2.27 msPKI-Private-Key-Flag Attribute
The msPKI-Private-Key-Flag attribute specifies the private key flags. Its value can be 0 or can consist of a bitwise OR of flags from the following table.<35>
| Flag | Meaning |
|---|---|
| 0x00000001 CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | This flag instructs the client to create a key archival certificate request, as specified in [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7. |
| 0x00000010 CT_FLAG_EXPORTABLE_KEY | This flag instructs the client to allow other applications to copy the private key to a .pfx file, as specified in [RFC7292], at a later time. |
| 0x00000020 CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED | This flag instructs the client to use additional protection for the private key. |
| 0x00000040 CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM | This flag instructs the client to use an alternate signature format. For more details, see [MS-WCCE] section 3.1.2.4.2.2.2.8. |
| 0x00000080 CT_FLAG_REQUIRE_SAME_KEY_RENEWAL | This flag instructs the client to use the same key when renewing the certificate.<36> |
| 0x00000100 CT_FLAG_USE_LEGACY_PROVIDER | This flag instructs the client to process the msPKI-RA-Application-Policies attribute as specified in section 2.23.1.<37> |
| 0x00000000 * CT_FLAG_ATTEST_NONE | This flag indicates that attestation data is not required when creating the certificate request. It also instructs the server to not add any attestation OIDs to the issued certificate. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
| 0x00002000 * CT_FLAG_ATTEST_REQUIRED | This flag informs the client that attestation data is required when creating the certificate request. It also instructs the server that attestation must be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7. |
| 0x00001000 * CT_FLAG_ATTEST_PREFERRED | This flag informs the client that it SHOULD include attestation data if it is capable of doing so when creating the certificate request. It also instructs the server that attestation might or might not be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7. |
| 0x00004000 * CT_FLAG_ATTESTATION_WITHOUT_POLICY | This flag instructs the server to not add any certificate policy OIDs to the issued certificate even though attestation SHOULD be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
| 0x00000200 * CT_FLAG_EK_TRUST_ON_USE | This flag indicates that attestation based on the user's credentials is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
| 0x00000400 * CT_FLAG_EK_VALIDATE_CERT | This flag indicates that attestation based on the hardware certificate of the Trusted Platform Module (TPM) is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
| 0x00000800 * CT_FLAG_EK_VALIDATE_KEY | This flag indicates that attestation based on the hardware key of the TPM is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
| 0x00200000 * CT_FLAG_HELLO_LOGON_KEY | This flag indicates that the key is used for Windows Hello logon. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. |
* Support for these flags is specified in the following behavior note.<38>
The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x000F0000 determines whether the current CA can issue a certificate based on this template, as explained in [MS-WCCE] section 3.2.2.6.2.1.4.5.7.
The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x0F000000 determines whether the current template is supported by the client, as explained in [MS-WCCE] section 3.1.2.4.2.2.2.8.
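The following decoder, an added example rather than code from the specification, splits a template's msPKI-Private-Key-Flag value into the named flags from the table, resolves the attestation mode (CT_FLAG_ATTEST_NONE is the zero value and applies only when neither ATTEST bit is set), extracts the two masked fields, and reports bits the table does not define; the sample value and the `template_findings` audit helper are constructed for illustration.

```python
# Decoder for the msPKI-Private-Key-Flag bitmask (added example, not from
# [MS-CRTD]). Flag values are those listed in the table above.
PRIVATE_KEY_FLAGS = {
    0x00000001: "CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL",
    0x00000010: "CT_FLAG_EXPORTABLE_KEY",
    0x00000020: "CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED",
    0x00000040: "CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM",
    0x00000080: "CT_FLAG_REQUIRE_SAME_KEY_RENEWAL",
    0x00000100: "CT_FLAG_USE_LEGACY_PROVIDER",
    0x00000200: "CT_FLAG_EK_TRUST_ON_USE",
    0x00000400: "CT_FLAG_EK_VALIDATE_CERT",
    0x00000800: "CT_FLAG_EK_VALIDATE_KEY",
    0x00001000: "CT_FLAG_ATTEST_PREFERRED",
    0x00002000: "CT_FLAG_ATTEST_REQUIRED",
    0x00004000: "CT_FLAG_ATTESTATION_WITHOUT_POLICY",
    0x00200000: "CT_FLAG_HELLO_LOGON_KEY",
}
CA_SUPPORT_MASK = 0x000F0000      # checked by the CA, [MS-WCCE] 3.2.2.6.2.1.4.5.7
CLIENT_SUPPORT_MASK = 0x0F000000  # checked by the client, [MS-WCCE] 3.1.2.4.2.2.2.8


def decode_private_key_flags(value: int) -> dict:
    """Split a 32-bit attribute value into named flags, attestation mode,
    the two masked fields (as field values, not raw bits) and unknown bits."""
    named = [name for bit, name in PRIVATE_KEY_FLAGS.items() if value & bit]
    known = sum(PRIVATE_KEY_FLAGS) | CA_SUPPORT_MASK | CLIENT_SUPPORT_MASK
    if value & 0x00002000:        # REQUIRED takes precedence over PREFERRED
        attestation = "CT_FLAG_ATTEST_REQUIRED"
    elif value & 0x00001000:
        attestation = "CT_FLAG_ATTEST_PREFERRED"
    else:                          # CT_FLAG_ATTEST_NONE is the zero value
        attestation = "CT_FLAG_ATTEST_NONE"
    return {
        "flags": named,
        "attestation": attestation,
        "ca_support_field": (value & CA_SUPPORT_MASK) >> 16,
        "client_support_field": (value & CLIENT_SUPPORT_MASK) >> 24,
        "unknown_bits": value & ~known & 0xFFFFFFFF,
    }


def template_findings(value: int) -> list:
    """Hypothetical audit helper: flag settings a reviewer of an AD CS
    template would want to see, based only on what the table states."""
    decoded = decode_private_key_flags(value)
    findings = []
    if "CT_FLAG_EXPORTABLE_KEY" in decoded["flags"]:
        findings.append("private key may be copied to a .pfx file")
    if decoded["unknown_bits"]:
        findings.append("undefined bits set: 0x%08X" % decoded["unknown_bits"])
    return findings


# Constructed sample: archival + exportable + attestation preferred,
# CA field 1 and client field 2.
SAMPLE_VALUE = 0x02010000 | 0x00001000 | 0x00000010 | 0x00000001
```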
For schema details of this attribute, see [MS-ADA2] section 2.618.