The Request Handling tab defines the purpose of a certificate template, the supported cryptographic service providers (CSPs), minimum key length, exportability, autoenrollment settings, and whether strong private key protection should be required.

Certificate purpose

The certificate purpose defines the intended primary use of the certificate and can be one of four settings as described in the following table.

Setting Purpose


Contains cryptographic keys for encryption and decryption.


Contains cryptographic keys for signing data only.

Signature and encryption

Covers all primary uses of a certificate's cryptographic key, including encryption of data, decryption of data, initial logon, or digitally signing data.

Signature and smart card logon

Allows for initial logon with a smart card, and to digitally sign data; it cannot be used for data encryption.


Key archival is only possible if the certificate purpose is set to Encryption or Signature and encryption.

Archive settings

Certification authorities (CAs) can archive a subject's keys in their databases when certificates are issued. If subjects lose their keys, the information can be retrieved from the database and securely provided to the subjects.

The key archival settings in the following table are defined in the Request Handling tab.

Setting Purpose

Archive subject's encryption private key

If the issuing CA is configured for key archival, the subject's private key will be archived.

Allow private key to be exported

The subject's private key can be exported to a file for backup or transfer to another computer.

Deleting revoked or expired certificates (do not archive)

If a certificate is renewed due to expiration or revocation, the previously issued certificate is removed from the subject's certificate store. By default, this option is not enabled and the certificate is archived.

Include symmetric algorithms allowed by the subject

When the subject requests the certificate, a list of supported symmetric algorithms can be supplied by the subject. This option allows the issuing CA to include those algorithms in the certificate, even if they are not recognized or supported by that server.

User input settings

The Request Handling tab also allows several user input settings described in this table to be defined for a certificate template.

Setting Purpose

Enroll subject without requiring any user input

This option allows autoenrollment without any user interaction and is the default setting for both computer and user certificates.

Prompt the user during enrollment

By disabling this option, users do not have to provide any input for the installation of a certificate based on the certificate template.

Prompt the user during enrollment and require user input when the private key is used

This option enables the user to set a strong private key protection password on the user's private key when the key is generated and requires the user to use it whenever the certificate and private key are used.

Other version 3 request handling settings

The Request Handling tab for version 3 certificate templates has been updated to provide support for the new options available on the Cryptography tab, along with other changes. The options are listed in the following table.

Setting Purpose

Use advanced Symmetric algorithm to send the key to the CA

This option allows the administrator to choose the Advanced Encryption Standard (AES) algorithm to encrypt private keys while they are transferred to the CA for key archival. If this option is selected, the client will use AES-256 symmetric encryption (along with the CA's exchange certificate for asymmetric encryption) to send the private key to the CA for archival. If this option is not selected, the 3DES symmetric algorithm is used. Because key archival is intended for encryption keys (not signing keys), this option is enabled only when the certificate purpose is set to Encryption.

Authorize additional service accounts to access the private key

This option allows a custom access control list (ACL) to be defined on the private keys of computer certificates based on any version 3 computer certificate template except the root CA, subordinate CA, or cross-CA templates. A custom ACL is necessary only when a service account that requires access to the private key is not included in the default permissions. The default permissions applied to the private key by the Microsoft certificate enrollment client and software key storage provider include Full Control permission for the Administrators group and the Local System account. Non-Microsoft providers may apply different default permissions and may not support custom ACLs defined by using this option. Refer to your provider's documentation for more information.


This option has replaced the Add Read permissions to Network Service on the private key option. In Windows Server 2008 R2, the default permissions applied to the private key of OCSP Response Signing certificates include Read permission for Online Responder service account and Full Control permission for the Administrators group and the Local System account.

For more information about options associated with version 3 certificate templates, see Cryptography.

Other version 2 request handling settings

In addition to key archival settings, you can define general options that affect all certificates based on version 2 certificate templates. The options are listed in the following table.

Setting Purpose

Minimum key size

This specifies the minimum size, in bits, of the key that will be generated for this certificate.

Cryptographic service providers

This is a list of cryptographic service providers (CSPs) that will be used to enroll certificates for the given template. Selecting one or more CSPs configures the certificate to only work with those CSPs. The CSP must be installed on the client computer for the CSP to be used during enrollment. If a specific CSP is chosen and not available on a client computer, enrollment will fail.

Additional references