I’ve always wondered. When you import a PKI certificate on a Windows system, you have several choices of where to store it:
- Trusted Root Certification Authorities
- Enterprise Trust
- Intermediate Certification Authorities
- Trusted Publishers
- Third Party Root Certification Authorities
All of these stores are duplicated between the user account and the machine account, and I understand the difference between those.
In practice, however, it does not seem to matter which location I choose; certs get trusted by applications regardless of where I put them.
Is there any functional difference between them? Why do we need so many?