• Comparing certificates - two ways to compare certificates have been added:
    1. Side-by-side textual comparison: By selecting two certificates in the main view and choosing "Compare" in the context menu, a summary of the most important certificate data and an ASN.1 dump of both certificates is displayed side by side and the differences are marked in a contrasting color (contributed by Jairo Graterón).
    2. Multiple certificate view dialogs: The certificate viewer dialog is now non-modal, which means several instances of this dialog can be kept open at the same time. This allows to view multiple certificates at the same time (contributed by Piotr Kubiak).
  • Added new configuration options:
    • Size of generated certificate serial number (contributed by dedabob)
    • FlatLaf macOS themes
  • Added functionality to examine JWT in system clipboard (contributed by Afonso Fernandes)
  • Added PBES2 algorithms as encryption options for PKCS#8 export of private keys:
    • PBES2 with SHA-1 and TDES
    • PBES2 with SHA-1 and AES-128
    • PBES2 with SHA-1 and AES-256
    • PBES2 with SHA-256 and AES-256
  • Added export button in private key view dialog (contributed by Jairo Graterón)
  • Added verify button in the CSR view dialog to check its signature
  • Added start of certificate validity as additional optional column for main table view (contributed by Björn Michael)
  • Improved certificate key usage and EKU dialogs by adding tooltips with additional details (contributed by The-Lum):
    • For the key usage extension the number of the bit (for example 0 for digitalSignature)
    • For extended key usage the OID of the key usage
  • Enlarged default size of ASN.1 dump window, hex dumps are now displayed in two columns of 8 bytes instead of one (contributed by The-Lum)
  • Added total number of revoked certs to CRL view
  • Added length info to OCTETSTRING and BITSTRING in ASN1 viewer
  • HTTP redirects for downloads of CRLs and CRTs are now supported (contributed by Jairo Graterón)
  • Made several adjustments to file extensions used as filters in file chooser dialogs and as default extensions for export files. The reasons were to adapt to existing official standards and also to avoid conflicts with other file types (thanks to Sergey Ponomarev for his investigations):
    • Changed default file extension for private key export as DER-encoded PKCS#8 from ".pkcs8" to ".p8" as this extension was registered with IANA (contributed by Sergey Ponomarev)
    • Changed default file extension for private key export as DER-encoded PKCS#1/ECPrivateKey from ".key" to ".privkey" (".key" is used for PGP/GPG files and also for Keynote presentations and there seems to be no "official" file extension for these formats)
    • Changed default file extension for public key export as DER-encoded RFC 5280 SubjectPublicKeyInfo from ".pub" to ".pubkey" (".pub" is used for MS Publisher files)
    • Changed default file extension for PEM-encoded files to ".pem" (usually in combination with a prefix for the actual content like ".p8.pem" or ".pubkey.pem)"
    • Added ".p8", ".p8e" and ".pk8" as file extension filters for selecting / importing PKCS#8 files (contributed by Sergey Ponomarev)
    • Added ".pem" as file extension filter to all file chooser dialogs that could possibly open PEM files
  • Changed dialogs for key pair generation and signing CSRs to display serial number as hex string
  • Improved certificate chain detection
  • Adjusted password quality meter to show more realistic results
  • Replaced IdenTrust's TSA with QuoVadis'
  • Improved handling of invalid PEM files
  • The certificates selection dialog is now resizable
  • Fixed typo in tooltips for public key fingerprint
  • Improved French translation (by The-Lum)
  • Improved German translation
  • Updated third-party libraries to latest versions, BC is now at version 1.77
Bug Fixes
  • Fixed handling of GeneralName/OtherName/UPN (reported by Björn Michael)
  • Fixed handling of explicitly specified EC curve parameters (reported by Arnieh)
  • Fixed calender selection issue in certificate generation dialog (reported by freedom1b2830)

