Our new national ID cards (called 'citizen card') here in Portugal work like that.
They have a keypair and the private part is never transmitted out of if: the card itself can (when plugged in a reader) sign and encrypt data sent to it. So it's secure even when using a public (not trusted) machine; I mean, it can spy on your connection, but it can't clone the key.
The certificate can be used in browsers to login to websites that support it or any other applications that implement the right PKCS standard.
They have a keypair and the private part is never transmitted out of if: the card itself can (when plugged in a reader) sign and encrypt data sent to it. So it's secure even when using a public (not trusted) machine; I mean, it can spy on your connection, but it can't clone the key.
The certificate can be used in browsers to login to websites that support it or any other applications that implement the right PKCS standard.