Two key-specs are available for a private key in CSP:
Signature (to sign) and Exchange (ssl sessions - or sign + encryption).
To force a specific key spec we need to import a PFX with certutil using the following parameters:
certutil -importPFX test.pfx AT_SIGNATURE