UI Improvements
  • Improvements in public key details dialog:
    1. Added public key fingerprint with four algorithms:
      1. RFC 5280 SubjectKeyIdentifier (SKI) method 1
      2. RFC 5280 SubjectKeyIdentifier (SKI) method 2
      3. SHA-1 calculated over SubjectPublicKeyInfo ASN.1 structure
      4. SHA-256 calculated over SubjectPublicKeyInfo ASN.1 structure
    2. Improved detail infos for EC keys (showing the named curve and public key fields)
  • Redesigned Preferences dialog (contributed by Colbix)
  • Added a setting for PKCS#12 encryption to preferences. This allows to use a less secure encryption algorithm and is basically a workaround for Windows Server 2016 which does not support PBES2 with AES256, which is the standard encryption for PKCS#12 files in newer Java versions. This has no effect if the Java runtime still uses the old encryption algorithm.
  • Added "eye" (reveal) button on password fields (this works only with look&feel set to "Flat Light", "Flat Dark", "Flat IntelliJ" or "Flat Darcula")
  • Generate Certificate: New button "Transfer Name and Extensions" was added that allows to select an existing certificate as a template for the new one (contributed by Jairo Graterón)
  • List certificates dialog was improved, it reflects the main table now (contributed by Jairo Graterón)
  • The icons for expiry status in the main table do not only differ in color now but also in shape and symbols, making it easier for users with color deficiencies to differentiate between them.
Other Improvements
  • Added support for Base64 encoded DER keys/CSRs in "Examine File/Clipboard" (in addition to PEM and binary DER)
  • Added support for DN attribute "organizationIdentifier"
  • Updated JavaFXFileChooser to include setSelectedExtensionFilter (contributed by Colbix)
  • Updated DErrorCollection (contributed by Colbix)
  • Generated CSRs are now also copied to system clipboard
  • Improved focus order in DN chooser: You can now use the tab key to go to the next input field.
  • TSA list: Added (replacing
  • Updated libraries to latest versions, BC is now at version 1.72
  • Removed support for obsolete BKS-V1 keystore type
  • Removed obsolete hash algorithms: MD2, MD4, RIPEMD128, RIPEMD256

Bug Fixes
  • Fixed parsing of MsCrlNextPublish extension (reported by The-Lum)
  • Fixed UI freeze on auto update check when packets are dropped (reported by SanskritFritz)
  • PAC: included standalone Nashorn; replaced pac JS with Java code (reported by poel)
  • Fixed top left icon for ASN.1 dump window (reported by The-Lum)
  • Fixed detection of local JRE (reported by FranLa and Tabiskabis)

A new feature for signing JWT (JSON Web Token) has been contributed by Jairo Graterón. It came just a little too late for the 5.5.0 release, so it is included in this update:

The French translation has been extended and improved by The-Lum.

Bug fixes:

  • Fixed import of CA reply failing for EC keys (reported by Stanislav Izmalkov).
  • Incorrect display name CRL SELF CDP for OID on 'CRL Extensions' screen (reported by The-Lum).
  • Fixed missing menu item for certificate verification feature for trusted certificates (contributed by The-Lum).
  • Fixed issues with dark mode (namely "tip of the day" and "date picker" backgrounds) (reported by The-Lum).

This release includes the following new features, enhancements and bugfixes:

CRL Signing

Previous versions of KSE had some basic CA features like signing X.509 certificates, key creation, PKCS#10 requests, support for many X.509 extensions, extension profiles, but revokating certificates by creating/signing a certificate revocation list (CRL) has been missing so far.

This has changed in version 5.5.0. In the context menu of key pair entries is now a new item called "Sign CRL", which opens the dialog on the right.

Certificates can be added to the CRL in three ways:

  • By selecting a certificate from a keystore file.
  • By selecting a certificate file.
  • By selecting an older CRL from the same issuer certificate.

The generated CRL can then be saved to the file system in PEM or DER format.

The feature uses an automatically created file with the issuer serial number as its name and ".db" as its extension to save meta data like CRL serial number, the revoked certificates and the validity period. This makes creating subsequent CRLs much easier.

This feature was contributed by Jairo Graterón.

Certificate Validation

KSE can now do a certificate validation - including a check of the revocation status with four different methods.

This feature was contributed by Jairo Graterón.


