Windows Certificate Store

Add to Windows Certificate Store (Local Computer)

Plugin type: Store
Download: Built-in
Compatibility: Windows

Description

Saves certificates to the Windows Certificate Store. This plugin always imports into the Local Computer store. Refer to the User Store plugin if you want the certificate in the Current User store instead.

Compatibility

For best compatibility with legacy applications, the program attempts to store certificates with RSA keys using the Microsoft RSA SChannel Cryptographic Provider (a legacy CryptoAPI provider). If you require a more modern approach to key storage (CNG), refer to the UseNextGenerationCryptoApi setting listed below and its caveats.

Private key export

By default, private keys are not exportable. This can be changed globally via the settings, but we generally recommend against it, because 99% of use cases can be handled by adding another (additional) store step instead. If you are looking to move the certificate to another server, read more about migration to another server.

Command line

--store certificatestore    Activates the plugin.
--certificatestore          Saves the certificate in a specific store. By default it goes to the 'WebHosting' store on modern versions of Windows.
--keepexisting              While renewing, do not remove the previous certificate.
--acl-fullcontrol           List of additional principals (besides the owners of the store) that should get full control permissions on the private key of the certificate. Does not work when UseNextGenerationCryptoApi is set to true.
--acl-read                  List of additional principals (besides the owners of the store) that should get read permissions on the private key of the certificate. Does not work when UseNextGenerationCryptoApi is set to true.

Examples

Typical: --store certificatestore [--certificatestore My] [--keepexisting] [--acl-fullcontrol "network service,administrators"] [--acl-read "myapp"]

JSON

ID e30adc8e-d756-4e16-a6f2-450f784b1a97

Settings

Store.CertificateStore.DefaultStore The name of the certificate store to save the certificates in.

Type: string
Default: undefined (certificates will be installed either in the "WebHosting" store or, if that is not available, in the "My" store, better known in the Microsoft Management Console as "Personal")
Store.CertificateStore.PrivateKeyExportable If set to true, private keys stored in the Windows Certificate Store will be marked as exportable, allowing you to transfer them to other computers.

Note that this setting doesn't apply retroactively but only to certificates issued from the moment that setting has changed. For tips about migration please refer to this page.

Type: boolean
Default: false
Store.CertificateStore.UseNextGenerationCryptoApi If set to true, the program will use the Cryptography API: Next Generation (CNG) to handle private keys, instead of the legacy CryptoAPI.

Note that enabling this option may make the certificate unusable, or make it behave differently in subtle ways, for software that only supports CryptoAPI or assumes the key lives there. For example:

  • It will not (fully) work for older versions of Microsoft Exchange (this might only become apparent when installing a service pack)
  • It won't be exportable from the IIS Manager, even if PrivateKeyExportable is true (though it will be exportable from MMC).
  • --acl-read and --acl-fullcontrol will not work

Type: boolean
Default: false
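The --acl-read and --acl-fullcontrol options, PrivateKeyExportable and UseNextGenerationCryptoApi all change how the private key is held on disk, and the page gives no way to check the result. The following script is an added example written for this page by the editor; it is not part of simple-acme. It reports which provider holds the key (legacy CryptoAPI CSP or the CNG key storage provider), whether the key is exportable, and the NTFS ACL on the key file, and it includes a manual read grant for the CNG case where --acl-read does not apply. It assumes the certificate sits in LocalMachine\WebHosting with subject CN=www.example.com, that the key files live in the default machine-key folders under %ProgramData%\Microsoft\Crypto, and that it runs in an elevated PowerShell on the server holding the key; adapt those values to your environment.

```powershell
# Added example (editor's code, not part of simple-acme): report how a certificate
# installed by the certificatestore plugin holds its private key and who can read it.
# Run in an elevated PowerShell on the server that holds the key.
# Assumptions: the certificate is in LocalMachine\WebHosting and is identified by its
# subject; the key-file locations below are the defaults for machine keys.

function Get-StoreCertificate {
    param([string]$StoreName, [string]$Subject)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # Newest certificate with a private key that matches the subject.
        $store.Certificates |
            Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
    } finally {
        $store.Close()
    }
}

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key, e.g. "Microsoft RSA SChannel Cryptographic Provider" (the plugin default).
        $csp        = $rsa.CspKeyContainerInfo
        $provider   = $csp.ProviderName
        $exportable = $csp.Exportable
        $keyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (UseNextGenerationCryptoApi = true). PowerShell 7 also opens CryptoAPI keys
        # through CNG, so the provider name, not the .NET type, tells the two apart.
        $provider   = $rsa.Key.Provider.Provider
        $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        $subDir     = if ($provider -eq 'Microsoft Software Key Storage Provider') { 'Keys' } else { 'RSA\MachineKeys' }
        $keyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\$subDir\$($rsa.Key.UniqueName)"
    }
    else {
        throw "Unexpected private key type: $($rsa.GetType().FullName)"
    }
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Provider      = $provider
        IsCng         = ($provider -eq 'Microsoft Software Key Storage Provider')
        Exportable    = $exportable
        KeyFile       = $keyFile
        KeyFileExists = Test-Path -LiteralPath $keyFile   # assumed default location; verify it exists
    }
}

function Get-PrivateKeyAcl {
    # The NTFS ACL on the key file decides which accounts can use the key.
    param([string]$KeyFile)
    (Get-Acl -LiteralPath $KeyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Grant-PrivateKeyRead {
    # Manual equivalent of --acl-read for CNG keys, where the plugin option does not apply.
    param([string]$KeyFile, [string]$Principal)
    $acl  = Get-Acl -LiteralPath $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFile -AclObject $acl
}

$cert = Get-StoreCertificate -StoreName 'WebHosting' -Subject 'CN=www.example.com'   # assumed values
if (-not $cert) { throw 'No matching certificate with a private key was found.' }
$info = Get-PrivateKeyInfo -Cert $cert
$info | Format-List
if ($info.KeyFileExists) { Get-PrivateKeyAcl -KeyFile $info.KeyFile | Format-Table -AutoSize }
# For a CNG key, grant a service account read access by hand (uncomment to apply):
# Grant-PrivateKeyRead -KeyFile $info.KeyFile -Principal 'IIS AppPool\myapp'
```

A key whose Provider shows "Microsoft RSA SChannel Cryptographic Provider" is a CryptoAPI key and can be managed with --acl-read and --acl-fullcontrol; one showing "Microsoft Software Key Storage Provider" is a CNG key, for which the file-level grant above is the workaround. Exportable reflects the flag applied when the key was created, which is why changing PrivateKeyExportable only affects certificates issued afterwards.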

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.