Thanks for correcting me, I vaguely remember external key generation being possible/done but google is being useless at helping me find where I read about it.
External key generation could still make sense as Estonian ID card were suspectible to the Infineon bug. One workaround to that bug would be generating the key in software and putting it on the card. (I'm not saying that's the case, but merely that it may make sense.)
