Tags: ssl-certificate, certificate, x509certificate, client-certificates, pki

Microsoft PKI all users can request certs with exportable private keys even when unchecked on template


We have templates in our ADCS Microsoft PKI infrastructure for multiple uses. We do not want the certificate used for web server SSL to have the private key be exportable, so we have that option unchecked. When a user goes through the AD enrollment policy to request a certificate, they can select the option on the key options to make private key exportable even though we have marked on the template to not have the private key be exportable. They then get a certificate with an exportable private key even though we unchecked that on the template. We have not seen a way to stop it.

We have deleted the template to issue and redid the base template without the exportable private key option, yet the requesting user can still get it. We have created a new template without the option and issued the one, and they can still request that the private key be exportable and get a certificate like this. We don't see a way to stop it. What are we misunderstanding?


Solution

  • What are we misunderstanding?

    A template is a template; it is not something that is enforced in all aspects. A template provides default settings to minimize user input during enrollment. Almost every template setting can be overridden by the client if necessary. Moreover, the CA is not able to validate how the key was generated. This requires some form of key attestation that guarantees that the key is generated securely and stored on a tamper-evident chip (TPM, HSM, for instance). For software-based keys there is no such possibility.

    This means that you cannot enforce non-exportable keys via templates.
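Since the template cannot enforce non-exportability, the check has to happen where the key actually lives. As an added example (not from the original question or answer), this PowerShell script enumerates the local machine's personal store and reports which certificates carry an exportable private key and from which template they were issued, which is how you would audit endpoints that enrolled from the template; it assumes Windows PowerShell 5.1 or later on Windows and an account that can open the private keys (typically an administrator).

```powershell
# Added example, not part of the original post. Reports certificates in the
# given store whose private key is marked exportable. CNG keys expose an
# ExportPolicy on the key; legacy CSP keys expose Exportable on the container.
function Get-ExportableKeyReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $exportable = $null   # stays $null if the key could not be opened
        $provider = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: export policy lives on the key object itself
                $provider = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the container info carries the flag
                $provider = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Key not readable under the current account; leave Exportable as unknown
        }

        # Template name/OID from the V1 (1.3.6.1.4.1.311.20.2) or V2 (1.3.6.1.4.1.311.21.7) extension
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = ($template -join '; ')
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

# List only the certificates whose key the holder could export
Get-ExportableKeyReport | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

ECDSA-only certificates return no RSA key and are reported with Exportable unknown; extend the same pattern with ECDsaCertificateExtensions if you issue those.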