Electronic digital signature
doexec, 2019-08-28 03:29:00

Storage, accounting, monitoring of EDS in small/medium business?

Share your experience - who, how (and where) stores EDS at their enterprises?
There are several legal entities, they have several electronic signatures, in the IT department there are 2-3 people of different competence, distributed offices and people.
Ideally, I see an internal web server and a couple of PHP pages with sessions and authorization, where there will be a list of legal entities (let's say tabs), then grouping by Certification Authorities (let's say accordions), and then the certificates themselves: owner's name, date and time of issue and expiry, a link to the CER, PFX, root certificates and a link to the CA (so as not to search if something happens).
You can sit and build on a framework like Yii quickly and beautifully.

6 answer(s)
krosh, 2019-08-28
@krosh

That's right - store the private part of the key only on physical tokens, not on the server, not in the registry. Especially when it comes to GOST.
What is the purpose of your event - accounting or mobile use? If there is a reasonable amount of certificates, then you should not bother further than a regular table. The main thing you need to monitor is the expiration date of the certificate and to whom it was issued. When accounting for an ES, it is necessary to record both the name of the subject and the username of who uses the ES (it is not necessary to do this, but it happens), and the number of the carrier / token, which means that carriers must also be taken into account separately.
Buy tokens for offices and make copies (this is also not correct, but it will allow you to work in different places). Better yet, issue an ES to each person in charge and a power of attorney for the type of work.

Andrey Ermachenok, 2019-08-28
@eapeap

Why does the IT department have to do this?
Banking, for tax, etc. EDS is received, used, stored and tracked.
EDS for trading floors - salesmen and buyers. And they are tracking.
In principle, you do not need to store other people's EDS. Well, money will leave the account to the left - do you want to be extreme along with your department?

Vladimir, 2019-08-28
@SibUrsus

If you have personal data of employees, it means it is already an ISPD. And this means that there is a non-zero probability that the inspectors will come with instruction 152 FAPSI at the ready and make you a bo-bo.
Everything must be done according to it, the rest is a game with the state "who has a higher jet." The state always wins, for some reason.

Igor, 2019-08-28
@Lopar

You are overcomplicating. Restricted folder. There are keys and a textbook with a description. If panic is panic and you don’t need to stop re-issuing something (although panic is usually the domain of accounting), create a reminder in your calendar that will yell for a month / for a week.

Dmitry Shumov, 2019-08-28
@dshumov

Colleagues, why didn't anyone mention the Excel + calendar combination? In Excel we keep a list and record of what there is, and in the calendar we put a reminder about the expiration deadlines of certificates and digital signatures. I have had this combination working for 3 years and everything is OK. And no extra information in the public domain and release dates will be lost ...
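
An added example, not code posted by anyone in this thread: a small audit over the kind of table the answers describe (subject, who uses the signature, token number, expiry date), flagging entries that are expired, due within a week or a month, or recorded without a token. The column names, the 7/30-day thresholds and every sample row are assumptions constructed for illustration; only metadata is tracked here, the private keys stay on the tokens.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory: every name, serial and date is made up.
SAMPLE_CSV = """legal_entity,ca,subject,used_by,token_serial,not_after
Alpha LLC,Example CA 1,Ivanov I.I.,ivanov,TKN-0001,2019-09-02
Alpha LLC,Example CA 1,Petrova A.A.,petrova,TKN-0002,2019-09-20
Beta LLC,Example CA 2,Sidorov S.S.,sidorov,,2020-03-01
Beta LLC,Example CA 2,Sidorov S.S.,buh1,TKN-0004,2019-08-01
"""

WEEK, MONTH = 7, 30  # assumed reminder thresholds, in days before expiry


def classify(days_left):
    """Map days until expiry to a reminder level."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= WEEK:
        return "WEEK"
    if days_left <= MONTH:
        return "MONTH"
    return "OK"


def audit(csv_text, today):
    """Return rows needing attention, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_after = datetime.strptime(row["not_after"].strip(), "%Y-%m-%d").date()
        days_left = (not_after - today).days
        problems = []
        status = classify(days_left)
        if status != "OK":
            problems.append(status)
        # A certificate with no recorded carrier cannot be traced to a token.
        if not row["token_serial"].strip():
            problems.append("NO_TOKEN")
        if problems:
            findings.append({"legal_entity": row["legal_entity"],
                             "used_by": row["used_by"],
                             "days_left": days_left,
                             "problems": problems})
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV, date(2019, 8, 28)):
        print(f["legal_entity"], f["used_by"], f["days_left"], ",".join(f["problems"]))
```

Run from a daily scheduled job, the output can feed whatever reminder channel is already in use.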
