Windows Certificate Store Scanner

The Windows Certificate Store Scanner enumerates certificates from the Windows CryptoAPI stores, covering both Local Machine and Current User locations.

It covers the Windows certificate store locations and their named stores, including personal certificates (My), trusted root CAs (Root), intermediate CAs (CA), and enterprise trust stores (Trust).

  1. Connects to the Windows CryptoAPI
  2. Opens each configured store location (LocalMachine, CurrentUser)
  3. Enumerates all certificates in each named store
  4. Extracts full X.509 certificate properties
  5. Records the store location and store name for each certificate

This scanner requires Windows and uses native CryptoAPI calls. It will not function on Linux or macOS.

```yaml
scanners:
  windows-certstore:
    - storeLocation: LocalMachine
      stores:
        - My
        - Root
        - CA
        - Trust
    - storeLocation: CurrentUser
      stores:
        - My
```

| Parameter | Required | Default | Description |
|---|---|---|---|
| storeLocation | Yes | | LocalMachine or CurrentUser |
| stores | Yes | | List of store names to scan |

Common store names:

| Store | Contents |
|---|---|
| My | Personal certificates (server certs, client certs) |
| Root | Trusted Root Certification Authorities |
| CA | Intermediate Certification Authorities |
| Trust | Enterprise Trust certificates |
| Disallowed | Untrusted/revoked certificates |

| Asset Type | What's Captured |
|---|---|
| certificate | subject, issuer, serialNumber, signatureAlgorithm, validity dates, keyUsage, SAN, store location, store name, has private key |
| public-key | Algorithm, key size (extracted from certificate) |

Certificates are deduplicated using SHA-256 of DER-encoded certificate bytes. If the same certificate exists in multiple stores (e.g., both LocalMachine\My and CurrentUser\My), it appears once in inventory with all store locations referenced.

  • Inventory all certificates on Windows servers, including IIS bindings and service certificates
  • Audit trusted root CAs — find unauthorized or outdated root certificates
  • Discover certificates with private keys that may need protection or rotation
  • Track enterprise CA certificates deployed via Group Policy
```json
{
  "type": "certificate",
  "fingerprint": "sha256:e5f6a7b8c9d0...",
  "subject": "CN=webserver.corp.example.com",
  "issuer": "CN=Corp Issuing CA, O=Example Corp",
  "serialNumber": "4a:00:00:0c:...",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidBefore": "2024-02-01T00:00:00Z",
  "notValidAfter": "2025-02-01T00:00:00Z",
  "hasPrivateKey": true,
  "keyUsage": ["digitalSignature", "keyEncipherment"],
  "san": ["webserver.corp.example.com"],
  "source": {
    "scanner": "windows-certstore",
    "storeLocation": "LocalMachine",
    "storeName": "My"
  }
}
```
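As an added example (not the scanner's own code), the enumeration, property extraction and SHA-256 deduplication described above, written in PowerShell against the built-in Cert: drive. The store list mirrors the YAML configuration, the output field names follow the example record, and the hashed bytes are the certificate's RawData (its DER encoding); the `sources` array is an assumption for how a certificate seen in several stores is represented.

```powershell
# Added example, not part of the scanner: enumerate configured stores, fingerprint
# each certificate by SHA-256 of its DER bytes, merge duplicates across stores.
$config = @(
    @{ storeLocation = 'LocalMachine'; stores = @('My', 'Root', 'CA', 'Trust') },
    @{ storeLocation = 'CurrentUser';  stores = @('My') }
)

$inventory = [ordered]@{}   # fingerprint -> inventory record
foreach ($entry in $config) {
    foreach ($storeName in $entry.stores) {
        $path = "Cert:\$($entry.storeLocation)\$storeName"
        if (-not (Test-Path $path)) { continue }        # store absent on this host
        foreach ($cert in Get-ChildItem -Path $path) {
            # RawData is the DER encoding; hashing it gives the dedup key.
            $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
            $fp = 'sha256:' + [System.BitConverter]::ToString($hash).Replace('-', '').ToLower()
            $source = @{ scanner = 'windows-certstore'; storeLocation = $entry.storeLocation; storeName = $storeName }
            if ($inventory.Contains($fp)) {
                # Same certificate already recorded from another store: reference this store too.
                $inventory[$fp].sources += $source
                continue
            }
            $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
            $inventory[$fp] = [ordered]@{
                type               = 'certificate'
                fingerprint        = $fp
                subject            = $cert.Subject
                issuer             = $cert.Issuer
                serialNumber       = $cert.SerialNumber
                signatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                notValidBefore     = $cert.NotBefore.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
                notValidAfter      = $cert.NotAfter.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
                hasPrivateKey      = $cert.HasPrivateKey
                keyUsage           = if ($ku)  { $ku.KeyUsages.ToString() } else { $null }
                san                = if ($san) { $san.Format($false) }     else { $null }
                sources            = @($source)
            }
        }
    }
}

# Records with more than one source are the cross-store duplicates the doc describes.
$inventory.Values | ConvertTo-Json -Depth 4
```

Run it in an elevated session to read LocalMachine stores; the `hasPrivateKey` field only reports that a key is associated, never the key material itself.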
