On a Windows machine, we can find users’ certificates stored in files in C:\Users\<USER>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates (i.e. %APPDATA%\Microsoft\SystemCertificates\My\Certificates). These files have seemingly random names (e.g. “3B86DFC25CFB1B47EB4CBF53FD4028239D0C690E”) and no extension. What is their format? How can we open them in code, and with which Windows APIs? 🤔
Let me spoil the answers for you right away, including code samples, and then I’ll describe what I tried and what I learned 💡
➡️ Find this article on Tenable’s TechBlog: How to read Windows serialized certificates (with code sample)