The MakeCTL utility creates a certificate trust list (CTL) and saves the encoded CTL to a certificate store or to a file. MakeCTL is only supported with Microsoft® Internet Explorer 4.0 or later. A CryptoAPI Tool wizard is available with Internet Explorer 5.0 or later and Microsoft® Windows NT® version 4.0 SP4 or later.
The input to MakeCTL is an array of certificate stores. MakeCTL builds a CTL that includes the SHA1 hash of all of the certificates in the certificate stores. A certificate store can be one of the following:
MakeCTL [-u subjectUsageID] [-s [-r registryLocation]] store1 [-s [-r registryLocation]] store2 … [-s [-r registryLocation]] storeN output.stl
store1...storeN
Names of the certificate stores for which to make the certificate trust list.
output.stl
Name of the output file to contain the CTL.
For the latest documentation on MakeCTL, see the CryptoAPI Tools section of the MSDN Library.
For more information on application security, see the Platform SDK, Security section of the MSDN Library.
| Option | Description |
| --- | --- |
| -u subjectUsageID | CTL subject usage identifier. The default identifier, 1.3.6.1.4.1.311.2.2.1, defined as szOID_TRUSTED_CODESIGNING_CA_LIST in Wintrust.h, specifies that the CTL consists of root CAs for code signing. It can be any enhanced key usage object identifier (OID). |
| -s | Indicates that the certificate store is a system store. |
| -r registryLocation | Registry location of the system certificate store. Meaningful only when -s is set. Must be set to either currentUser (registry key HKEY_CURRENT_USER) or localMachine (registry key HKEY_LOCAL_MACHINE). The default setting is currentUser. |
| -? | Lists command syntax and options. |
Note: An encoded CTL file must be signed before use. CTL files can be signed using the SignCode utility. Once the CTL file is signed, it can be moved to the trust system store by CertMgr. CertMgr can also move the CTL's signed certificate to the Root store. If the subject usage identifier of the CTL is szOID_TRUSTED_CODESIGNING_CA_LIST (the default), all the files signed by certificates in the CTL will be trusted by ChkTrust and Microsoft® Authenticode.
MakeCTL -s root output.stl
MakeCTL -u 1.3.6.1.4.1.311.2.2.1 one.cer two.cer three.cer output.stl
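Because the CTL lists every input certificate by its SHA1 hash, the input set can be reviewed against an approved list before MakeCTL is run. The following Python code is an added example, not part of the original documentation or of MakeCTL; it assumes the hash is taken over each certificate's full DER encoding (the Windows thumbprint), and the function names, file names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def der_certs(blob: bytes) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle or a single DER file."""
    bodies = PEM_RE.findall(blob)
    if bodies:
        # Strip line breaks inside the armor before decoding the base64 body.
        return [base64.b64decode(b"".join(body.split())) for body in bodies]
    return [blob]  # no PEM armor: treat the whole blob as one DER certificate

def thumbprint(der: bytes) -> str:
    """SHA-1 over the full DER encoding (assumed to match the CTL entry hash)."""
    return hashlib.sha1(der).hexdigest().upper()

def review_inputs(blobs: Dict[str, bytes], approved: Set[str]) -> Dict[str, List[str]]:
    """Map each thumbprint that is not approved to the input files containing it."""
    unexpected: Dict[str, List[str]] = {}
    for name, blob in blobs.items():
        for der in der_certs(blob):
            tp = thumbprint(der)
            if tp not in approved:
                unexpected.setdefault(tp, []).append(name)
    return unexpected

def to_pem(der: bytes) -> bytes:
    """Helper used only to build the constructed sample below."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed sample input: placeholder bytes, not real certificates.
CERT_A = b"\x30\x82\x01\x0a" + b"constructed-certificate-A"
CERT_B = b"\x30\x82\x01\x0b" + b"constructed-certificate-B"
SAMPLE = {"one.cer": CERT_A, "bundle.pem": to_pem(CERT_A) + to_pem(CERT_B)}
APPROVED = {thumbprint(CERT_A)}  # hypothetical approved list

if __name__ == "__main__":
    for tp, files in review_inputs(SAMPLE, APPROVED).items():
        print("not on approved list:", tp, "from", ", ".join(files))
```

Any thumbprint the review reports would become a trusted subject in the resulting CTL, so resolve it before the CTL is signed.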
Built on Wednesday, May 12, 1999