A key pair is usually generated in software in the user's browser, the public part is incorporated in the certificate request and this is signed with the secret part in order to provide proof of the authenticity of the public key. The secret key is then stored in the computer and password protected (usually in a PKCS #12 container).

In contrast, TeleSec NetKey/ IDKey introduces key pairs that were created in T-Systems' trust center in a highly secure key generator. This key generator can only export these keys to appropriate TCOS chips. This export is cryptographically secure enough to prevent any possibility of keys being intercepted. There can therefore be no key copies.

Middleware integrates NetKey/ IDKey into the operating system platform in a way that ensures that the public key material of the TCOS smartcard is used when an application requests a key pair.