For each user, the CSP usually maintains two public/private key pairs. These keys are maintained from session to session.
The key exchange key pair (also known as the exchange key) is used to encrypt session keys so that they can be safely stored and exchanged with other users. This is discussed in detail in Exchanging Cryptographic Keys.
The digital signature key pair (also known as the signature key) is used to sign hashes of data. This is discussed in detail in Hashes and Digital Signatures.
There are a number of reasons for having two separate key pairs. For example, some CSP developers may opt to use one algorithm for key exchange and another for digital signatures. This is because some digital signature algorithms are unsuitable for encryption or key exchange, and vice versa. Also, if some data (for example, a session key) is both signed and encrypted with the same key pair, subtle weaknesses could be introduced that make the data vulnerable.
The exchange key and the signature key pairs are created by calling the CryptGenKey function and specifying either AT_KEYEXCHANGE or AT_SIGNATURE. The CSP implements these keys in an application-independent manner. Applications do not have access to the details about the algorithm used.