Certificate Directory

A Windows public key infrastructure (PKI) saves certificates on the server that hosts the certification authority (CA) and on the local computer or device. CA storage is typically referred to as the certificate database, and local storage is known as the certificate store.

Certificate Database

When you add Certificate Services on a Windows server and configure a CA, a certificate database is created. By default, the database is contained in the %SystemRoot%\System32\Certlog folder, and the name is based on the CA name with an .edb extension. The database can contain:

  • Issued certificates
  • Revoked certificates
  • Archived private keys
  • Certificate requests

You cannot use the Certificate Enrollment API to manipulate the database. The enrollment process automatically creates the necessary entries.

Certificate Stores

Microsoft Certificate Services copies issued certificates and pending or rejected requests to local computers and devices. The storage location is called the certificate store and consists of the following logical stores.

Logical storeDescription


Contains certificates associated with a private key controlled by the user or computer.

Trusted Root Certification Authorities

Contains certificates from implicitly trusted certification authorities (CAs).

Enterprise Trust

Contains certificate trust lists typically used to trust self-signed certificates from other organizations.

Intermediate Certification Authorities

Contains certificates issued to subordinate CAs in the certification hierarchy.

Active Directory User Object

Contains the user object certificate or certificates published in Active Directory.

Trusted Publishers

Contains certificates from trusted CAs.

Untrusted Certificates

Contains certificates that have been explicitly identified as untrusted.

Third-Party Root Certification Authorities

Contains trusted root certificates from CAs outside the internal certificate hierarchy.

Trusted People

Contains certificates issued to users or entities that have been explicitly trusted.

Other People

Contains certificates issued to users or entities that have been implicitly trusted.

Certificate Enrollment Requests

Contains pending or rejected certificate requests.


You cannot use the Certificate Enrollment API to specify or retrieve store properties or copy certificates to specific stores.

Related topics

PKI Elements



Community Additions