Do userCertificate, userSMIMECertificate, and userPKCS12 store the user's public or private key?
Michael Luich wrote:
> Do userCertificate, userSMIMECertificate, and userPKCS12 store the user's public or private key?
'userCertificate' is used solely to store the raw X.509 public-key cert.
'userSMIMECertificate' was meant to store a PKCS#7 blob signed by the entity itself with the entity's X.509 public-key cert attached. It was possible for an end-user with Netscape Communicator 4.x to send such a PKCS#7 blob to an LDAP directory. I don't know any deployment which does that today.
'userPKCS12' contains a PKCS#12 blob which, besides a cert chain, potentially contains the entity's private key, hopefully all encrypted with a passphrase. Again: I don't know any deployment which does that. Maybe in some Windows/AD environment. However, this could be helpful, e.g., in a webmail deployment together with S/MIME support.
Ciao, Michael.
openldap-technical@openldap.org
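The distinction drawn in the reply above can be checked on real attribute values when auditing a directory for stored key material. The following is an added example, not part of the original thread: a heuristic classifier that looks only at the outer DER structure of a value. It assumes the values are raw DER (not PEM or base64), and the function names and the skeleton sample blobs are constructed for illustration.

```python
# Added example: classify a DER blob as X.509 cert, PKCS#7 SignedData or PKCS#12.
# Only the outer structure is inspected; no signature, MAC or chain is verified.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify(blob):
    try:
        tag, body, _ = read_tlv(blob)
        if tag != 0x30:                     # all three formats start with a SEQUENCE
            return "unknown"
        first_tag, first_val, _ = read_tlv(body)
    except (ValueError, IndexError):
        return "unknown"
    if first_tag == 0x30:                   # Certificate: tbsCertificate SEQUENCE first
        return "x509-certificate"
    if first_tag == 0x06 and first_val == SIGNED_DATA_OID:
        return "pkcs7-signed-data"          # ContentInfo carrying signedData
    if first_tag == 0x02 and first_val == b"\x03":
        return "pkcs12"                     # PFX: version INTEGER 3 first
    return "unknown"

def may_hold_private_key(blob):
    """Of the three formats, only a PKCS#12 container can carry a private key."""
    return classify(blob) == "pkcs12"

def tlv(tag, value=b""):
    """Encode a short (<128 byte) DER element; used only for the constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed skeleton blobs (structure only, not valid certificates or keystores).
SAMPLES = {
    "userCertificate": tlv(0x30, tlv(0x30) + tlv(0x30) + tlv(0x03, b"\x00")),
    "userSMIMECertificate": tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30))),
    "userPKCS12": tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30)),
}

if __name__ == "__main__":
    for attr, blob in SAMPLES.items():
        print(attr, classify(blob), "private key possible:", may_hold_private_key(blob))
```

A value classified as `pkcs12` deserves review of who can read the attribute, since its confidentiality rests on the passphrase alone.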