I made a self-signed certificate like so on Windows 10:
$MasterKeyDNSName = 'CN=Always Encrypted Sample'
Write-Host "Creating Self Signed Certificate $($MasterKeyDNSName)"
$Cert = New-SelfSignedCertificate `
-Subject $MasterKeyDNSName `
-CertStoreLocation Cert:\CurrentUser\My `
-KeyExportPolicy Exportable `
-Type DocumentEncryptionCert `
-KeyUsage DataEncipherment `
-KeySpec KeyExchange
$CmkPath = "Cert:\CurrentUser\My\$($cert.ThumbPrint)"
Write-Verbose "Column Master Key Certificate Path: $($CmkPath)"
The cert had a thumbprint of B91A912CF632575F784CDE485DA37AB2F23DB6BA and appeared in the registry under HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\B91A912CF632575F784CDE485DA37AB2F23DB6BA.
From PowerShell I could access it via both Cert:\CurrentUser\My\B91A912CF632575F784CDE485DA37AB2F23DB6BA and Cert:\CurrentUser\CA\B91A912CF632575F784CDE485DA37AB2F23DB6BA.
According to the Microsoft docs, the My folder uses the .Default store and the CA folder uses the .Default, GroupPolicy and .LocalMachine physical stores.
Is My like a symlink and CA is the authoritative location?
The My and CA stores are indeed different.
If you opened MMC certmgr, you would see that My is Personal and CA is Intermediate Certification Authorities.
This command:
will generate a certificate in 3 stores (unless your current path is Cert:\CurrentUser or Cert:\CurrentUser\My):
The only reason for such undocumented behavior I could see is a clumsy attempt to make the self-signed certificate valid immediately when generated.
If, instead of CA, the generated certificate was automatically posted into the Root store (which is Trusted Root Certificate Authorities), that goal would be accomplished. Maybe a developer creating the New-SelfSignedCertificate code was confused by the store name CA, because everywhere CA is Certificate Authority, and only there it is Intermediate Certificate Authority.
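An added example (not part of the question or answer above) that checks the point made in this answer: it looks up one thumbprint in the CurrentUser My, CA and Root stores, shows that the copies are separate objects rather than links, optionally deletes the stray CA copy while leaving My intact, and lists any other self-signed certificates sitting in the Intermediate CA store. The default thumbprint is the one from the question; the `-RemoveFromCA` switch and the function name are this example's own.

```powershell
# Added example, not code from the original post.
# Locates every copy of a certificate by thumbprint across the CurrentUser
# stores and, on request, removes the copy that landed in Intermediate CAs (CA).
param(
    [string]$Thumbprint = 'B91A912CF632575F784CDE485DA37AB2F23DB6BA',  # from the question
    [switch]$RemoveFromCA
)

function Find-CertCopies {
    param([string]$Thumbprint)
    # Stores checked: Personal (My), Intermediate CAs (CA), Trusted Roots (Root)
    foreach ($store in 'My', 'CA', 'Root') {
        $path = "Cert:\CurrentUser\$store\$Thumbprint"
        if (Test-Path $path) {
            $c = Get-Item $path
            [pscustomobject]@{
                Store      = $store
                SelfSigned = ($c.Subject -eq $c.Issuer)
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
            }
        }
    }
}

$copies = Find-CertCopies -Thumbprint $Thumbprint
$copies | Format-Table -AutoSize

# A column master key certificate belongs in Personal (My), next to its private key.
# The CA copy is an independent object, not a symlink: removing it does not touch My.
if ($RemoveFromCA -and ($copies.Store -contains 'CA')) {
    Remove-Item "Cert:\CurrentUser\CA\$Thumbprint"
    $stillInMy = Test-Path "Cert:\CurrentUser\My\$Thumbprint"
    Write-Host "Removed copy from Cert:\CurrentUser\CA; copy in My still present: $stillInMy"
}

# Audit: other self-signed certificates that ended up in the Intermediate CA store
Get-ChildItem Cert:\CurrentUser\CA |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Thumbprint, Subject, NotAfter
```

Run it once without the switch to see which stores hold the certificate, then with `-RemoveFromCA` if the Intermediate CA copy is unwanted.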