Which kind of certificate is needed for unlocking token-protected keychain
I use a USB smartcard for login to macOS; this works quite well. In the past I used a self-signed certificate generated by the smartcard. This certificate was also used for unlocking the token-protected keychain. This also worked fine.
Now I want to replace this certificate with an officially signed personal certificate from one of the trust centers like COMODO, Entrust, GlobalSign etc.
So I generated a test certificate, installed it on the smartcard, and used sc_auth to pair my user again with the new certificate. This worked fine for the login, but it did not work for the keychain. When I try to pair it, I get the following error (see screenshot).
When I go back and use a self-signed certificate, the pairing works again, also for the keychain.
So, my consideration is that something is missing in the certificate.
Is there anybody out there who has an idea what's going wrong here?
ciao
mr_drlove
MacBook Pro 15″, 10.15