Yes, you're looking in the wrong place. The option is on the certificate request form, but only if you are using Internet Explorer, not with Thunderbird. When applying for a certificate using Internet Explorer, there is a request to allow the Active-X Control "Certificate Enrollment Control". When it installs, a link for Advanced Private Key Options appears immediately above the section for the Revocation Password. Clicking on the link opens a form with options for CSP, Key Size, Exportable, and User Protected. When Firefox is used with the default rendering engine, there is only an option for key size. Using the IE engine in Firefox for the same page gets the advanced options link.