Support for the (twisted) Edwards curves has been added. This includes key generation and EdDSA signature scheme:

  • Ed25519
  • Ed448

Choosing an elliptic curve that is both secure and efficient has not been easy in the past. The Edwards curves are therefore a useful addition to KSE.


In contrast to the older PKCS#1 v1.5 signature scheme the Probabilistic Signature Scheme (PSS) from PKCS#1 v2.1 is provably secure. This does not mean that the v1.5 scheme is unsecure, but PSS should be preferred if possible.

The PSS versions of the signature algorithms can be recognized by the appended "and MGF1":

  • SHA-1 with RSA and MGF1
  • SHA-224 with RSA and MGF1
  • SHA-256 with RSA and MGF1
  • SHA-384 with RSA and MGF1
  • SHA-512 with RSA and MGF1

CRL Distribution Points Extension

The CRL Distribution Points (CDP) extension is one of the standard certificate extensions from RFC 5280. With KSE being able to create CRLs, this extension is even more relevant now.

The extension can contain multiple distribution points and every distribution point has three optional fields:

  • One or more "General Names" (usually an URL pointing to the current CRL)
  • Reason Flags (for segmenting CRLs by reason code)
  • CRL Issuer (the distinguished name from the issuer field of the CRL)

This feature was contributed by Jairo Graterón.

Custom Certificate Extensions

When generating a certificate with KSE, a wide range of commonly used certificate extensions can be added. There are however some exotic or non-public extensions that are completely out of scope for a tool like KSE. With this new feature any extension can be added to a new certificate by entering the object ID (OID) of the extension and the value as a hex encoded string.

The value has to be entered as the hexadecimal encoding of the DER-encoded ASN.1 value of the extension without the encapsulating OCTET STRING tag and length bytes.


  1. The "OCSP No Check" extension is one of the most simple X.509 extensions because it has ASN.1 "NULL" as its value. Just leave the input field for the extension empty in this case.

    Object ID
    Value (empty)

  2. The old and obsolete Netscape extensions were removed in KSE 5.5.0 but you can still add them as a custom extension. The OID "2.16.840.1.113730.1.1" represents netscape-cert-type and 03020410 is the hexadecimal encoding of the DER-encoded ASN.1 value for type "Object Signing": BIT STRING (tag "03") with length "02" bytes, 4 unused bits ("04") and '10'H='00010000'B (bit 3 = Object Signing)

    Object ID 2.16.840.1.113730.1.1
    Value 03020410

  3. More complex extensions are of course also possible, it is only a matter of encoding the value correctly. For a CRL Distribution Points extension with URL "" you would enter the following OID and value:

    Object ID
    Value 302d302ba029a0278625687474703a2f2f646f64

This is definitely a feature for advanced users who know what they are doing, but it has been repeatedly requested.

Additional Name Components for Distinguished Names

The distinguished name (DN) chooser/viewer dialog has been extended with seven additional name components:

  • Name (OID
  • Street (OID
  • Title (OID
  • Initials (OID
  • Pseudonym (OID
  • DN Qualifier (OID
  • Generation Qualifier (OID

The first three were added by Jairo Graterón.

Sign Multiple Jars

With KSE 5.5.0 it is now possible to sign multiple jar files at once.

The browse button now opens a file chooser dialog that allows to select multiple files. Next to the button is an indicator showing the number of selected files.

As before it is possible to either replace the original jar file with the signed one or create a new file. In the latter case the file name of the signed jar is created by adding a prefix and/or a suffix. The suffix is added before the file extension.

This feature was contributed by Colbix.

Find KeyStore Entries

You can now search the current keystore.

The keyboard shortcut for "Examine File" (Ctrl-F) has been changed to Ctrl-E in KSE 5.5.0 so that the more intuitive Ctrl-F can be used for this new find feature.

Every keystore entry with a matching name is selected after the search was executed. The number of selected entries has been added to the status bar, which gives an overview of the search result, which is useful if not all found entries fit into the window.

This feature was contributed by Jairo Graterón.

Input Suggestions for Object Identifiers (OIDs)

OIDs are hard to remember and it is easy to make mistakes when entering them.

