Where are ie certificates stored

where are ie certificates stored

Manage Certificates and Certificate Stores A digital certificate is a data structure that stores someone's personal information such as a name or email address, together with this person's public key. This data is signed by a certification authority (CA) who issued the certificate.

A certificate can exist in a file or certificate store in the system registry.

It is highly recommended that you install the CertMgr.exe application as it will make the debugging of certificate-related applications easier. CertMgr.exe is included in the Microsoft Platform SDK CD ROM. If you are running IE 5.0, CertMgr.exe is already installed on your machine. To invoke it, open IE 5.0, go to Tools/Internet Options, select the Content tab and click the "Certificates" button.

Opening a Certificate Store Certificates stores are kept in the system registry under the keys HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates and HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates.

Each user has a MY certificate store which contains his/her personal certificates. The ROOT store contains certificates of the most trusted certification authorities. The CA store contains less frequently used certification authorities. The AddressBook store contains other people's certificates.

In AspEncrypt, a certificate store is represented by the CryptoStore object. An instance of this object is created via CryptoManager's OpenStore method, as follows:

Set Store = CM.OpenStore("MY", False )

The OpenStore method accepts two arguments: the name of the store and a flag specifying whether the store is located under the HKEY_LOCAL_MACHINE (if set to True ) or HKEY_CURRENT_USER (if set to False) section of the system registry. The following rule of thumb applies in most cases: if you are using AspEncrypt in a stand-alone application (such as a VB program) you should specify False for the second parameter. If AspEncrypt is used from an ASP or ISAPI application, you should specify True.

If the store name passed as the first parameter does not exist, the method will create it.

In an ASP environment, if anonymous access is enabled, an attempt to open a store will probably result in an Access Denied error. To avoid this error, impersonation of an admin account should be used, as follows:


Set CM = Server.CreateObject("Persits.CryptoManager")

CM.LogonUser "domainname", "adminuser",


Set Store = CM.OpenStore("MY", True)


For the LogonUser method to work successfully, the current user must have the "Act as Part of Operating System" privilege.

Enumerating Certificates in a Store

The CryptoStore object has a property, Store.Certificates. which returns the collection of CryptoCert objects which represent certificates residing in this store. The following code snippet enumerates all certificates in the ROOT store of the HKLM section of the registry:

Set Store = CM.OpenStore("ROOT", True)

For Each Cert in Store.Certificates

Response.Write Cert.Subject.Name & "<P>"



A more complete certificate store example can be found in the file Samples\cert_stores\certs.asp of the installation.

Examining Certificates using CertMgr.exe Run CertMgr.exe (included with IE 5.0 or available from Microsoft Platform SDK.) You will see a screen similar to this:

If you double-click on one of the certificates in the list, the certificate property sheet comes up:

Obtaining an Instance of the CryptoCert Object AspEncrypt provides the CryptoCert object to represent a certificate. There is a number of ways to obtain an instance of the CryptoCert object. We have already learned how to use the CryptoStore.Certificates collection to enumerate all certificates in a store. The Certificates collection also allows you to obtain individual certificate objects as well.

Just like any COM collection, Store.Certificates supports a default Item property which accepts an integer or string index. The string index specifies a certificate's serial number as displayed by the certificate property sheet shown above. For example, to obtain a CryptoCert object representing the Thawte Freemail Member certificate shown on the screenshot above, we can say:

Set CM = Server.CreateObject("Persits.CryptoManager")

Set Store = CM.OpenStore("MY", False)

Set Cert = Store.Certificates.Item("012E 78") ' Paste Serial Number here

Set Cert = Store.Certificates("012E78") ' No spaces is OK too

A CryptoCert object can also be created from a certificate stored in a file. There are two most commonly used file formats for storing certificates: DER-Encoded X.509 (.cer or .crt) and Cryptographic Message Syntax Standard PKCS #7 (.p7b). The DER-Encoded format can be in the binary or Base64-encoded form.

Source: www.aspencrypt.com

Category: Insurance

Similar articles: