The private key is created using the DigiSign Utility on the client system.
A key request is sent to the Certifying Authority (RSA, usually), which uses
the request (based on the private key created on the client) to create a
corresponding public key. This is placed in a signer approval file and sent
back to the client. The user then uses the DigiSign Utility on the client
system to merge the signer approval file with the private key and create a
signer containing both key pairs.