There's a good discussion here, which will be easier to understand if you have a background in the PE file format (there's a good intro here), but to summarise:
- There's a pointer at offset 24 in the file header to the PE header
- The PE header is 116 bytes long and is immediately followed by the data directory
- There's a pointer at offset 32 of the data directory to the start of the security data
- The security data is an array of resource objects, each of which contains an ASN.1 encoded certificate
- The resource object consists of a length field (4 bytes), a version number (2 bytes), a certificate type field (2 bytes), then the raw data of the certificate
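The walk described in the list, as an added Python example (it is not code from the linked discussion or from the answer above): it locates the certificate table from the header fields and then iterates the WIN_CERTIFICATE array, returning each entry's revision, type and raw certificate bytes. The input it parses is a constructed minimal PE32 image with placeholder certificate bytes, not a real signed binary; the offsets it uses are the Microsoft-documented ones (e_lfanew at DOS header offset 0x3C, data directories at optional-header offset 96 for PE32 and 112 for PE32+, the security directory as entry index 4, i.e. offset 32 into the directory). Two details worth checking in any parser of this table: the security directory's address field is a raw file offset rather than an RVA, because the table is never mapped into memory, and each entry's dwLength counts its own 8-byte header, with entries padded to 8-byte boundaries.

```python
"""Locate and walk the Authenticode certificate table (WIN_CERTIFICATE array) of a PE file.

Added example: DOS header -> "PE\0\0" -> IMAGE_FILE_HEADER -> optional header
-> data directory[4] (IMAGE_DIRECTORY_ENTRY_SECURITY) -> WIN_CERTIFICATE entries.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if the image is unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    # e_lfanew: file offset of the "PE\0\0" signature, stored at DOS header offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4                 # IMAGE_FILE_HEADER (20 bytes) follows the signature
    (size_of_opt,) = struct.unpack_from("<H", pe, file_hdr + 16)
    opt = file_hdr + 20                     # IMAGE_OPTIONAL_HEADER starts here
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                      # PE32: 96 bytes of standard fields
        dd_base, (n_dirs,) = opt + 96, struct.unpack_from("<I", pe, opt + 92)
    elif magic == 0x20B:                    # PE32+: 112 bytes of standard fields
        dd_base, (n_dirs,) = opt + 112, struct.unpack_from("<I", pe, opt + 108)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                         # directory too short to hold a security entry
    entry = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY   # 32 bytes into the data directory
    if entry + 8 > opt + size_of_opt:
        raise ValueError("data directory extends past the optional header")
    off, size = struct.unpack_from("<II", pe, entry)
    if off == 0 or size == 0:
        return None                         # no Authenticode signature present
    # This field is a raw file offset, not an RVA: the certificate table is never mapped.
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return off, size


def win_certificates(pe: bytes):
    """Return [(revision, cert_type, raw_cert_bytes), ...] for every WIN_CERTIFICATE entry."""
    loc = security_directory(pe)
    if loc is None:
        return []
    off, size = loc
    end = off + size
    out = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % off)
        out.append((revision, cert_type, pe[off + 8:off + length]))
        off += (length + 7) & ~7            # dwLength includes the header; entries are 8-byte aligned
    return out


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with two placeholder WIN_CERTIFICATE entries (not a real binary)."""
    certs = [b"\x30\x03\x02\x01\x05", b"\x30\x00"]   # placeholder DER-looking bytes, not real signatures
    table = b""
    for c in certs:
        entry = struct.pack("<IHH", 8 + len(c), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + c
        table += entry + b"\0" * ((-len(entry)) % 8)
    e_lfanew, opt_size = 0x40, 224
    table_off = e_lfanew + 4 + 20 + opt_size
    table_off += (-table_off) % 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, table_off, len(table))
    image = dos + b"PE\0\0" + file_hdr + bytes(opt)
    return image + b"\0" * (table_off - len(image)) + table


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for rev, ctype, cert in win_certificates(data):
        print("revision=0x%04x type=0x%04x cert_len=%d" % (rev, ctype, len(cert)))
```

Run it with a path to a signed binary to list its certificate entries, or with no argument to parse the constructed sample. The raw bytes it returns for a `WIN_CERT_TYPE_PKCS_SIGNED_DATA` entry are the DER-encoded PKCS#7 SignedData blob; decoding that ASN.1 is a separate step.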