https://support.certum.eu/en/how-to-activate-and-install-a-certum-code-signing-certificate-on-a-cryptographic-card-instructions/

• Short story: Must have the Certum Sign Service running, card open and reading in CardManager, and everything else is done in the web browser. The website generates the certificate, saves it to the card via the Sign Service, and nothing is done for the certificate generation in the CardManager program itself. Once the website talks to the card and generates the certificate, it then goes back to Certum for an automated validation and registration process (maybe 3 minutes?). Then the key is ready to be permanently installed to the card, again, using the web-based tool that talks to the card via the Sign Service.

Installing certificates from proCertum CardManager to Windows certificate manager (make sure CSP driver is used in proCertum!) https://www.reddit.com/r/opensource/comments/1fsb1nl/instructions_for_using_windows_signtoolexe_w/

• Short story: Must use CSP (Windows Cryptographic Service Provider) driver to access private key via Windows, then click "Register Certificates" to import private & public key into Windows Certificate store. (Maybe Minidriver works since program update? Maybe not? Use CSP...)
• Note: downloading the .pem or .cer does not help because those are only the public key- the private key is needed for signing!

Note re image: "Register Certificates" button only appears when using the CSP driver (select driver in CardManager options! May have changed with program update.... maybe Minidriver works for this now??). After registering to the Certificate Store, the icon next to "Open Source Developer" has both a certificate and a key indicating public and private keys are registered for signing.