The other day a customer of mine was creating certificate requests with a code like the following: How to create a certificate request with CertEnroll and .NET (C#). He wanted to set the certificate's Key Usage to Digital Signature instead of Key Encipherment. So he did something like this in his code:
objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
But even after doing that, the enrolled certificate showed Key Encipherment usage. The cause of this was their custom certificate template, which was configured for Key Encipherment instead of Signing, thus overriding the settings we were configuring in our code. We modified the template and the code worked as expected.
I hope this helps.
Alex (Alejandro Campos Magencio)