How Certificates Are Stored

Windows 2000 stores user certificates that contain the public keys in the Personal certificate store for the certificate owner's user account. A certificate provides assurance that the public key is bound to the specific subject (an individual or other entity) that owns the private key. Certificates are stored in plaintext because they are public information and they are digitally signed by certification authorities to protect against tampering. However, the private keys must be kept confidential so only the authorized owner has access to the private key.

Certificates are issued by certification authorities (CAs), which verify the identity of entities before issuing the certificates. EFS issues its own self-signed certificates if no CA is available. However, you can deploy Certificate Services to issue EFS certificates and provide the following benefits:

  • Central certificate management and the publication of certificate revocation lists

  • The ability to issue alternate recovery agent certificates to designated user accounts

Each user has a personal certificate store that contains certificates that are issued to that user. User certificates reside in Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates for each user profile. These certificates in the user profile are written to the user's personal store in the system registry each time the user logs on to the computer. For roaming profiles, the user's certificates are located on the domain controller, so the certificates follow users when they log on to different computers in the domain.

You can use the Certificates console, a snap-in to Microsoft Management Console (MMC), to view a user's personal certificate store. Figure 15.10 shows an example of a user's personal store. The certificate for EFS displays "Encrypting File System" in the Intended Purposes column. Because users can have more than one certificate that supports EFS user operations, multiple certificates can appear with "Encrypting File System" in the Intended Purposes column.

Figure 15.10 User Certificates in the Personal Certificate Store
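The Certificates console shows the Intended Purposes column by reading each certificate's Enhanced Key Usage extension. The following script is an added example, not part of the Resource Kit text, that does the same inventory from PowerShell on a current Windows system: it walks the user's Personal ("My") store, flags certificates whose EKU carries the Microsoft EFS OID (1.3.6.1.4.1.311.10.3.4) or the EFS File Recovery OID (1.3.6.1.4.1.311.10.3.4.1), records whether a private key is present, and checks whether a matching certificate file exists under the profile directory named in the text. The script assumes PowerShell's Cert: drive and the .NET X509 classes, and it assumes that the files in the Certificates folder are named by the certificate's SHA-1 thumbprint; the function name Get-EfsCertificateInventory is the example's own.

```powershell
# Added example (not from the Resource Kit): inventory the current user's
# Personal ("My") store and flag EFS and File Recovery certificates.
# OIDs are the Microsoft EKU values szOID_KP_EFS and szOID_EFS_RECOVERY.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery
$EkuExtOid   = '2.5.29.37'                 # id-ce-extKeyUsage

function Get-EfsCertificateInventory {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Pull the Enhanced Key Usage extension, if the certificate has one.
        $ekuExt = $cert.Extensions |
                  Where-Object { $_.Oid.Value -eq $EkuExtOid } |
                  Select-Object -First 1
        $ekus = @()
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                    ForEach-Object { $_.Value }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            EFS           = ($ekus -contains $EfsOid)       # "Encrypting File System"
            FileRecovery  = ($ekus -contains $RecoveryOid)  # "File Recovery"
            HasPrivateKey = $cert.HasPrivateKey             # public cert only, or usable key?
        }
    } | Where-Object { $_.EFS -or $_.FileRecovery }
}

# Per-user certificate files live under the profile path given in the text.
# Assumption: each file is named by the certificate's SHA-1 thumbprint, so the
# store entry and the on-disk file can be matched by thumbprint.
$certDir = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
$onDisk  = if (Test-Path $certDir) { (Get-ChildItem -Path $certDir -File).Name } else { @() }

Get-EfsCertificateInventory | ForEach-Object {
    $_ | Add-Member -NotePropertyName OnDisk `
                    -NotePropertyValue ($onDisk -contains $_.Thumbprint) -PassThru
} | Format-Table Subject, Thumbprint, NotAfter, EFS, FileRecovery, HasPrivateKey, OnDisk -AutoSize
```

The HasPrivateKey column is the practical distinction the text draws between the public certificate and the confidential private key: an entry with a private key can actually decrypt, whereas an entry without one (for example, a recovery agent's certificate distributed through policy) only identifies the key holder. Running the same function against `Cert:\LocalMachine\My` or a recovery agent's profile lets an administrator confirm that recovery private keys exist only where they are meant to.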

Recovery agent certificates appear in the personal certificate store for the recovery agent account. The recovery certificate displays "File Recovery" in the Intended Purposes column. Figure 15.11 shows an example of the personal certificate store for a recovery agent account.

Figure 15.11 Recovery Agent Certificates in the Personal Certificate Store

For more information about certificate stores and the Certificates console, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.

Recovery certificates also appear in the details pane of the Group Policy console (a snap-in to MMC) for the Encrypted Data Recovery Agents container, as shown in Figure 15.12. Multiple recovery certificates can appear when more than one recovery agent is designated.

Figure 15.12 Recovery Agent Certificates in Recovery Policy

For more information about how to access the Encrypted Data Recovery Agents container and Group Policy, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.