Pull from "Computer Certificates" instead of "User Certificates"

[Josh-Weston]

I read through the API documentation, but could not find an explicit mention of this. I am looking for a way to specify that the certificates should be pulled from the Local Computer's certificates instead of the Current User's certificates (see snapshot).

[ukoloff]

You are right:

Only current user certificates are accessible using this method, not the local machine store.

(see the whole story).

I hope, the way to fetch computer's certificates exists. But should we mess with it?

For example, on my computer there are 59 User certificates and 58 Computer ones. I doubt someone ever installed 58 certificates into my user account. Not me. So, I think, Computer certificates are automagically included into User list by M$. Or not?

[joper30]

is possible read private key?

[ukoloff]

@joper30 It is theoretically possible, but clearly beyond of scope of win-ca. One needs more powerful tool for this purpose.

[joper30]

@joper30 It is theoretically possible, but clearly beyond of scope of win-ca. One needs more powerful tool for this purpose.

ohh, please , references?

[joper30]

please , is posible sign with certificate win-ca ?

[ukoloff]

I think, the easiest way is to use edge and run C# or PowerShell script to fetch private key (MSDN provides a log of examples). Unfortunately, edge seems unsupported but a fork exist, may be it works.

[macpraveen]

Is it possible to use this method to open local machine computer certificates ?
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore

Thanks

[sebastianfrey]

When running win-ca in an environment where the executing user is a System user, win-ca fails to pull the self signed certificates, since they are available through the System Certificates store and not the User Certificates store. In enterprise environments it is common practice, that services are executed as System user. So indeed it would be nice, to have the ability to specify from which store win-ca should read.