Creating, Signing, and Storing a CTL

The following procedures create a signed certificate trust list (CTL) and save it to a certificate store.

To create and sign a CTL

  1. Create an array of items to be stored in the CTL. In the case of trusted certificates, these must be the SHA-1 or MD5 hashes of the trusted certificates, one CTL_ENTRY per certificate. SHA-1 is the usual choice; MD5 is still accepted by the API but is no longer a collision-resistant identifier for a certificate.
  2. Initialize a CTL_INFO structure that includes the array of items just created. Its SubjectAlgorithm must name the hash algorithm used for the entries.
  3. Initialize a CMSG_SIGNED_ENCODE_INFO structure with at least one signer (a CMSG_SIGNER_ENCODE_INFO that carries the signer's certificate information and private key handle).
  4. Call CryptMsgEncodeAndSignCTL. This function writes a signed, encoded CTL (a PKCS #7 signed message) that contains the list of items created in step 1 into a caller-supplied buffer; call it first with a NULL buffer to get the required size, then again with a buffer of that size.

To add a CTL to a certificate store

  1. Get a pointer to a signed and encoded CTL, such as the buffer produced by the previous procedure.
  2. Open the target certificate store with a call to CertOpenStore.
  3. Call CertAddEncodedCTLToStore, passing the encoded CTL, its length, and an add disposition (for example, CERT_STORE_ADD_REPLACE_EXISTING).
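The two procedures above, carried through as one program. This is an added example, not code from the original page or from Microsoft. It assumes a signer certificate with subject "CTL Signer" and a certificate to be trusted with subject "Trusted Issuer", both in the current user's MY store, and it writes the CTL into the current user's Trust store; the usage OID (server authentication) and the SHA-256 signature hash are also assumptions. Only the small helper that maps the hash length to the CTL_INFO SubjectAlgorithm OID is portable; everything under `_WIN32` requires Windows and links against crypt32.lib.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Step 1 check: a CTL entry for a trusted certificate is its SHA-1 (20-byte)
 * or MD5 (16-byte) hash, and CTL_INFO.SubjectAlgorithm must name that same
 * algorithm. Returns the matching OID, or NULL for any other length. */
const char *ctl_subject_algorithm_oid(size_t hash_len)
{
    if (hash_len == 20) return "1.3.14.3.2.26";       /* szOID_OIWSEC_sha1 */
    if (hash_len == 16) return "1.2.840.113549.2.5";  /* szOID_RSA_MD5 */
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

#define ENCODING (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING)

static int fail(const char *what)
{
    fprintf(stderr, "%s failed: 0x%08lx\n", what, GetLastError());
    return 1;
}

int main(void)
{
    /* Assumed: both certificates are in the current user's MY store and the
     * signer has a usable private key. */
    HCERTSTORE hMy = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0,
                                   CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
    if (!hMy) return fail("CertOpenStore(MY)");
    PCCERT_CONTEXT signer = CertFindCertificateInStore(hMy, ENCODING, 0,
                                CERT_FIND_SUBJECT_STR_W, L"CTL Signer", NULL);
    PCCERT_CONTEXT trusted = CertFindCertificateInStore(hMy, ENCODING, 0,
                                CERT_FIND_SUBJECT_STR_W, L"Trusted Issuer", NULL);
    if (!signer || !trusted) return fail("CertFindCertificateInStore");

    /* Step 1: the array of items, here a single SHA-1 certificate hash. */
    BYTE hash[20];
    DWORD hashLen = sizeof hash;
    if (!CertGetCertificateContextProperty(trusted, CERT_SHA1_HASH_PROP_ID, hash, &hashLen))
        return fail("CertGetCertificateContextProperty");
    CTL_ENTRY entry;
    memset(&entry, 0, sizeof entry);
    entry.SubjectIdentifier.cbData = hashLen;
    entry.SubjectIdentifier.pbData = hash;

    /* Step 2: CTL_INFO wrapping the entries. The usage OID is an assumption. */
    LPSTR usages[] = { szOID_PKIX_KP_SERVER_AUTH };
    CTL_INFO ctl;
    memset(&ctl, 0, sizeof ctl);
    ctl.dwVersion = CTL_V1;
    ctl.SubjectUsage.cUsageIdentifier = 1;
    ctl.SubjectUsage.rgpszUsageIdentifier = usages;
    ctl.SubjectAlgorithm.pszObjId = (LPSTR)ctl_subject_algorithm_oid(hashLen);
    GetSystemTimeAsFileTime(&ctl.ThisUpdate);
    ctl.cCTLEntry = 1;
    ctl.rgCTLEntry = &entry;

    /* Step 3: CMSG_SIGNED_ENCODE_INFO with one signer. CRYPT_ACQUIRE_CACHE_FLAG
     * ties the key handle to the cert context, so freeing the context frees it. */
    HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hKey = 0;
    DWORD keySpec = 0;
    BOOL callerFree = FALSE;
    if (!CryptAcquireCertificatePrivateKey(signer, CRYPT_ACQUIRE_CACHE_FLAG, NULL,
                                           &hKey, &keySpec, &callerFree))
        return fail("CryptAcquireCertificatePrivateKey");
    CMSG_SIGNER_ENCODE_INFO si;
    memset(&si, 0, sizeof si);
    si.cbSize = sizeof si;
    si.pCertInfo = signer->pCertInfo;
    si.hCryptProv = hKey;            /* CAPI or CNG handle, per keySpec */
    si.dwKeySpec = keySpec;
    si.HashAlgorithm.pszObjId = szOID_NIST_sha256;
    CERT_BLOB signerBlob = { signer->cbCertEncoded, signer->pbCertEncoded };
    CMSG_SIGNED_ENCODE_INFO sei;
    memset(&sei, 0, sizeof sei);
    sei.cbSize = sizeof sei;
    sei.cSigners = 1;
    sei.rgSigners = &si;
    sei.cCertEncoded = 1;            /* embed the signer cert for verifiers */
    sei.rgCertEncoded = &signerBlob;

    /* Step 4: size query first, then the real encode-and-sign call. */
    DWORD cb = 0;
    if (!CryptMsgEncodeAndSignCTL(ENCODING, &ctl, &sei, 0, NULL, &cb))
        return fail("CryptMsgEncodeAndSignCTL(size)");
    BYTE *pb = (BYTE *)LocalAlloc(LPTR, cb);
    if (!pb || !CryptMsgEncodeAndSignCTL(ENCODING, &ctl, &sei, 0, pb, &cb))
        return fail("CryptMsgEncodeAndSignCTL");

    /* Second procedure: open the Trust store and add the encoded CTL. */
    HCERTSTORE hTrust = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0,
                                      CERT_SYSTEM_STORE_CURRENT_USER, L"Trust");
    if (!hTrust) return fail("CertOpenStore(Trust)");
    if (!CertAddEncodedCTLToStore(hTrust, ENCODING, pb, cb,
                                  CERT_STORE_ADD_REPLACE_EXISTING, NULL))
        return fail("CertAddEncodedCTLToStore");
    printf("stored a %lu-byte signed CTL\n", (unsigned long)cb);

    CertCloseStore(hTrust, 0);
    LocalFree(pb);
    CertFreeCertificateContext(trusted);
    CertFreeCertificateContext(signer);
    CertCloseStore(hMy, 0);
    return 0;
}
#endif
```

Two details matter for anything that later consumes the CTL: the signer certificate is embedded in the PKCS #7 message (cCertEncoded/rgCertEncoded) so a verifier can locate it without a separate store lookup, and the SubjectAlgorithm OID is derived from the hash length rather than hard-coded, which keeps step 1 and step 2 consistent if the entries are switched to MD5.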