What is the difference between the certificate containers in Windows?


I’ve always wondered. When you import a PKI certificate on a Windows system, you have several choices of where to store it:

  • Personal
  • Trusted Root Certification Authorities
  • Enterprise Trust
  • Intermediate Certification Authorities
  • Trusted Publishers
  • Third Party Root Certification Authorities
  • Etc.

All of these stores are duplicated between the user account and the machine account, and I understand the difference between those.

In practice, however, it does not seem to matter which location I choose; certs get trusted by applications regardless of where I put them.

Is there any functional difference between them? Why do we need so many?