CTL Overview

The CryptoAPI CTL is a list of items that has been signed by a trusted entity. The list of items could be anything, such as a list of hashes of certificates, or a list of file names. The important thing is that all the items in the list are authenticated (approved) by the signing entity.

The primary use of this functionality is to verify signed messages, using the CTL as a source of trusted root certificates. In this case, the CTL is a list of hashed certificate contexts.

In addition to certificates and certificate revocation lists (CRLs), the CryptoAPI certificate store now supports CTLs. A CTL_CONTEXT structure has been added that closely mirrors the certificate and CRL context structures, and CTL contexts can be persisted to the certificate store in the same way.

The main difference is that, unlike the certificate and CRL context structures, the CTL_CONTEXT structure contains an HCRYPTMSG member. Every function that returns a CTL_CONTEXT structure opens this handle, so the message functions can be used to verify the CTL's signature. This verification is necessary to ensure that the CTL being used was signed by the expected entity and is not a bogus CTL planted by some rogue entity.

Several functions are provided for managing CTLs. These include:

CertAddCTLContextToStore
CertAddEncodedCTLToStore
CertCreateCTLContext
CertDeleteCTLFromStore
CertDuplicateCTLContext
CertEnumCTLContextProperties
CertEnumCTLsInStore
CertFindCTLInStore
CertFindSubjectInCTL
CertFreeCTLContext
CertGetCTLContextProperty
CertSerializeCTLStoreElement
CertSetCTLContextProperty
CertVerifyCTLUsage
CryptMsgEncodeAndSignCTL
CryptMsgGetAndVerifySigner
CryptMsgSignCTL