3.1.2.4.2.2.2.2 Certificate.Template.pKIDefaultCSPs

The client SHOULD use the Certificate.Template.pKIDefaultCSPs datum to determine the algorithm and the key size to be used to generate the private key as follows:

  • If the certificate.Template.msPKI-Template-Schema-Version datum equals 0x2:

    1. Determine the algorithm for the private key, as specified in section 3.1.2.4.2.2.1.6.

    2. Determine the key size, as specified in section 3.1.2.4.2.2.2.1.

  • If the certificate.Template.msPKI-Template-Schema-Version datum equals 0x3:

    1. Determine the algorithm for the private key by processing the msPKI-Asymmetric-Algorithm property type, as specified in section 3.1.2.4.2.2.2.5.

    2. Determine the key size, as specified in section 3.1.2.4.2.2.2.1.

  • If the certificate.Template.msPKI-Template-Schema-Version datum equals 0x4 and if CT_FLAG_USE_LEGACY_PROVIDER is set:

    1. Determine the algorithm for the private key, as specified in section 3.1.2.4.2.2.1.6.

    2. Determine the key size, as specified in section 3.1.2.4.2.2.2.1.

  • If the certificate.Template.msPKI-Template-Schema-Version datum equals 0x4 and if CT_FLAG_USE_LEGACY_PROVIDER is not set:

    1. Determine the algorithm for the private key by processing the msPKI-Asymmetric-Algorithm property type, as specified in section 3.1.2.4.2.2.2.5.

    2. Determine the key size, as specified in section 3.1.2.4.2.2.2.1.

    3. If the CT_FLAG_ATTEST_REQUIRED or CT_FLAG_ATTEST_PREFERRED flag under the Certificate.Template.msPKI-Private-Key-Flag datum is set, the client SHOULD initialize the Client_HardwareKeyInfo and Client_KeyAttestationStatement ADM elements using CSP-specific methods, and the szOID_ENROLL_KSP_NAME attribute containing the CSP name.<45> If initialization fails and CT_FLAG_ATTEST_REQUIRED is set, the client SHOULD NOT submit a certificate request based on this template.<46>
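The four branches above form one decision table keyed on the template schema version and the msPKI-Private-Key-Flag bits. The following Python is an added illustration written for this page, not code from the protocol specification or from any Windows component: it maps a template's schema version and private-key flags to the branch that applies (which section supplies the algorithm, and whether key attestation is attempted or mandatory), and then applies the step 3 rule that a failed attestation initialization blocks submission only when CT_FLAG_ATTEST_REQUIRED is set. The flag bit values are the ones published in MS-CRTD for msPKI-Private-Key-Flag and are not stated on this page, so verify them against that document; `init_attestation` stands in for the CSP-specific initialization of Client_HardwareKeyInfo and Client_KeyAttestationStatement, and the `AlgorithmSource` and `KeyGenPlan` names are this example's own.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable

# msPKI-Private-Key-Flag bit values as published in MS-CRTD. The section above
# names these flags but does not give their values, so check them against MS-CRTD.
CT_FLAG_USE_LEGACY_PROVIDER = 0x00000100
CT_FLAG_ATTEST_PREFERRED = 0x00001000
CT_FLAG_ATTEST_REQUIRED = 0x00002000


class AlgorithmSource(Enum):
    """Which part of the specification determines the private-key algorithm."""
    LEGACY_CSP = "section 3.1.2.4.2.2.1.6"            # pKIDefaultCSPs / legacy CSP
    ASYMMETRIC_ALGORITHM = "section 3.1.2.4.2.2.2.5"  # msPKI-Asymmetric-Algorithm


@dataclass(frozen=True)
class KeyGenPlan:
    """Outcome of the decision table in section 3.1.2.4.2.2.2.2 (example type)."""
    algorithm_source: AlgorithmSource
    key_size_source: str = "section 3.1.2.4.2.2.2.1"  # same in every branch
    attestation_attempted: bool = False               # step 3 applies at all
    attestation_required: bool = False                # CT_FLAG_ATTEST_REQUIRED set


def plan_key_generation(schema_version: int, private_key_flag: int) -> KeyGenPlan:
    """Select the branch for a template's msPKI-Template-Schema-Version and
    msPKI-Private-Key-Flag. Versions the section does not cover raise ValueError."""
    legacy = bool(private_key_flag & CT_FLAG_USE_LEGACY_PROVIDER)
    if schema_version == 0x2:
        return KeyGenPlan(AlgorithmSource.LEGACY_CSP)
    if schema_version == 0x3:
        return KeyGenPlan(AlgorithmSource.ASYMMETRIC_ALGORITHM)
    if schema_version == 0x4 and legacy:
        # Legacy provider requested: the attestation step (step 3) is not part of this branch.
        return KeyGenPlan(AlgorithmSource.LEGACY_CSP)
    if schema_version == 0x4:
        required = bool(private_key_flag & CT_FLAG_ATTEST_REQUIRED)
        preferred = bool(private_key_flag & CT_FLAG_ATTEST_PREFERRED)
        return KeyGenPlan(
            AlgorithmSource.ASYMMETRIC_ALGORITHM,
            attestation_attempted=required or preferred,
            attestation_required=required,
        )
    raise ValueError(f"schema version {schema_version:#x} is not covered by this section")


def may_submit_request(plan: KeyGenPlan, init_attestation: Callable[[], bool]) -> bool:
    """Apply step 3. init_attestation is a placeholder for the CSP-specific method that
    fills Client_HardwareKeyInfo / Client_KeyAttestationStatement and returns success.
    A failure blocks the request only when attestation is required, not merely preferred."""
    if not plan.attestation_attempted:
        return True
    if not init_attestation() and plan.attestation_required:
        return False
    return True


if __name__ == "__main__":
    # Constructed template settings: schema v4, attestation required, KSP path.
    plan = plan_key_generation(0x4, CT_FLAG_ATTEST_REQUIRED)
    print(plan)
    print("submit:", may_submit_request(plan, lambda: False))  # attestation init failed
```

A defender reviewing template configuration can use the same table in reverse: a schema version 4 template with CT_FLAG_ATTEST_PREFERRED rather than CT_FLAG_ATTEST_REQUIRED still enrolls when attestation initialization fails, so only the REQUIRED flag turns the hardware-key requirement into an enforced one.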