3.1.2.4.2.2.2.8 Certificate.Template.msPKI-Private-Key-Flag

The following processing rules are applied to flags in the Certificate.Template.msPKI-Private-Key-Flag datum.

Flag

Client processing

0x00000001

CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL

If all of the following conditions are met:

  • The CT_FLAG_REQUIRE_SAME_KEY_RENEWAL flag (0x00000080) is also set,

  • The IsRenewalRequest datum is set to true,

  • The CT_FLAG_EXPORTABLE_KEY (0x00000010) is not set,

then the client SHOULD ignore this flag<56>; otherwise, clients MUST create the key archival certificate request as specified in section 3.1.1.4.3.5.1.

0x00000010

CT_FLAG_EXPORTABLE_KEY

If this flag is set, clients MUST allow other applications to copy the private key to a PFX (as specified in [RFC7292]) file at a later time.

0x00000020

CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED

If this flag is set, clients MUST use a stronger encryption protocol for the private key.<57>

0x00000040

CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM

If this flag is set, the client SHOULD sign PKCS#10 request as follows.<58>

  • For RSA keys, use signature algorithm and ASN structures as specified in section 3 of [RFC4055].

  • For ECC keys, follow algorithm and structures specified in [X9.62].

For other algorithms, the client MUST ignore this flag.

0x00000080

CT_FLAG_REQUIRE_SAME_KEY_RENEWAL

If the IsRenewalRequest datum is set, the client SHOULD use the key of the CertificateToBeRenewed ADM datum to generate a certificate request.<59>

0x00000100

CT_FLAG_USE_LEGACY_PROVIDER

This flag instructs the client to generate a public/private key pair as explained in section 3.1.2.4.2.2.1.6.<60> If this flag is not set, the public/private key MUST be generated as explained in section 3.1.2.4.2.2.2.5.

0x000002000

CT_FLAG_ATTEST_REQUIRED *

This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1.

0x000001000

CT_FLAG_ATTEST_PREFERRED *

This flag instructs the client to generate a certificate request as explained in section 3.1.1.4.3.4.1.1 if the Client_HardwareKeyInfo and Client_KeyAttestationStatement ADM elements are not empty (as described in section 3.1.2.4.2.2.2.2).

0x00200000

CT_FLAG_HELLO_LOGON_KEY *

This flag instructs the client to generate a certificate request for the Windows Hello Logon key. For more information about Windows Hello for Business, see [MSDOCS-WHfB].

* Support for these flags is specified in the following behavior note.<61>

  • If the value of a bitwise AND of Certificate.Template.msPKI-Private-Key-Flag and 0x0F000000 is larger than 0x0Y000000, where Y denotes the value of the Client_Current_Version ADM element, the client SHOULD NOT enroll for this template.<62>