An attacker who can write to a certificate store could replace a certificate trust list (CTL) with a bogus one of their own. To make such a substitution harder to exploit, verify the signature on the CTL every time the CTL is used, and never rely on a CTL whose signature does not verify against a signer you trust.
To verify a CTL signature
1. Open the certificate store containing the desired CTL.
2. Get a handle to a CTL_CONTEXT for the CTL. This can be done by calling any of the functions that return a pointer to a CTL_CONTEXT, such as CertFindCTLInStore.
3. Call CryptMsgGetAndVerifySigner, passing the hCryptMsg member of the CTL_CONTEXT retrieved in step 2 (the decoded, signed PKCS #7 message that carries the CTL) in the hCryptMsg parameter, a handle to the certificate store containing the certificate of the trusted source for CTLs in the rghSignerStore parameter (with cSignerStore set to the number of stores passed), and CMSG_TRUSTED_SIGNER_FLAG in the dwFlags parameter. If the function returns TRUE, the signature was verified and was produced by a certificate found in one of those stores; a pointer to the CTL signer's PCCERT_CONTEXT is returned in the ppSigner parameter and must be released with CertFreeCertificateContext when no longer needed. If the function returns FALSE, the CTL is unsigned, its signature does not verify, or the signer is not in the supplied stores; treat the CTL as untrusted. Note that with CMSG_TRUSTED_SIGNER_FLAG the signer is looked up only in the stores you supply and is trusted because it is found there, without certificate chain validation, so those stores must contain nothing but certificates you trust to sign CTLs. Release the CTL_CONTEXT with CertFreeCTLContext when you are done with it.