Requirements of certificate key usage when encrypting SSO data (SecureLogin) using PKI credentials

  • 7940868
  • 19-Aug-2009
  • 26-Apr-2012

Environment

Novell SecureLogin


Situation

Using SecureLogin to encrypt SSO data using PKI credentials, are there any requirements for the certificate key usage?

Certificate key requirements


Resolution

SecureLogin includes options for the encryption of SSO data using a passphrase and/or PKI credentials. If using PKI credentials, the public key is used to encrypt SSO data. The private key, stored on a PIN protected smart card, is used to decrypt SSO data.

SecureLogin checks whether the certificate is valid for encryption. It verifies that either "CERT_KEY_ENCIPHERMENT_KEY_USAGE" or "CERT_DATA_ENCIPHERMENT_KEY_USAGE" is set in the certificate's X.509 key usage field. (These correspond to the "Key Encipherment" and "Data Encipherment" key usages.)

If a certificate on the smart card has either of these key usages, SecureLogin will use it to encrypt SSO data. If multiple certificates exist, the correct certificate can be specified using certificate selection criteria.
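The following is an added example, not SecureLogin's own code, showing how the key usage check described above works at the byte level. The X.509 KeyUsage extension is a DER BIT STRING whose bit 0 sits in the most significant bit of the first content octet, so the CryptoAPI flag values CERT_KEY_ENCIPHERMENT_KEY_USAGE (0x20) and CERT_DATA_ENCIPHERMENT_KEY_USAGE (0x10) map directly onto that octet. The decoder uses only the standard library; the certificate labels and KeyUsage bytes in SAMPLE_CARD are constructed for illustration, and treating a certificate with no KeyUsage extension as not qualifying is an assumption drawn from the TID's statement that the bit must be set.

```python
"""Check an X.509 KeyUsage extension for the key usages SecureLogin requires.

KeyUsage is a DER BIT STRING (RFC 5280, section 4.2.1.3). Bit 0 is the most
significant bit of the first content octet, so CryptoAPI's key-usage flags map
directly onto that octet.
"""
from typing import Iterable, List, Optional, Tuple

# CryptoAPI flag values for the first octet of the KeyUsage BIT STRING.
CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80
CERT_NON_REPUDIATION_KEY_USAGE = 0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE = 0x10
CERT_KEY_AGREEMENT_KEY_USAGE = 0x08
CERT_KEY_CERT_SIGN_KEY_USAGE = 0x04
CERT_CRL_SIGN_KEY_USAGE = 0x02
CERT_ENCIPHER_ONLY_KEY_USAGE = 0x01

# Either of these satisfies the SecureLogin encryption check described in the TID.
SSO_ENCRYPTION_USAGES = CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE

KEY_USAGE_NAMES = [
    (CERT_DIGITAL_SIGNATURE_KEY_USAGE, "digitalSignature"),
    (CERT_NON_REPUDIATION_KEY_USAGE, "nonRepudiation"),
    (CERT_KEY_ENCIPHERMENT_KEY_USAGE, "keyEncipherment"),
    (CERT_DATA_ENCIPHERMENT_KEY_USAGE, "dataEncipherment"),
    (CERT_KEY_AGREEMENT_KEY_USAGE, "keyAgreement"),
    (CERT_KEY_CERT_SIGN_KEY_USAGE, "keyCertSign"),
    (CERT_CRL_SIGN_KEY_USAGE, "cRLSign"),
    (CERT_ENCIPHER_ONLY_KEY_USAGE, "encipherOnly"),
]


def _read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value element; return (tag, value, next offset)."""
    if len(data) < offset + 2:
        raise ValueError("truncated DER element")
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < pos + nbytes:
            raise ValueError("invalid DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if len(data) < pos + length:
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der: bytes) -> int:
    """Return the first-octet KeyUsage flags from a DER BIT STRING.

    Accepts either the bare BIT STRING (tag 0x03) or the extnValue OCTET STRING
    (tag 0x04) that wraps it inside the certificate's Extensions sequence.
    """
    tag, value, _ = _read_tlv(der)
    if tag == 0x04:
        tag, value, _ = _read_tlv(value)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING (tag 0x03)")
    if not value:
        raise ValueError("BIT STRING is missing its unused-bits octet")
    unused, bits = value[0], value[1:]
    if unused > 7 or (not bits and unused != 0):
        raise ValueError("invalid unused-bits count")
    # DER requires the padding bits to be zero; a non-zero tail is malformed.
    if bits and unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits in KeyUsage BIT STRING")
    return bits[0] if bits else 0


def key_usage_names(flags: int) -> List[str]:
    """Human-readable names of the set first-octet KeyUsage bits, in bit order."""
    return [name for flag, name in KEY_USAGE_NAMES if flags & flag]


def usable_for_sso_encryption(key_usage_der: Optional[bytes]) -> bool:
    """Mirror the TID's check: keyEncipherment or dataEncipherment must be set.

    None means the certificate has no KeyUsage extension; it is treated as not
    qualifying here (assumption: the TID requires the bit to be present and set).
    """
    if key_usage_der is None:
        return False
    return bool(decode_key_usage(key_usage_der) & SSO_ENCRYPTION_USAGES)


def select_encryption_candidates(certificates: Iterable[Tuple[str, Optional[bytes]]]) -> List[str]:
    """Labels of certificates whose KeyUsage qualifies, in card order.

    Malformed extensions are skipped rather than raised, so one bad
    certificate on a card does not hide the usable ones.
    """
    candidates = []
    for label, der in certificates:
        try:
            if usable_for_sso_encryption(der):
                candidates.append(label)
        except ValueError:
            continue
    return candidates


# Constructed sample: KeyUsage extension values as they might be read from a
# smart card holding several certificates (hypothetical labels, not real certs).
SAMPLE_CARD = [
    ("signing-cert", bytes.fromhex("030206C0")),       # digitalSignature, nonRepudiation
    ("encryption-cert", bytes.fromhex("040403020520")), # keyEncipherment, wrapped in extnValue
    ("dual-use-cert", bytes.fromhex("030205A0")),      # digitalSignature, keyEncipherment
    ("data-enc-cert", bytes.fromhex("03020410")),      # dataEncipherment
    ("agreement-cert", bytes.fromhex("03020308")),     # keyAgreement only
    ("no-keyusage-cert", None),                        # extension absent
    ("broken-cert", bytes.fromhex("03020521")),        # non-zero padding bits
]

if __name__ == "__main__":
    for label, der in SAMPLE_CARD:
        try:
            names = key_usage_names(decode_key_usage(der)) if der else ["<no KeyUsage>"]
            verdict = "usable" if usable_for_sso_encryption(der) else "rejected"
        except ValueError as exc:
            names, verdict = [f"malformed: {exc}"], "rejected"
        print(f"{label:18} {verdict:9} {', '.join(names)}")
    print("candidates:", select_encryption_candidates(SAMPLE_CARD))
```

Run on the sample card, only "encryption-cert", "dual-use-cert" and "data-enc-cert" survive the check; the signing-only and keyAgreement-only certificates are rejected, as is one lacking the extension. When several certificates qualify, this candidate list is what a selection criterion (for example a subject or issuer match) would then narrow down to the one SecureLogin should use.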