If key pairs and certificates are not stored on smart cards, they must be kept in a local key store on the mail user’s computer (client machine). Their browser provides the key store and also has commands to download a key pair and certificate to the key store. The key store may be password-protected; this depends on the browser.
Libraries from the vendor of the browser are required on the user’s computer to support a local key store. See 24.8 Key Access Libraries for the Client Machines for more information.