When creating new smart cards using FIM/MIM CM, it's not clear where the private key is actually generated. Ideally it should be generated on the card's hardware and only the public key shipped to the server to create the certificate. I can find little documentation on this subject.
Moreover, if the keys are generated on the card, does the option to 'Generate encryption keys on server' change that behavior?
Bryan Berns