Windows XP stores a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location is called the certificate store. A certificate store will often have numerous certificates, possibly issued by a number of different certification authorities.
Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy. (This is recommended for advanced users only.)
If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store. Additionally, if the private key associated with a certificate is marked as available for export, you can export both into a PKCS #12 file.
Windows can also publish certificates to Active Directory. Publishing a certificate in Active Directory enables all users or computers with adequate permissions to retrieve the certificate as needed.
Certificates can be displayed by purpose or by logical stores, as shown in the following table. Displaying certificates by logical stores is the Certificates default. (Note that the list of certificate purpose stores does not include all the possible purpose stores.)
Certificates associated with private keys to which you have access. These are the certificates that have been issued to you, or to the computer or service for which you are managing certificates.
Note to administrators: Computers in a Windows 2000 Active Directory domain can have certificates automatically placed in this store through the use of Group Policy-based autoenrollment. See Automatic certificate request settings.
Trusted Root Certification Authorities
Implicitly trusted certification authorities. Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft.
If you are an administrator and want to add third-party certification authority certificates to this store for all computers in a Windows 2000 Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization. See Trusted root certification authority policy.
A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. For more information about Enterprise trust, see Enterprise trust policy.
Intermediate Certification Authorities
Certificates issued to subordinate certification authorities.
Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.
Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services like Encrypting File System, where certificates are used for creating authorization for decrypting an encrypted file.
Certificates from certification authorities that are trusted by Software Restriction policies.
These are certificates that you have explicitly decided not to trust, either by using Software Restriction policy or by clicking "Do not trust this certificate" when the decision is presented to you in mail or a Web browser.
Third-Party Root Certification Authorities
Trusted root certificates from certification authorities other than Microsoft and your organization.
Certificate Enrollment Requests
Pending or rejected certificate requests.
Active Directory User Object
Certificates associated with your user object and published in Active Directory.
Certificates that server programs use to authenticate themselves to clients.
Certificates that client programs use to authenticate themselves to servers.
Certificates associated with key pairs used to sign active content.
Certificates associated with key pairs used to sign e-mail messages.
Encrypting File System
Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by the encrypting file system.
Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by the encrypting file system.
When you look at the contents of a certificate store in Logical Store mode, you will occasionally see what appear to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under a logical store, such as the Registry and Enterprise physical stores under the Trusted Root Certification Authorities logical store. When the contents of the physical certificate stores are combined into one logical store view, both instances of the same certificate are displayed.
You can verify this by setting the view option to show the physical certificate stores and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.
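The same check can be scripted. The following is an added example, not part of the original page: it lists certificates that appear in more than one physical store under the computer's Trusted Root Certification Authorities logical store. It assumes PowerShell 3.0 or later (not included with Windows XP), and the registry paths for the physical stores are assumptions that do not come from this page.

```powershell
# Registry keys assumed to back the physical stores of the computer's
# Trusted Root Certification Authorities logical store (not from the page).
# Each subkey under ...\Certificates is named after a certificate thumbprint.
$physicalStores = @{
    'Registry'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Third-Party'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# Collect one record per (physical store, thumbprint) pair.
$entries = foreach ($name in $physicalStores.Keys) {
    $path = $physicalStores[$name]
    if (-not (Test-Path -Path $path)) { continue }   # store absent on this machine
    foreach ($key in Get-ChildItem -Path $path) {
        [pscustomobject]@{ PhysicalStore = $name; Thumbprint = $key.PSChildName }
    }
}

# Index the combined logical view by thumbprint so each duplicate can be
# reported with its subject, issuer and serial number.
$logical = @{}
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
    $logical[$cert.Thumbprint] = $cert
}

# A thumbprint found in two or more physical stores is one certificate
# that the logical view displays more than once.
$entries | Group-Object -Property Thumbprint |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $cert = $logical[$_.Name]
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SerialNumber   = $cert.SerialNumber
            Thumbprint     = $_.Name
            PhysicalStores = ($_.Group.PhysicalStore | Sort-Object) -join ', '
        }
    } | Format-List
```

A serial number is unique only within one issuing certification authority, so read SerialNumber together with Issuer; a matching thumbprint confirms that the entries are the same certificate.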
For more information, see Generating encryption keys and certificate requests, Importing and exporting certificates, To display certificate stores in Purpose mode, To display certificate stores in Logical Store mode, To display archived certificates, To display certificate stores storage structure