Ok, I still come off the rails when choosing the Crypto provider (CSP) and Marking keys as exportable.

Certs were being issued automaticaly because I had enabled this option in the Certification Authority snap-in.

Looking at my Code Signing cert template (Cert Templates snap-In), switching to the second tab of the property page (Request Handeling) the MS RSA & AES Crypto Provider is not enabled along with 'allow private key to be exported'.

I guess this is why the options are not available when I'm generating a cert from this template.

So... I created a new cert template based on the default Code Signing template and enabled the appropriate CSP and checked 'allow private key to be exported'. Finaly saved this as a new template.

The final stage to make my Cert Template available is to enable it in the Certification Authority (CA) snap-in -> Certificate Templates -> Right-Click -> New -> Certificate Template to Issue. But my new template can not be selected.

I think it can't be selected because the new template has a minimum supported CA of Windows 2003, Enterprise Edition. I have only std edition Win2003 available to me.

So I think the options for me are:

1. figure out why the default Code Signing template in my installation is not enabled for RSA/AES CSP and private key export.

or

2. Figure out how to create a new template with a minimum supported CA of Windows 2003, Std Edition. Interestingly enough the default Code Signing Cert template has a min CA authority of Win2000