We are using EAP-TLS for our wireless network. And were wondering, when a user makes a request for a certificate to authenticate they have the option to mark their private keys as exportable (We're using the mSOFT certification authority). This means they can move that certificate to another machine if they want. We want to stop this from being able to happen. When they make the request, I am the one that has to issue the certificate, but from what I can see in the MCA there is no way to see if they had that option checked. Does anyone know if it's possible and/or how to disable that ability? or do we have to switch to a different certification authority that supports it?