The following processing rules are applied to flags in the Certificate.Template.msPKI-Private-Key-Flag datum.
| Flag | Client processing |
|---|---|
| 0x00000001 CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | If all of the following conditions are met: then the client SHOULD ignore this flag<57>; otherwise, clients MUST create the key archival certificate request as specified in section 3.1.1.4.3.5.1. |
| 0x00000010 CT_FLAG_EXPORTABLE_KEY | If this flag is set, clients MUST allow other applications to copy the private key to a PFX file (as specified in [RFC7292]) at a later time. |
| 0x00000020 CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED | If this flag is set, clients MUST use a stronger encryption protocol for the private key.<58> |
| 0x00000040 CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM | If this flag is set, the client SHOULD sign the PKCS#10 request as follows.<59> For other algorithms, the client MUST ignore this flag. |
| 0x00000080 CT_FLAG_REQUIRE_SAME_KEY_RENEWAL | If the IsRenewalRequest datum is set, the client SHOULD use the key of the CertificateToBeRenewed ADM datum to generate the certificate request.<60> |
| 0x00000100 CT_FLAG_USE_LEGACY_PROVIDER | This flag instructs the client to generate a public/private key pair as explained in section 3.1.2.4.2.2.1.6.<61> If this flag is not set, the public/private key pair MUST be generated as explained in section 3.1.2.4.2.2.2.5. |
| 0x00002000 CT_FLAG_ATTEST_REQUIRED * | This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1. |
| 0x00001000 CT_FLAG_ATTEST_PREFERRED * | This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1 if the Client_HardwareKeyInfo and Client_KeyAttestationStatement ADM elements are not empty (as described in section 3.1.2.4.2.2.2.2). |
| 0x00200000 CT_FLAG_HELLO_LOGON_KEY * | This flag instructs the client to generate a certificate request for the Windows Hello Logon key. For more information about Windows Hello for Business, see [MSDOCS-WHfB]. |
* Support for these flags is specified in the following behavior note.<62>
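As an added illustration (not part of MS-WCCE or any Microsoft client code), the function below decodes a template's msPKI-Private-Key-Flag value using only the flag constants from the table above and works out which processing rule the client would follow for key generation, attestation, archival, exportability and renewal. The template values, the `has_attestation_data` boolean (standing in for the two ADM elements) and the `ignore_archival` boolean (standing in for the unstated <57> conditions) are assumptions of this example.

```python
# Added example, not from the spec: decode msPKI-Private-Key-Flag and apply the
# client processing rules in the table above. Flag values are the ones the table lists.
FLAGS = {
    "CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL": 0x00000001,
    "CT_FLAG_EXPORTABLE_KEY": 0x00000010,
    "CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED": 0x00000020,
    "CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM": 0x00000040,
    "CT_FLAG_REQUIRE_SAME_KEY_RENEWAL": 0x00000080,
    "CT_FLAG_USE_LEGACY_PROVIDER": 0x00000100,
    "CT_FLAG_ATTEST_PREFERRED": 0x00001000,
    "CT_FLAG_ATTEST_REQUIRED": 0x00002000,
    "CT_FLAG_HELLO_LOGON_KEY": 0x00200000,
}
KNOWN_MASK = sum(FLAGS.values())  # bits are distinct, so the sum equals their OR


def decode_flags(value: int) -> list[str]:
    """Names of the known flags set in value (ascending bit order), then any
    bits the table does not define, reported as one UNKNOWN_0x... entry."""
    names = [name for name, bit in sorted(FLAGS.items(), key=lambda kv: kv[1])
             if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def client_processing(value: int, *, has_attestation_data: bool = False,
                      is_renewal: bool = False, ignore_archival: bool = False) -> dict:
    """Apply the table's rules to one flag value.
    has_attestation_data: Client_HardwareKeyInfo and Client_KeyAttestationStatement
        are non-empty (assumption: modelled as a single boolean).
    ignore_archival: the <57> conditions under which the archival flag is ignored hold
        (assumption: the conditions themselves are not on this page)."""
    def is_set(name: str) -> bool:
        return bool(value & FLAGS[name])

    attested = is_set("CT_FLAG_ATTEST_REQUIRED") or (
        is_set("CT_FLAG_ATTEST_PREFERRED") and has_attestation_data)
    legacy = is_set("CT_FLAG_USE_LEGACY_PROVIDER")
    return {
        # which key-generation section applies (legacy CSP vs. the non-legacy path)
        "key_generation_section": "3.1.2.4.2.2.1.6" if legacy else "3.1.2.4.2.2.2.5",
        "attested_request": attested,           # request built per 3.1.1.4.3.4.1.1
        "key_archival_request": is_set("CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL")
                                and not ignore_archival,   # per 3.1.1.4.3.5.1
        "private_key_exportable": is_set("CT_FLAG_EXPORTABLE_KEY"),  # PFX export allowed
        "strong_key_protection": is_set("CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED"),
        "reuse_renewal_key": is_renewal and is_set("CT_FLAG_REQUIRE_SAME_KEY_RENEWAL"),
        "hello_logon_key": is_set("CT_FLAG_HELLO_LOGON_KEY"),
    }
```

When auditing templates, the `private_key_exportable` and `attested_request` results are the two a reviewer usually wants to see first, since they decide whether the issued key can leave the machine and whether its residency is proven to the CA.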