards and smart card readers.

Defaults
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

Defaults contains information about the specific and generic CSPs listed under its Provider and Provider Types categories.

IEDirtyFlags
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows versions prior to Windows 2000

This legacy setting was used to record certificates and keys that are incompletely removed from Internet Explorer.

OID
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

OID is the hive used by the CryptRegisterOIDFunction, CryptRegisterDefaultOIDFunction, and CryptRegisterOIDInfo application programming interfaces (APIs) to register data.

Protect
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

You can use Protect to define providers for use with the ProtectedStorage service.

RNG
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

RNG is used by the Windows Random Number Generator to enhance random number generation from one computer startup to another.

Services
Registry path

HKEY_Local_Machine\Software\Microsoft\Cryptography

Version

Windows Server 2003, Windows XP, and Windows 2000

Services identifies the predefined physical stores for certificates associated with Windows services.

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

AddressBook
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AddressBook contains data about certificates, CRLs, and CTLs relating to other people. Unlike certificates registered in the TrustedPeople container, these certificates are not explicitly trusted.

AuthRoot
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

Disallowed
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Disallowed contains data about disallowed certificates. For example, it will contain data about certificates that are rejected as untrustworthy during the Authenticode software installation process.

My
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

My contains data about the certificates, CRLs, CTLs, and private keys associated with a computer account.

Recovery
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003 and Windows XP

Recovery stores the certificate for a user’s password reset disk.

REQUEST
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

REQUEST contains data about pending certificate requests. When a pending certificate request has been approved or rejected, this registry information is removed.

ROOT
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

ROOT contains data about trusted root CA certificates, CRLs, and CTLs.

SPC
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Not supported

SPC is a legacy registry store that was used by Internet Explorer 3.0 for migrating Software Publisher Certificates. It is no longer used.

Trust
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

TrustedPeople
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPeople contains data about certificates from other users where there is explicit trust.

TrustedPublisher
Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPublisher contains data about certificates that have been explicitly accepted as trustworthy. For example, this store will contain data about certificates that are accepted as trustworthy during the Authenticode software installation process.

HKEY_Local_Machine\Software\Policies\Microsoft

HKEY_Local_Machine\Software\Policies\Microsoft contains registry settings for computer certificates that have been distributed by using Group Policy. These settings are stored in the following subkeys:

  • HKEY_Local_Machine\Software\Policies\Microsoft\Cryptography

  • HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

HKEY_Local_Machine\Software\Policies\Microsoft\Cryptography

Autoenrollment
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\Cryptography

Version

Windows Server 2003 and Windows XP

Autoenrollment implements Group Policy for autoenrollment of computer certificates. The default autoenrollment behavior is as follows:

Approximately 60 seconds after logon, the balloon UI is displayed. If no user interaction is explicitly defined on the certificate template, no UI will be displayed to the user. This delay is incorporated to keep application and shell response times fast during logon and startup of the client computer.

AEEventLogLevel
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\Cryptography\Autoenrollment

Version

Windows Server 2003 and Windows XP

AEEventLogLevel enables enhanced logging of autoenrollment processes for computers.

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

The following registry entries are located under SystemCertificates. The majority contain binary large objects that pertain to:

  • Certificates. These entries identify the certificates associated with the registry entry.

  • CRLs. These entries identify the CRLs associated with the registry entry.

  • CTLs. These entries identify the CTLs associated with the registry entry.

Additional subkeys — which might appear under some registry subkeys — will be detailed below under the registry subkeys that they correspond to.

ACRS
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows 2000 and Windows XP

Automatic Certificate Request Settings (ACRS) in Group Policy is used by Windows 2000 to specify certificates to autoenroll. This registry setting has been replaced in Windows XP and Windows Server 2003 by certificate template autoenrollment; however, ACRS is still supported for backward compatibility.

AddressBook
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AddressBook contains data about certificates, CRLs, and CTLs relating to other people. Unlike certificates registered in the TrustedPeople container, these certificates are not explicitly trusted.

AuthRoot
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

Disallowed
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Disallowed contains data about disallowed certificates. For example, it will contain data about certificates that are rejected as untrustworthy during the Authenticode software installation process.

EFS
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

EFS contains data about certificates, CRLs, and CTLs that enable the use of Encrypting File System (EFS) on the computer.

Root
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

Trust
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

TrustedPeople
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPeople contains data about certificates from other users where there is explicit trust.

TrustedPublisher
Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

TrustedPublisher contains data about certificates that have been explicitly accepted as trustworthy. For example, it will contain data about certificates that are accepted as trustworthy during the Authenticode software installation process.
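
The split between the two machine hives described above (certificates written locally under HKEY_Local_Machine\Software\Microsoft versus those distributed by Group Policy under HKEY_Local_Machine\Software\Policies\Microsoft) can be turned into a check. The following PowerShell script is an added example, not code from this page; it assumes PowerShell 3.0 or later and the Blob record layout stated in its comments, and lists root CA certificates in the machine Root store that were not delivered by Group Policy.

```powershell
# Added example, not from the TechNet page. Lists root CA certificates held
# in the local machine Root store (HKLM\Software\Microsoft\SystemCertificates)
# that are absent from the Group Policy-distributed Root store
# (HKLM\Software\Policies\Microsoft\SystemCertificates).
# Assumption about the Blob layout (not stated on the page): each certificate
# is a subkey named by its SHA-1 thumbprint whose binary 'Blob' value is a
# sequence of little-endian records (DWORD PropId, DWORD Reserved, DWORD
# Length, Data); the DER certificate is the record with PropId 32.

$LocalRootPath  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
$PolicyRootPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

function Get-DerFromBlob {
    # Walks the property records in a store Blob and returns the DER bytes,
    # or $null if no certificate record is present.
    param([byte[]]$Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos   += 12
        if ($propId -eq 32) {
            if ($len -le 0 -or $pos + $len -gt $Blob.Length) { return $null }
            return [byte[]]$Blob[$pos..($pos + $len - 1)]
        }
        $pos += $len
    }
    return $null
}

function Get-RegistryStoreCerts {
    # Returns a hashtable of thumbprint -> X509Certificate2 for one store path.
    param([string]$Path)
    $certs = @{}
    if (-not (Test-Path $Path)) { return $certs }
    foreach ($key in Get-ChildItem -Path $Path) {
        $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if (-not $blob) { continue }
        $der = Get-DerFromBlob -Blob $blob
        if (-not $der) { continue }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $certs[$key.PSChildName.ToUpperInvariant()] = $cert
    }
    return $certs
}

function Find-UnmanagedRootCerts {
    # Roots present in the local store but not in the Group Policy store.
    $local  = Get-RegistryStoreCerts -Path $LocalRootPath
    $policy = Get-RegistryStoreCerts -Path $PolicyRootPath
    foreach ($thumb in $local.Keys) {
        if ($policy.ContainsKey($thumb)) { continue }
        $c = $local[$thumb]
        [PSCustomObject]@{
            Thumbprint = $thumb
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            SelfSigned = ($c.Subject -eq $c.Issuer)
        }
    }
}

# The Microsoft roots that ship with Windows also live in the local store, so
# compare this output against a known-good baseline and review any addition.
Find-UnmanagedRootCerts | Sort-Object NotAfter | Format-Table -AutoSize
```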

Certificate Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with certificates.

Group Policy Settings Associated with Certificates

Group Policy Setting / Description

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment

Can be used to enroll certificates automatically, renew expired certificates, update pending certificates, and remove certificates that have been revoked. In addition, this setting can be used to block certificate autoenrollment.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Can be used to add or create a data recovery agent for use with EFS.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings

Can be used to configure automatic certificate request settings for a specific certificate template for a domain by using the Automatic Certificate Request Setup Wizard. The request will be processed automatically at the first occurrence of any of the following: a user logs on, Group Policy is refreshed, or a computer joins the domain and is subject to a Group Policy setting.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

Can be used to add a new trusted root CA certificate to a Group Policy object (GPO) for a domain. For a root CA certificate to be imported, the root certificate must be in a PKCS #12 file, in a PKCS #7 file, or in binary-encoded X.509 v3 certificate files.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Enterprise Trust

Can be used to add a new enterprise trust policy to a GPO for a domain. You do this by using the Certificate Trust List Wizard to create a new CTL for the GPO or assigning an existing CTL to the GPO. Acceptable file formats from which you can import a certificate are:

  • X.509 v3 certificate files (.cer, .crt)

  • PKCS #7 files (.spc, .p7b)

  • Microsoft serialized certificate stores (.sst)

To find more information about these Group Policy settings, see “Group Policy Settings Reference” in the Tools and Settings Collection.