In order to sign data, a hash object must first be created by using the CryptCreateHash function. This hash object will accumulate the data to be signed. Next, the data is added to the hash object with the CryptHashData function.
After the last block of data is added to the hash, the CryptSignHash function is used to sign the hash. A description of the data can also be added to the hash object at this point. After the digital signature data has been obtained, the hash object should be destroyed with the CryptDestroyHash function.
Hashes can be signed with either the signature private key or the key exchange private key. The signature key should be used when the user who owns the signature key is signing some of his or her data. The key exchange key should be used when signing data that does not directly belong to the user. The classic example of this is when the key exchange key is used to sign session keys during a key exchange protocol.