Windows - Common repository for digital certificates?

Here's how I think it works. Tell me if I'm wrong.

I go to amazon.com for the first time and buy some swim goggles. Amazon's site directs my browser to the certificate authority (CA), my browser pulls the Amazon certificate, and stores it in Windows Cert Manager.
I navigate to a client's site for the first time via Citrix. At some point during the process I again retrieve a certificate from a CA, and store it in the Windows Cert Manager.
Any time my Windows machine is involved in an SSL/TLS handshake, I'll eventually pull a certificate and store it in the Windows Cert Manager.

Is this accurate? All my digital certificates, whether they're obtained through Chrome, Firefox, IE, or another third-party tool, eventually end up in the common repository, Windows Cert Manager?

jdana asked:

Bembi (CEO) commented:
Not at all...
A web server which communicates via SSL (https) provides a certificate. This certificate is presented to the client, and the client now performs some checks on the cert.
A certificate contains some information: first of all a name, a thumbprint, some information about the issuer, links to revocation lists and a validity period.

So the client first checks the validity of the cert, which includes looking at the certificate chain (issuer) to make sure the cert is valid. Every certificate in the certificate chain is checked, either against the local certificate store or - if not present there - against the URLs stored in the cert. The validity dates are also checked, and the subject name in the certificate is compared with the URL you requested. If the certificate is valid, it is fine and can be used; in all other cases you get a warning message.

But what never happens is that a certificate is stored in the cert store on its own. If you want to have a certificate in your cert store, you have to actively save it there. What you need in your store is not the cert itself as provided by the web site; what you need are the root and intermediate certificates in the chain (all certs which are used to create this cert). If the cert chain is completely stored in your cert store, the client doesn't need to validate the cert chain over the internet.

The reason why you find a lot of certs in the trusted root cert store on the local machine is that Microsoft puts them in there, to avoid trusted certificates having to be validated over the internet all the time (which takes time).
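As an added illustration (not code from the thread or its participants), the PowerShell below performs the checks described in the answer above: it captures the leaf certificate a server presents during a TLS handshake, builds the chain with X509Chain so that issuers are resolved from the local stores first and from the certificate's own URLs otherwise, reports dates and the name the cert is issued for, and compares the Root/CA stores before and after to show that the connection itself saves nothing. The host name is a placeholder assumption.

```powershell
# Added example, not code from the thread. Host name is a placeholder; change it.
$HostName = 'www.example.com'

function Get-StoreThumbprints {
    # Snapshot of the trusted root and intermediate stores (user and machine).
    Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\CurrentUser\CA,
                        Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique
}
$before = Get-StoreThumbprints

# Open a TLS connection and capture the certificate the server presents.
# The callback accepts anything so we can inspect the cert; real validation follows below.
$client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($HostName)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# Build the chain the way Windows does: each issuer is looked up in the local stores
# and fetched from the URLs inside the certificate only if missing; revocation status
# and validity dates are checked along the way.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted = $chain.Build($leaf)

$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Subject    : $($leaf.Subject)"
"Issued for : $dnsName (requested: $HostName)"
"Valid      : $($leaf.NotBefore) to $($leaf.NotAfter)"
"Trusted    : $trusted"
foreach ($el in $chain.ChainElements) {
    $inStore = $before -contains $el.Certificate.Thumbprint
    '  {0,-55} already in local store: {1}' -f $el.Certificate.Subject, $inStore
}
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) $($s.StatusInformation.Trim())" }

# The server's own certificate is never written to a store by this connection; the only
# thing that can appear here is a Microsoft-distributed root added by Windows' root update.
$after = Get-StoreThumbprints
$added = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
           Where-Object SideIndicator -eq '=>')
"Store entries added during this check: $($added.Count)"
```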

Dave Baldwin (Fixer of Problems) commented:
And Firefox has its own root Certificate Store. It does not use the Windows storage that many other programs use.
jdana (Author) commented:
Thanks guys.