Question:

Is it necessary to import certificate from USB token to Windows CertStore to sign with success?

If YES, is there a way to do it programmatically and obtain the CommonName to store somewhere for future use?

It will be very heavy for us to do it manually for each customer.

Answer:

Yes, the certificate from the certificate-based USB token must be installed to the Windows certificate store.  The underlying Microsoft CNG (Cryptographic Next Generation) API needs this to know where the private key is located, which is on the USB hardware token.  Unfortunately, I don’t know of a way to automate the installation of a USB token, or if it’s even possible.