Where are certificate private keys stored in Windows 7?
Using the certmgr.msc
utility, I can access the windows cert store, but I still can't figure out where Windows stores the private keys.
For example for a given certificate, Windows tells me that there is a private key associated with this certificate. But where I can I physically find it ?
The keys are stored via Microsoft's Cryptography API: Next Generation (CNG).
Storage locations:
- User private:
%APPDATA%\Microsoft\Crypto\Keys
- Local system private:
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys
- Local service private:
%WINDIR%\ServiceProfiles\LocalService
- Network service private:
%WINDIR%\ServiceProfiles\NetworkService
- Shared private:
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
Description:
CNG provides a model for private key storage that allows adapting to the current and future demands of creating applications that use cryptography features such as public or private key encryption, as well as the demands of the storage of key material. The key storage router is the central routine in this model and is implemented in Ncrypt.dll. An application accesses the key storage providers (KSPs) on the system through the key storage router, which conceals details, such as key isolation, from both the application and the storage provider itself. The following illustration shows the design and function of the CNG key isolation architecture.
Source
Note:
As noted by Tim G, the keys are not readable at file level because they are encrypted in the process of storing them via the CNG API.