MakeCTL

The MakeCTL tool creates a certificate trust list (CTL) and saves the encoded CTL to a certificate store or to a file. MakeCTL is only supported with Internet Explorer 4 or later. A CryptoAPI Tool wizard is available beginning with Internet Explorer 5 and Windows 2000. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.

MakeCTL is available as part of the Windows Server 2003 Platform Software Development Kit (SDK), which you can download from the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=84091.

The input to MakeCTL is an array of certificate stores. MakeCTL builds a CTL that includes the SHA1 hash of all of the certificates in the certificate stores. A certificate store can be one of the following:

  • A serialized store file
  • A PKCS #7 file
  • An encoded certificate file
  • A system store

The MakeCTL tool uses the following command syntax:

MakeCTL [-u SubjectUsageID] [-s [-r RegistryLocation]] Store1 [-s [-r RegistryLocation]] Store2 ... [-s [-r RegistryLocation]] StoreN Output.stl

Where

Store1 . . . StoreN

Names of the certificate stores whose certificates are to be included in the certificate trust list. Each store can be a serialized store file, a PKCS #7 file, an encoded certificate file, or (with -s) a system store.

Output.stl

Name of the output file that will contain the encoded CTL.


Options

The MakeCTL tool supports the following options.

-u SubjectUsageID

CTL subject usage identifier. The default identifier, 1.3.6.1.4.1.311.2.2.1, defined as szOID_TRUSTED_CODESIGNING_CA_LIST in Wintrust.h, specifies that the CTL consists of root CAs for code signing. It can be any enhanced key usage object identifier (OID).

-s

Indicates that the certificate store is a system store.

-r RegistryLocation

Registry location of the system certificate store. Meaningful only when -s is set. Must be set to either currentUser (registry key HKEY_CURRENT_USER) or localMachine (registry key HKEY_LOCAL_MACHINE). The default setting is currentUser.

-?

Lists command syntax and options.


Remarks

An encoded CTL file must be signed before it can be used; the CTL file that MakeCTL writes is not signed. CTL files can be signed by using the SignTool tool. After the CTL file is signed, it can be added to the Trust system store by CertMgr. CertMgr can also add the certificate that signed the CTL to the Root store, which is required because a CTL is only honored if its signer chains to a trusted root. If the subject usage identifier of the CTL is szOID_TRUSTED_CODESIGNING_CA_LIST (the default), all files whose Authenticode signatures chain to a CA in the CTL will be trusted by Authenticode. Because such a CTL extends code-signing trust for every certificate it lists, the key used to sign the CTL should be protected in the same way as a root CA key.
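The following PowerShell script ties together the command syntax above and the build, sign and install sequence described in these remarks. It is an added example, not part of the original page or of the Windows SDK. It assumes that MakeCTL.exe, SignTool.exe, CertMgr.exe and certutil.exe are on the PATH, that the CA certificates to be trusted are DER-encoded .cer files in a .\cas folder, that the CTL signing key is in .\ctlsigner.pfx with its public certificate in .\ctlsigner.cer, and that the PFX password is supplied in the CTL_PFX_PASSWORD environment variable; all of these paths and names are placeholders chosen for the example.

```powershell
# Added example (not from the original page): build, sign and install a
# trusted code-signing CA list with the CryptoAPI tools. Run from an elevated
# prompt, because the final steps write to the LocalMachine stores.
# Placeholders (assumptions for this example): .\cas\*.cer, .\ctlsigner.pfx,
# .\ctlsigner.cer, $env:CTL_PFX_PASSWORD, .\CodeSigningCAs.stl
$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run a native tool and fail loudly on a non-zero exit code; MakeCTL and
    # CertMgr report problems through the exit code rather than an exception.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Gather the input stores. MakeCTL accepts encoded certificate files directly,
#    so each .cer file is passed as one StoreN argument.
$caFiles = @(Get-ChildItem -Path .\cas -Filter *.cer | ForEach-Object { $_.FullName })
if ($caFiles.Count -eq 0) { throw 'No CA certificates found in .\cas' }

# 2. Build the CTL. -u 1.3.6.1.4.1.311.2.2.1 is the default
#    (szOID_TRUSTED_CODESIGNING_CA_LIST) and is written out so the intent is
#    explicit in the script. No -s / -r flags: the inputs are files, not
#    system stores. The result is an unsigned, encoded CTL.
Invoke-Tool 'MakeCTL.exe' (@('-u', '1.3.6.1.4.1.311.2.2.1') + $caFiles + @('.\CodeSigningCAs.stl'))

# Variant: build the list from a system store instead of files, e.g. every
# certificate in the local machine's Root store:
#   MakeCTL.exe -s -r localMachine Root .\RootCAs.stl

# 3. Sign the CTL. An unsigned CTL is not honored by the trust system.
if (-not $env:CTL_PFX_PASSWORD) { throw 'CTL_PFX_PASSWORD is not set' }
Invoke-Tool 'SignTool.exe' @('sign', '/f', '.\ctlsigner.pfx', '/p', $env:CTL_PFX_PASSWORD,
                             '/v', '.\CodeSigningCAs.stl')

# 4. Install: the signed CTL goes into LocalMachine\Trust, and the certificate
#    that signed it into LocalMachine\Root so that the CTL signature chains to a
#    trusted root. (-c adds certificates, -ctl adds CTLs; -s -r selects the
#    system store location, as with MakeCTL.)
Invoke-Tool 'CertMgr.exe' @('-add', '-ctl', '.\CodeSigningCAs.stl', '-s', '-r', 'localMachine', 'Trust')
Invoke-Tool 'CertMgr.exe' @('-add', '-c',   '.\ctlsigner.cer',      '-s', '-r', 'localMachine', 'Root')

# 5. Check what was actually installed: dump the file to confirm the subject
#    usage OID and the list of SHA1 identifiers, then confirm the CTL is present
#    in the Trust store.
Invoke-Tool 'certutil.exe' @('-dump', '.\CodeSigningCAs.stl')
Invoke-Tool 'certutil.exe' @('-store', 'Trust')
```

Keep the signing PFX off the build machine that produces the CTL content: because the list grants Authenticode trust to every CA it names, whoever controls the CTL signing key controls which code the machine will run, so treat that key with the same care as a root CA key and prefer a hardware token over a file-based PFX for anything beyond a lab.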

For examples, see Using MakeCTL.


Build date: 11/16/2009
