3.1.2.4.2.2.2.8 Certificate.Template.msPKI-Private-Key-Flag

2025-05-12

The following processing rules are applied to flags in the Certificate.Template.msPKI-Private-Key-Flag datum.

Flag	Client processing
0x00000001 CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL	If all of the following conditions are met: The CT_FLAG_REQUIRE_SAME_KEY_RENEWAL flag (0x00000080) is also set, The IsRenewalRequest datum is set to true, The CT_FLAG_EXPORTABLE_KEY (0x00000010) is not set, then the client SHOULD ignore this flag <57>; otherwise, clients MUST create the key archival certificate request as specified in section 3.1.1.4.3.5.1.
0x00000010 CT_FLAG_EXPORTABLE_KEY	If this flag is set, clients MUST allow other applications to copy the private key to a PFX (as specified in [RFC7292]) file at a later time.
0x00000020 CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED	If this flag is set, clients MUST use a stronger encryption protocol for the private key.<58>
0x00000040 CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM	If this flag is set, the client SHOULD sign PKCS#10 request as follows.<59> For RSA keys, use signature algorithm and ASN structures as specified in section 3 of [RFC4055]. For ECC keys, follow algorithm and structures specified in [X9.62]. For other algorithms, the client MUST ignore this flag.
0x00000080 CT_FLAG_REQUIRE_SAME_KEY_RENEWAL	If the IsRenewalRequest datum is set, the client SHOULD use the key of the CertificateToBeRenewed ADM datum to generate a certificate request.<60>
0x00000100 CT_FLAG_USE_LEGACY_PROVIDER	This flag instructs the client to generate a public/private key pair as explained in section 3.1.2.4.2.2.1.6.<61> If this flag is not set, the public/private key MUST be generated as explained in section 3.1.2.4.2.2.2.5.
0x000002000 CT_FLAG_ATTEST_REQUIRED *	This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1.
0x000001000 CT_FLAG_ATTEST_PREFERRED *	This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1 if the Client_HardwareKeyInfo and Client_KeyAttestationStatement ADM elements are not empty (as described in section 3.1.2.4.2.2.2.2).
0x00200000 CT_FLAG_HELLO_LOGON_KEY *	This flag instructs the client to generate a certificate request for the Windows Hello Logon key. For more information about Windows Hello for Business, see [MSDOCS-WHfB].

Flag

Client processing

0x00000001

CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL

If all of the following conditions are met:

The CT_FLAG_REQUIRE_SAME_KEY_RENEWAL flag (0x00000080) is also set,
The IsRenewalRequest datum is set to true,
The CT_FLAG_EXPORTABLE_KEY (0x00000010) is not set,

then the client SHOULD ignore this flag <57>; otherwise, clients MUST create the key archival certificate request as specified in section 3.1.1.4.3.5.1.

0x00000010

CT_FLAG_EXPORTABLE_KEY

If this flag is set, clients MUST allow other applications to copy the private key to a PFX (as specified in [RFC7292]) file at a later time.

0x00000020

CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED

If this flag is set, clients MUST use a stronger encryption protocol for the private key.<58>

0x00000040

CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM

If this flag is set, the client SHOULD sign PKCS#10 request as follows.<59>

For RSA keys, use signature algorithm and ASN structures as specified in section 3 of [RFC4055].
For ECC keys, follow algorithm and structures specified in [X9.62].

For other algorithms, the client MUST ignore this flag.

0x00000080

CT_FLAG_REQUIRE_SAME_KEY_RENEWAL

If the IsRenewalRequest datum is set, the client SHOULD use the key of the CertificateToBeRenewed ADM datum to generate a certificate request.<60>

0x00000100

CT_FLAG_USE_LEGACY_PROVIDER

This flag instructs the client to generate a public/private key pair as explained in section 3.1.2.4.2.2.1.6.<61> If this flag is not set, the public/private key MUST be generated as explained in section 3.1.2.4.2.2.2.5.

0x000002000

CT_FLAG_ATTEST_REQUIRED *

This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1.

0x000001000

CT_FLAG_ATTEST_PREFERRED *

This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1 if the Client_HardwareKeyInfo and Client_KeyAttestationStatement ADM elements are not empty (as described in section 3.1.2.4.2.2.2.2).

0x00200000

CT_FLAG_HELLO_LOGON_KEY *

This flag instructs the client to generate a certificate request for the Windows Hello Logon key. For more information about Windows Hello for Business, see [MSDOCS-WHfB].

* Support for these flags is specified in the following behavior note.<62>

If the value of a bitwise AND of Certificate.Template.msPKI-Private-Key-Flag and 0x0F000000 is larger than 0x0Y000000, where Y denotes the value of the Client_Current_Version ADM element, the client SHOULD NOT enroll for this template.<63>

Share via

3.1.2.4.2.2.2.8 Certificate.Template.msPKI-Private-Key-Flag

Additional resources