http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cenroll.asp ; This seems to be the solution, it needs to be tested: cec.addAttributeToRequest(0,"1.3.6.1.4.1.18506.1.1","THISISAQUALIFIEDREQUEST") cec.addExtensionToRequest(FALSE,"1.3.6.1.4.1.18506.1.1","THISISAQUALIFIEDREQUEST") cec.addNameValuePairToRequest(0,"1.3.6.1.4.1.18506.1.1","THISISAQUALIFIEDREQUEST") ; This might help too: cec.addCertTypeToRequest("qstr:ThisIsAQualifiedRequest") ;For testing: cec.createFileRequest(XECR_PKCS10_V2_0,DN,OID,"C:\MyRequest.p10") BOOL bUEKS; HRESULT hr; // pEnroll is previously instantiated ICEnroll interface pointer // get the UseExistingKeySet value hr = pEnroll->get_UseExistingKeySet( &bUEKS ); if (FAILED( hr )) printf("Failed get_UseExistingKeySet - %x\n", hr ); else printf( "UseExistingKeySet: %d\n", bUEKS ); // set the UseExistingKeySet value hr = pEnroll->put_UseExistingKeySet( TRUE ); if (FAILED( hr )) printf("Failed put_UseExistingKeySet - %x\n", hr ); else printf( "UseExistingKeySet set to TRUE\n" );