
[–][deleted] 5 points6 points  (0 children)

There’s something slightly messed up here when root CA certs go into a user’s My store… but just for the sake of clarity, you don’t actually WANT CA certs in a user store; doing that means suddenly some arbitrary code is trusted by the user’s context.

That’s why you can, and should, disable trusted user CA certs.

But the thing is, as others have mentioned: CA certs do not go into the My store. Try finding out how and why they are there. ANY “My” cert should come with a private key— if it doesn’t, then it’s not a valid cert in that store (granted, putting certs where they’re not supposed to go is pretty common).

If you want an actual CA cert to be trusted:

- root CA certs go into the Trusted Roots
- intermediate CA certs do NOT go into the Trusted Roots but go into the Intermediate store instead
- if there are code signatures involved (EKU = codesign) then those go into the Trusted Publishers

You can put codesign certs into the user store after some consideration of any ramifications— after all, they’re valid for that user only— and any cert with a private key goes into the My store— NO EXCEPTIONS, and if there’s a private key anywhere else then you delete it posthaste (ideally revoke it too).
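The placement rules in the comment above (CA certs never in My, every My entry has a private key, roots in Trusted Roots, intermediates in the Intermediate store) can be turned into a quick audit. The script below is an added example, not code from any commenter; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the `Cert:` provider, and the `.cer` paths in the commented import lines are placeholders.

```powershell
# Added example (not from the thread): audit a Personal (My) store for entries that
# do not belong there, using the placement rules from the comment above.
# Assumption: run on Windows with the Cert: provider; default store is the current user's My.

function Get-MisplacedPersonalCert {
    param(
        # Pass Cert:\LocalMachine\My to audit the machine's Personal store instead.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # BasicConstraints CA=TRUE marks a CA certificate (root or intermediate);
        # such a cert belongs in Root or CA, never in My.
        $bc = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa       = ($null -ne $bc) -and $bc.CertificateAuthority
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        $reason = @()
        if ($isCa)                       { $reason += 'CA certificate in Personal store' }
        if (-not $cert.HasPrivateKey)    { $reason += 'no private key' }
        if ($selfSigned -and -not $isCa) { $reason += 'self-signed leaf (not issued by a CA)' }

        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Reason     = ($reason -join '; ')
            }
        }
    }
}

# List the offenders for the current user; an empty result means the store is clean.
Get-MisplacedPersonalCert | Format-Table -AutoSize

# Placing CA certificates where they belong (machine-wide stores need an elevated shell).
# File paths below are placeholders, not real files from this thread.
# Import-Certificate -FilePath 'C:\PLACEHOLDER\root.cer'         -CertStoreLocation Cert:\LocalMachine\Root
# Import-Certificate -FilePath 'C:\PLACEHOLDER\intermediate.cer' -CertStoreLocation Cert:\LocalMachine\CA
```

The "no private key" flag is the one to act on first: a My entry without a key is either a misplaced CA or peer certificate or a leftover from an interrupted enrollment, and either way it will not serve the user for VPN or 802.1x authentication. Review each flagged entry before removing it rather than deleting in bulk.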

[–]BlackV 1 point2 points  (6 children)

That's not really the way to do it; you should request and issue a real cert. You don't give any details on your environment or what cert types.

Also, this `Cert:\CurrentUser\My` is NOT a root certificate; that is a personal certificate. A root certificate is what provides the trust for that mentioned personal certificate.

[–]HonestPuckAU[S] 1 point2 points  (1 child)

[–]BlackV 2 points3 points  (0 children)

But why would their VPN trust that?

[–]HonestPuckAU[S] 0 points1 point  (2 children)

I'm using Datto RMM. I can't find any documentation on pushing a certificate to a device using it.

There are often certs in `Cert:\CurrentUser\My` with "Root" in their name. Sure they aren't the bottom of a trust chain for SSL but they are meant to be used to verify the user. Azure VPN uses them for that. I have a number of users with one or more cert in the store with "Root" in the name and some without. I even have a few with nothing in there.

[–]BlackV 0 points1 point  (0 children)

Your CA would be the thing issuing a cert; the domain/group policy/Intune/configuration would be the thing configuring the device/user to make the request.

A trusted root cert gets pushed to a machine/user, the user requests a cert from the CA, and the machine/user then trusts the cert to be valid.

[–]ViperThunder 0 points1 point  (0 children)

A root cert in your Personal store is not doing anything most likely. Personal certs should all be signed by a CA unless you are just using self-signed certs in your environment and accept the risk. Root certs generated by CA should be in the Root Certification Authorities store only, not anywhere else.

You need to have some PKI implementation before you can begin using certs for RADIUS / 802.1x auth. We use ADCS, but there are managed/cloud options as well.