Why is the private key needed to be marked as exportable in the certificate template?

This is primarily due to the Microsoft CertENROLL API, which enrolls the certificate into the user's Personal certificate store. 

HYPR exports the private key and certificate into a PKCS12 blob to be stored on the mobile device. HYPR then stores the user’s certificate on their mobile device so that it can be used for subsequent desktop logon. We also leverage this functionality when automatically updating the user’s certificates.  

From a security perspective, the HYPR credential provider on Windows does multiple security checks including a FIDO based authentication before leveraging the user certificate for authentication into the domain.

Was this article helpful?
2 out of 3 found this helpful