Microsoft SDK for Java

MakeCTL

The MakeCTL utility creates a certificate trust list (CTL) and saves the encoded CTL to a certificate store or to a file. MakeCTL is only supported with Microsoft® Internet Explorer 4.0 or later. A CryptoAPI Tool wizard is available with Internet Explorer 5.0 or later and Microsoft® Windows NT® version 4.0 SP4 or later.

The input to MakeCTL is an array of certificate stores. MakeCTL builds a CTL that includes the SHA1 hash of all of the certificates in the certificate stores. A certificate store can be one of the following:

MakeCTL [-u subjectUsageID] [-s [-r registryLocation]]
     store1 [-s [-r registryLocation]] store2 … [-s [-r registryLocation]]
     storeN output.stl

store1...storeN

Names of the certificate stores for which to make the certificate trust list.

output.stl

Name of the output file to contain the CTL.

For the latest documentation on MakeCTL, see the CryptoAPI Tools section of the MSDN™ Library.

For more information on application security, see the Platform SDK, Security section of the MSDN™ Library.

Options

-u subjectUsageID

CTL subject usage identifier. The default identifier, 1.3.6.1.4.1.311.2.2.1, defined as szOID_TRUSTED_CODESIGNING_CA_LIST in Wintrust.h, specifies that the CTL consists of root CAs for code signing. It can be any enhanced key usage object identifier (OID).

-s

Indicates that the certificate store is a system store.

-r registryLocation

Registry location of the system certificate store. Meaningful only when -s is set. Must be set to either currentUser (registry key HKEY_CURRENT_USER) or localMachine (registry key HKEY_LOCAL_MACHINE). The default setting is currentUser.

-?

Lists command syntax and options.

Note   An encoded CTL file must be signed before using. CTL files can be signed using the SignCode utility. Once the CTL file is signed, it can be moved to the trust system store by CertMgr. CertMgr can also move the CTL's signed certificate to the Root store. If the subject usage identifier of the CTL is szOID_TRUSTED_CODESIGNING_CA_LIST (the default), all the files signed by certificates in the CTL will be trusted by ChkTrust and Microsoft® Authenticode™.
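
Because the CTL lists every certificate in the input stores, a store is worth reviewing before MakeCTL is run on it. The following PowerShell script is an added example, not part of the SDK documentation: it prints the SHA-1 hash, subject and expiry of each certificate in a system store, marks entries that deserve a second look, and ends with the MakeCTL command line for that store. The store name Root, the parameter names and the review checks are assumptions, as is the premise that the hash MakeCTL records is the SHA-1 of the encoded certificate.

```powershell
# Added example (not from the SDK): list what a system store would put in a CTL.
param(
    [ValidateSet('currentUser', 'localMachine')]
    [string]$RegistryLocation = 'currentUser',     # MakeCTL's -r default
    [string]$StoreName = 'Root',                   # assumption: store to review
    [string]$UsageOid  = '1.3.6.1.4.1.311.2.2.1',  # MakeCTL's -u default
    [string]$Output    = 'output.stl'
)

$codeSigning = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU
$now  = Get-Date
$sha1 = [System.Security.Cryptography.SHA1]::Create()

$rows = foreach ($cert in Get-ChildItem -Path "Cert:\$RegistryLocation\$StoreName") {
    # SHA-1 over the encoded certificate; .NET exposes the same value as Thumbprint.
    $hash = [BitConverter]::ToString($sha1.ComputeHash($cert.RawData)) -replace '-', ''

    # Collect EKU OIDs; a certificate with no EKU extension is unrestricted.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $flags = @()
    if ($cert.NotAfter  -lt $now) { $flags += 'expired' }
    if ($cert.NotBefore -gt $now) { $flags += 'not yet valid' }
    if ($UsageOid -eq '1.3.6.1.4.1.311.2.2.1' -and $ekus.Count -gt 0 -and
        $ekus -notcontains $codeSigning) { $flags += 'EKU excludes code signing' }

    [pscustomobject]@{
        SHA1     = $hash
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Review   = $flags -join '; '
    }
}
$sha1.Dispose()

$rows | Sort-Object Subject | Format-Table -AutoSize -Wrap
"{0} certificates; {1} flagged for review" -f @($rows).Count, @($rows | Where-Object Review).Count

# Command line for this store, following the syntax shown on this page.
"MakeCTL -u $UsageOid -s -r $RegistryLocation $StoreName $Output"
```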


Built on Wednesday, May 12, 1999

© 1999 Microsoft Corporation. All rights reserved. Terms of use.