The Certificate Token lets you enroll an x509 ceritificate by the given CA.
The server will create the private RSA key and store it in the database. You can later download the PKCS#12 file.