Why is the user certificate for ( ISR ) supplied with a private key?

The private key for the user certificate is provided because
many users requested the private key so that the user certificate
can be added to the keyring with USAGE(PERSONAL) instead of the
previously required USAGE(CERTAUTH).

The private key is not required - but is supplied in the P12 package.
To use the user certificate without the private key, the ACF2 EXPORT
 command can be used. Then delete the certificate from the
ACF2 database and re-insert without the private key.

The certificate will then only have the public key.
If you reinsert the certificate into the database with a key of CERTAUTH.xxxxxx you will 
also be able to specify a virtual keyring to the ISR job.
This will enable  ALL CERTAUTH certificates to be returned without being
reference by name in the keyring.