2.27 msPKI-Private-Key-Flag Attribute

The msPKI-Private-Key-Flag attribute specifies the private key flags. Its value can be 0 or can consist of a bitwise OR of flags from the following table.<34>

Flag

Meaning

0x00000001

CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL

This flag instructs the client to create a key archival certificate request, as specified in [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.

0x00000010

CT_FLAG_EXPORTABLE_KEY

This flag instructs the client to allow other applications to copy the private key to a .pfx file, as specified in [PKCS12], at a later time.

0x00000020

CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED

This flag instructs the client to use additional protection for the private key.

0x00000040

CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM

This flag instructs the client to use an alternate signature format. For more details, see [MS-WCCE] section 3.1.2.4.2.2.2.8.

0x00000080

CT_FLAG_REQUIRE_SAME_KEY_RENEWAL

This flag instructs the client to use the same key when renewing the certificate.<35>

0x00000100

CT_FLAG_USE_LEGACY_PROVIDER

This flag instructs the client to process the msPKI-RA-Application-Policies attribute as specified in section 2.23.1.<36>

0x00000000 *

CT_FLAG_ATTEST_NONE

This flag indicates that attestation data is not required when creating the certificate request. It also instructs the server to not add any attestation OIDs to the issued certificate. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

0x00002000 *

CT_FLAG_ATTEST_REQUIRED

This flag informs the client that attestation data is required when creating the certificate request. It also instructs the server that attestation must be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.

0x00001000 *

CT_FLAG_ATTEST_PREFERRED

This flag informs the client that it SHOULD include attestation data if it is capable of doing so when creating the certificate request. It also instructs the server that attestation might or might not be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.

0x00004000 *

CT_FLAG_ATTESTATION_WITHOUT_POLICY

This flag instructs the server to not add any certificate policy OIDs to the issued certificate even though attestation SHOULD be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

0x00000200 *

CT_FLAG_EK_TRUST_ON_USE

This flag indicates that attestation based on the user's credentials is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

0x00000400 *

CT_FLAG_EK_VALIDATE_CERT

This flag indicates that attestation based on the hardware certificate of the Trusted Platform Module (TPM) is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

0x00000800 *

CT_FLAG_EK_VALIDATE_KEY

This flag indicates that attestation based on the hardware key of the TPM is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

0x00200000 *

CT_FLAG_HELLO_LOGON_KEY

This flag indicates that the key is used for Windows Hello logon. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

* Support for these flags is specified in the following behavior note.<37>

  • The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x000F0000 determines whether the current CA can issue a certificate based on this template, as explained in [MS-WCCE] section 3.2.2.6.2.1.4.5.7.

  • The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x0F000000 determines whether the current template is supported by the client, as explained in [MS-WCCE] section 3.1.2.4.2.2.2.8.

For schema details of this attribute, see [MS-ADA2] section 2.602.