When you request Key Encipherment and Key Agreement in the key usage, we strip off the Key Agreement flag by default. Here are the available flags:

#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_NON_REPUDIATION_KEY_USAGE 0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE
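
One way to confirm the stripping described above is to compare the Key Usage extension in the request with the one in the issued certificate. The C code below is an added example, not code from the original page: it parses the DER BIT STRING of each extension value and reports when Key Agreement was dropped. The 0x20 and 0x08 masks are the standard wincrypt.h values, which the cut-off list above does not show, and the function names and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key usage masks for the first usage byte. 0x80 is quoted on the page;
   0x20 and 0x08 are the standard wincrypt.h values (assumption: not on the page). */
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE  0x20
#define CERT_KEY_AGREEMENT_KEY_USAGE     0x08

/* Constructed samples: KeyUsage extension values as DER BIT STRINGs. */
static const uint8_t SAMPLE_REQUESTED[] = {0x03, 0x02, 0x03, 0xA8}; /* sig + encipherment + agreement */
static const uint8_t SAMPLE_ISSUED[]    = {0x03, 0x02, 0x05, 0xA0}; /* sig + encipherment only */

/* Parse a DER-encoded KeyUsage BIT STRING; return its first usage byte
   (0..255) or -1 if the encoding is malformed. */
int key_usage_first_byte(const uint8_t *der, size_t len) {
    if (len < 3 || der[0] != 0x03) return -1;       /* tag must be BIT STRING */
    size_t clen = der[1];                           /* short-form length only */
    if (clen < 1 || clen > 3 || clen + 2 != len) return -1;
    uint8_t unused = der[2];                        /* unused bits in the last byte */
    if (unused > 7 || (clen == 1 && unused != 0)) return -1;
    if (clen == 1) return 0;                        /* empty bit string: no usages */
    uint8_t b = der[3];
    if (clen == 2) b &= (uint8_t)(0xFF << unused);  /* ignore padding bits */
    return b;
}

/* Return 1 if the request asked for Key Encipherment and Key Agreement but the
   issued certificate kept only Key Encipherment, 0 if not, -1 on a parse error. */
int key_agreement_stripped(const uint8_t *req, size_t rlen,
                           const uint8_t *iss, size_t ilen) {
    int r = key_usage_first_byte(req, rlen);
    int i = key_usage_first_byte(iss, ilen);
    if (r < 0 || i < 0) return -1;
    int both = CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_KEY_AGREEMENT_KEY_USAGE;
    return (r & both) == both
        && (i & CERT_KEY_ENCIPHERMENT_KEY_USAGE) != 0
        && (i & CERT_KEY_AGREEMENT_KEY_USAGE) == 0;
}

int main(void) {
    int s = key_agreement_stripped(SAMPLE_REQUESTED, sizeof SAMPLE_REQUESTED,
                                   SAMPLE_ISSUED, sizeof SAMPLE_ISSUED);
    printf("Key Agreement stripped by CA: %s\n", s == 1 ? "yes" : s == 0 ? "no" : "parse error");
    return 0;
}
```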