Version: 10.7.1

Certificate Template for Security Keys and Smart Cards (Non-exportable Keys)

This document describes how to create a separate certificate template with non-exportable private keys for use with physical security keys and smart cards only. Do not use this template for HYPR Mobile App pairings; mobile requires a template that allows exportable private keys. With the non-exportable template, the private key is generated on the security key or smart card and never leaves the device. Recovery PINs are not available for users who pair with this template.

Prerequisites

Complete Steps 1–6 of Creating a Custom Certificate Template (General tab only). Then return here to complete the template for security keys and smart cards.

Complete the non-exportable template

  1. (WINDOWS ONLY) Go to the Request Handling tab and change the following settings:

    Parameter                              Value
    Purpose                                Signature and smartcard logon
    Allow private key to be exported       Unchecked
    Prompt the user during enrollment      Selected
  2. Go to the Subject Name tab and change the following settings:

    Parameter                                      Value
    Build from this Active Directory information   Checked
    Subject name format                            None
    User principal name (UPN)                      Checked
    Important Security Patch Notice for Windows Server 2019 and 2022

    In January 2025, Microsoft released security updates for Windows Server 2019 and 2022. One of those updates changed how certificates with an empty Subject Name are handled, which causes issues with certificates issued from this template: the Subject name format is None, so the user's identity is carried only by the UPN in the Subject Alternative Name.

    If your Domain Controllers are on the January 2025 update and cannot move to a later one (February 2025 or later), Microsoft offers a Known Issue Rollback (KIR) as a workaround. Contact HYPR support for guidance on applying it.

  3. (WINDOWS ONLY) Go to the Extensions tab, edit Application Policies, and make sure the only listed policies are Client Authentication and Smart Card Logon (remove any default policies as necessary).

  4. (WINDOWS ONLY) On the Cryptography tab:

    • Minimum key size: HYPR accepts RSA keys as small as 1024 bits, but set the minimum to 2048 bits; 1024-bit RSA no longer meets current industry minimums and should not be allowed on new templates.

    • Provider Category: Select Key Storage Provider

    • Choose which cryptographic providers can be used for requests: Select Requests must use one of the following providers

    • Providers: Check Microsoft Smart Card Key Storage Provider

  5. Select OK to close the Properties of New Template window and create the template.
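The settings above end up as attributes on the template object in the Active Directory configuration partition, so they can be checked without opening the console. The following PowerShell script is an added verification example, not part of the HYPR documentation or product. It assumes it runs on a domain-joined Windows host as a user who can read CN=Certificate Templates, that the template is named HYPRSecurityKey (a placeholder; substitute your own), and it uses the attribute and flag values published in Microsoft's MS-CRTD template specification.

```powershell
# Added example (not HYPR's code): verify the non-exportable security key
# template against steps 1-4 by reading its AD object. Template name below is
# an assumed placeholder.

# Flag values from MS-CRTD (certificate template schema)
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100   # msPKI-Enrollment-Flag: "Prompt the user during enrollment"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000   # msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_REQUIRE_ANY       = 0xF0000000   # DNS-as-CN, e-mail, common name, directory path bits

$OID_CLIENT_AUTH      = '1.3.6.1.5.5.7.3.2'
$OID_SMART_CARD_LOGON = '1.3.6.1.4.1.311.20.2.2'
$REQUIRED_KSP         = 'Microsoft Smart Card Key Storage Provider'

function Test-SecurityKeyTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [ADSI]::Exists($path)) { throw "Template '$TemplateName' not found at $path" }
    $t = [ADSI]$path

    # Single-valued integer attribute, 0 when absent
    function Get-IntAttr([string]$Name) {
        $v = $t.Properties[$Name].Value
        if ($null -eq $v) { 0 } else { [int]$v }
    }

    $privKey  = Get-IntAttr 'msPKI-Private-Key-Flag'
    $enroll   = Get-IntAttr 'msPKI-Enrollment-Flag'
    $nameFlag = Get-IntAttr 'msPKI-Certificate-Name-Flag'
    $keySize  = Get-IntAttr 'msPKI-Minimal-Key-Size'
    $schema   = Get-IntAttr 'msPKI-Template-Schema-Version'   # 3+ = CNG / Key Storage Providers
    $ekus     = @($t.Properties['pKIExtendedKeyUsage'])       # application policy OIDs
    $csps     = @($t.Properties['pKIDefaultCSPs'])            # entries look like "1,<provider name>"

    $checks = @(
        @{ Name = 'Private key is NOT exportable';
           Pass = ($privKey -band $CT_FLAG_EXPORTABLE_KEY) -eq 0 }
        @{ Name = 'User is prompted during enrollment';
           Pass = ($enroll -band $CT_FLAG_USER_INTERACTION_REQUIRED) -ne 0 }
        @{ Name = 'Subject is built from AD, not supplied by the enrollee';
           Pass = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0 }
        @{ Name = 'Subject name format is None';
           Pass = ($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_ANY) -eq 0 }
        @{ Name = 'UPN is included in the Subject Alternative Name';
           Pass = ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0 }
        @{ Name = 'Application policies are exactly Client Authentication + Smart Card Logon';
           Pass = ($ekus.Count -eq 2) -and ($ekus -contains $OID_CLIENT_AUTH) -and ($ekus -contains $OID_SMART_CARD_LOGON) }
        @{ Name = 'Minimum key size is at least 2048 bits';
           Pass = $keySize -ge 2048 }
        @{ Name = 'Template uses Key Storage Providers (schema version 3 or later)';
           Pass = $schema -ge 3 }
        @{ Name = "Only allowed provider is '$REQUIRED_KSP'";
           Pass = ($csps.Count -eq 1) -and ($csps[0] -like "*,$REQUIRED_KSP") }
    )

    foreach ($c in $checks) {
        $result = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $c.Name; Result = $result }
    }
}

$results = Test-SecurityKeyTemplate -TemplateName 'HYPRSecurityKey'   # assumed name
$results | Format-Table -AutoSize
if ($results | Where-Object Result -eq 'FAIL') { exit 1 }
```

Run it after Select OK and before issuing the template on the CA; a FAIL on the exportable-key or provider rows means a key could be generated in software or exported, which defeats the point of a non-exportable security key template. Changes made in the console can take a replication interval to appear on the Domain Controller the script queries.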

After creating the template, publish it on the issuing CA (Certificate Templates > New > Certificate Template to Issue) and configure the HYPR Passwordless client to use the securityKeyCertTemplate parameter for security key and smart card pairings. See Installing Manually for parameter definitions.