PKI Proxy KSP - Other Certificate Stores

Requirements: PKI Proxy

Introduction

When adding a new key, the PKI Proxy Certificate Manager selects the Personal (MY) certificate store by default. However, some key providers such as Safenet Authentication Client also automatically deploy keys to the Personal certificate store, which can cause conflicts. You can avoid such conflicts by selecting a different certificate store when adding a certificate to the PKI Proxy KSP.

Selecting a Certificate Store

You can select which certificate store to add a certificate to by setting the Certificate Store field while adding a certificate. For example, you could set it to "Trusted People" instead of the default "My":

You would then select the certificate from that store using the normal method for your application. For example, to choose the certificate store that Microsoft SignTool will use, set the "/s" parameter to the name of the store:

signtool sign /fd sha256 /n "PKI Proxy Signing Cert" /s TrustedPeople /v /debug installer.exe

Creating and Using a Custom Certificate Store

If you would prefer, you can also create a custom certificate store to keep your PKI Proxy certificates in their own category. To do that, go to one of the following locations in the registry, right-click the SystemCertificates key, and add a new key with the name of the store you want to create:

For Machine-wide certificate stores: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

For User-specific certificate stores: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates

Once you've added that key, you should be able to pick the new custom certificate store when adding a certificate in the PKIProxy Certificate Manager. However, please note that not all applications support custom certificate stores. For example, you can use SignTool with the same command as above by simply replacing "TrustedPeople" with the custom certificate store's name, but the NuGet CLI only supports the default Windows Certificate stores.