Writing things down sometimes helps…
I think I understand it better but it still does NOT work.
When pressed, the NEO generates a 44-character long key.
The first 12 characters (6 bytes) are actually the Public Identity.
So, I keep the check-mark in the emit UID box (meaning the 12 characters get attached in front of the secret key).
Now I just put the secret key - last generated, 32 characters long - in the OTP Key field (16 bytes, AES compliant).
This is enough for the token to be allowed to enroll… Private Identity key is not used…
It does make sense. But still an error when testing. This time the message says “OTP verification failed”…
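
For reference, an added example (not part of the original post, and not code from Yubico or from the server being enrolled against): it splits a 44-character token output into the 12-character public identity and the remaining 32 characters, and decodes both from modhex. In the Yubico OTP format those 32 characters are the AES-128-encrypted block the token emits on each press. The sample OTP and all function names are constructed for illustration.

```python
# Modhex is the keyboard-layout-safe alphabet the token types:
# the character at index i stands for hex digit i.
MODHEX = "cbdefghijklnrtuv"
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
_FROM_HEX = str.maketrans("0123456789abcdef", MODHEX)


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to raw bytes, rejecting foreign characters."""
    text = text.strip().lower()
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a valid modhex string")
    return bytes.fromhex(text.translate(_TO_HEX))


def modhex_encode(data: bytes) -> str:
    """Encode raw bytes as modhex (used here only to build the sample)."""
    return data.hex().translate(_FROM_HEX)


def split_otp(otp: str, public_id_chars: int = 12):
    """Return (public_id_modhex, public_id_bytes, encrypted_block).

    public_id_chars is 12 when the token emits its UID, 0 when it does not.
    The final 32 characters are always the 16-byte encrypted block.
    """
    otp = otp.strip().lower()
    if len(otp) != public_id_chars + 32:
        raise ValueError(f"expected {public_id_chars + 32} characters, got {len(otp)}")
    public_id = otp[:public_id_chars]
    return public_id, modhex_decode(public_id), modhex_decode(otp[public_id_chars:])


# Constructed sample values, not captured from a real token.
SAMPLE_PUBLIC_ID = bytes.fromhex("ff0000000001")  # 6 bytes -> 12 modhex chars
SAMPLE_BLOCK = bytes(range(16))                   # stands in for the ciphertext
SAMPLE_OTP = modhex_encode(SAMPLE_PUBLIC_ID + SAMPLE_BLOCK)

if __name__ == "__main__":
    pid, pid_bytes, block = split_otp(SAMPLE_OTP)
    print("OTP             :", SAMPLE_OTP, f"({len(SAMPLE_OTP)} chars)")
    print("public identity :", pid, "=", pid_bytes.hex())
    print("encrypted block :", block.hex(), f"({len(block)} bytes)")
```

Pressing the token twice and running both outputs through `split_otp` shows the public identity staying fixed while the 16-byte block changes.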