This release fixes the following bugs:

  • Fixed errors caused by some encryption algorithms for PKCS#8 private key files (reported by Osys)
  • Fixed bug in certificate extension viewer (unknown OID caused an error)
  • Fixed update check interval
  • Fixed a bug where the default DN could not include empty RDNs
  • Fixed bug that caused an error when trying to access a PKCS#11 keystore under Java 9

This release includes the following bug fixes and enhancements:

  • Java 9: Fixed ECDSA signature problem with Brainpool curves (reported by Davyd Santos).
  • Java 9: Unable to launch on macOS (reported by Nicolas Henneaux, partial fix by Frank Dietrich).
  • Certificate Extension Viewer: When an extension contained multiple URIs, everything after the first URI was not displayed.
  • macOS version: Removed version number from application name (requested by Don Montalvo).
  • The included Bouncy Castle library has been updated to version 1.58.

This release includes the following new features, enhancements and bugfixes:

New Flexible DN Chooser

In older versions of KSE the dialog for entering the Distinguished Name (DN) had a strict scheme of 7 commonly used name components (CN, OU, O, L, ST, C, E) in the commonly accepted order. It was not possible to use other name components such as SerialNumber (SN). It was also not possible to create a DN with more than one occurrence of the same attribute (OU in particular is often used more than once in a DN).

The new DN chooser dialog lets you add and remove RDNs (relative distinguished names) at any position by clicking the "+" and "-" buttons. For every RDN you can select one of the following name components:

  • Common Name (CN)
  • Organizational Unit (OU)
  • Organization (O)
  • Locality (L)
  • State (ST)
  • Country (C)
  • Email Address (E)
  • SerialNumber (SN)
  • GivenName (GN)
  • Surname (SURNAME)
  • DomainComponent (DC)

The new DN chooser dialog defaults to almost the same scheme as before (CN, OU, O, L, ST, C) with only email address removed (according to RFC 5280 it belongs in the SubjectAlternativeName extension).

Flexible Validity Date Selection

The validity of a certificate generated by KSE used to start at the point in time when it was issued. The certificate generation dialog only provided a setting for a validity period in years, months, weeks or days, and the validity end date was calculated by adding this period to the current date and time. Most of the time this is sufficient. However, there are scenarios where it is necessary to create a certificate with a notBefore that lies in the past or in the future.

KSE 5.3 lets you freely select both the validity start ("notBefore") and the validity end ("notAfter").

The validity start defaults to the current date and time. The old behavior can therefore still be achieved by selecting the desired number of years/months/weeks/days as before and then clicking the apply button. This sets the end date accordingly.

This new feature is a contribution by Michele Mariotti.
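The two features above (flexible DN and free choice of notBefore/notAfter) correspond to the following certificate fields. This is an added example, not KSE's own code: it builds a self-signed certificate with the Bouncy Castle API, assuming the bcprov and bcpkix jars are on the classpath, and all names, dates and the serial number are constructed sample values.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class FlexibleDnExample {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed DN: OU appears twice, SERIALNUMBER is included, no email RDN.
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.CN, "example.test")
                .addRDN(BCStyle.OU, "Engineering")
                .addRDN(BCStyle.OU, "Security")
                .addRDN(BCStyle.O, "Example Org")
                .addRDN(BCStyle.C, "DE")
                .addRDN(BCStyle.SERIALNUMBER, "A-0001")
                .build();
        // notBefore is set explicitly (one day in the past) instead of "now".
        Instant now = Instant.now();
        Date notBefore = Date.from(now.minus(1, ChronoUnit.DAYS));
        Date notAfter = Date.from(now.plus(365, ChronoUnit.DAYS));
        // Serial number larger than 32 bits (constructed value).
        BigInteger serial = new BigInteger("1234567890123456789012");
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                subject, serial, notBefore, notAfter, subject, kp.getPublic()).build(signer);
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
        // Self-signed: verify with its own key, then check the validity window.
        cert.verify(kp.getPublic());
        cert.checkValidity();
        System.out.println(subject + " serial=" + cert.getSerialNumber());
        System.out.println(cert.getNotBefore() + " .. " + cert.getNotAfter());
    }
}
```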

Other Enhancements

  • Added support for QcStatements OID (PKI Disclosure Statements) and OID (Type) for eIDAS certificates in certificate viewer (contributed by Jordi Pinzón)
  • Windows installer: Silent installation now possible (contributed by shivan)
  • Maximum key length for DSA keys is now 2048 (contributed by Luís Câmara)
  • Export certificate chain in PEM format (requested by several users)
  • Improved file name suggestions for OpenSSL key export in order to avoid name collisions (suggested by Daniel Mota Leite)
  • Improved German translation (mostly by Frank Dietrich)
  • Compatible with Java 9 now
  • Updated included Bouncy Castle library to 1.57

Bug Fixes

  • DNs with components other than CN, OU, O, L, ST, C, E and/or several occurrences of the same name attribute are now properly displayed (reported by Tom Van Oppens)
  • Fixed EC private key export (reported by Karsten Ohme)
  • Serial number is no longer limited to 32 bits (reported by Luís Câmara)
  • Fixed NPE when exporting a private key in MSCAPI keystore with DnD (reported by dmatob)
