Tokens can hold certificates as well as logon information. It is also possible to save
just the private part of the certificate (.p12 file) on the token. However, users can
then only log on with the token. We recommend that you use PKI certificates.
You can assign authentication data to tokens as follows:
- by generating certificates directly on the token
- by assigning data which is already on the token
- by importing certificates from a file
Note: CA certificates cannot be obtained from a token and stored in the database or certificate
store. If you use CA certificates, these need to be available as files and not just
on a token. This also applies to CRLs (Certificate Revocation Lists). Moreover, the
CA certificates must match the CRL before users can log on to the computers
concerned. Check that the CA and the corresponding CRL are correct. SafeGuard Enterprise
does not carry out this check! SafeGuard Enterprise can then only communicate with
expired certificates if old and new keys are present on the same card.
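
The CA/CRL check that the note leaves to the administrator can be scripted before the files are imported. The following is an added example, not SafeGuard Enterprise code: it assumes the Python `cryptography` package and reads "match" as the CRL naming the CA as issuer, carrying a valid signature from the CA's key, and not being past its next-update time. The `make_demo_*` helpers and all names are hypothetical and only construct throwaway sample input.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _now():
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC

def _naive_utc(obj, attr):
    """Read a validity field as naive UTC on old and new cryptography versions."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value.replace(tzinfo=None) if value else None

def make_demo_ca(cn):
    """Constructed throwaway CA: returns (private key, subject name, PEM cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - dt.timedelta(days=1))
            .not_valid_after(_now() + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, name, cert.public_bytes(serialization.Encoding.PEM)

def make_demo_crl(key, issuer_name, valid_days=7):
    """Constructed CRL (DER bytes) signed by `key` under `issuer_name`."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(issuer_name)
           .last_update(_now() - dt.timedelta(days=30))
           .next_update(_now() + dt.timedelta(days=valid_days))
           .sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def _load(data, pem_loader, der_loader):
    """Accept PEM or DER, since exported files come in either encoding."""
    return pem_loader(data) if data.lstrip().startswith(b"-----BEGIN") else der_loader(data)

def check_crl_matches_ca(ca_bytes, crl_bytes):
    """Return a list of problems; an empty list means CA and CRL belong together."""
    ca = _load(ca_bytes, x509.load_pem_x509_certificate, x509.load_der_x509_certificate)
    crl = _load(crl_bytes, x509.load_pem_x509_crl, x509.load_der_x509_crl)
    next_update = _naive_utc(crl, "next_update")
    checks = [
        (crl.issuer != ca.subject, "issuer-mismatch"),
        (not crl.is_signature_valid(ca.public_key()), "bad-signature"),
        (next_update is not None and next_update < _now(), "crl-stale"),
    ]
    return [label for failed, label in checks if failed]
```

For real files, pass the bytes read from the CA certificate file and the CRL file to `check_crl_matches_ca` and import them only when the returned list is empty.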