Wherever you can enter OIDs in KSE, this new feature makes suggestions that you can select from a drop down list. Of course - if none of the suggestions should match, you can still enter another OID just like before.

This feature was contributed by Jairo Graterón.

Diffie-Hellman Parameters

This new feature allows to create a Diffie-Hellman (DH) key exchange parameters PEM file that can be used for example in OpenVPN.

The Java implementation of the DH parameter generation is pretty slow, so especially for key sizes above 2048 OpenSSL is still the better tool for this task.

This feature was contributed by Colbix.

New Windows Launcher ("kse.exe")

KSE 5.5.0 comes with a completely new launcher executable for Windows. It was written especially for KSE and uses Bill Stewart's JavaInfo.dll for detecting Java installations.

The launcher searches for Java in the following locations in exactly this order:

  1. In a folder named "jre" next to kse.exe.
  2. In the paths where the environment variables JAVA_HOME, JDK_HOME and JRE_HOME point to.
  3. In the folders of the Path environment variable if there is a java.exe.
  4. The registry in the following locations:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Eclipse Foundation

New Windows Installer

The Windows installer for KSE is now made with InnoSetup and comes with the following improvements:

  • HKLM\SOFTWARE\Classes or HKCU\Software\Classes are used instead of HKEY_CLASSES_ROOT
  • kse.exe is added to "Software\Microsoft\Windows\CurrentVersion\App Paths"
  • A ProgId is created for selected file types
  • Values to OpenWithProgIds subkey are added for selected file types
  • Localization: You can choose your language for the installation (currently English and German)
  • Detection of a currently running KSE process
Also, there are two versions of the Windows installer now:
  • kse-550-setup.exe: This is the recommended version. It includes a custom, size optimized Java runtime (27 MB vs 160 MB).
  • kse-550-setup-no-jre.exe: This version is for those users who want to use a specific Java runtime with KSE.

Other Enhancements

  • Improved usage of JavaFX file chooser in various ways (contributed by Colbix)
  • ExamineClipboard works now also with URLs if they end with one of the following extensions: .cer, .crt, .pem and .crl (contributed by Jairo Graterón)
  • "Sign CSR" can save the certificate now in several formats
  • Added certificate serial number to configurable columns for main window
  • Added option to show hidden files in file chooser
  • Updated list of timestamp authorities (TSAs) in jar sign dialog
  • Certificate serial number is now shown as both hexadecimal and decimal in certificate viewer
  • SHA-256 is now default algorithm for signing jars, removed MD2/5
  • Added popup menu for multiple entry selection
  • Added handler for viewing files via system clipboard (copy file, then do "Examine System Clipboard")
  • Added jar/apk files to "Examine File" feature, which shows the signature certificates for signed jars (dragging and dropping a jar file onto KSE works as well)
  • Added SAN extension to SSL server template
  • Subject DNs can be empty now (explicitly allowed in RFC 5280)
  • Removed old Netscape extensions from AddExtensions dialog
  • Added OIDs of three private Apple certificate extensions to extension viewer
  • Increased maximum number of items in recent files menu from 6 to 9
  • Flat Laf Light is now the default theme for all platforms
  • macOS: Updated VAqua look&feel to v8
  • macOS: Updated DMG background image (144dpi, arrow, text)


  • Fixed display and entering of IP subnets (reported by Natan Abolafya and fix contributed by Jairo Graterón)
  • Fixed not remembering last used key type and size/curve in key generation dialog (reported by Benny Prange)
  • Fixed display name in ASN.1 view for UPN/ (reported by Michael Osipov)
  • Fixed bug when signing fat jars (reported by Pavel Yankelevich)
  • Workaround for display issue in verify function of jarsigner (reported by Pavel Yankelevich)
  • Fixed root node in certificate viewer selected instead of leaf (reported by chinkinsei and Maurice Perry)
  • Fixed scaling issue with splash image (reported by Kevin Herron)
  • Fixed error in file type detection (reported by Basti Schneider)
  • Fixed spacing in some dialogs

KeyStore Explorer Release 5.4.0, 5.4.1, 5.4.2, 5.4.3 and 5.4.4

KeyStore Explorer Release 5.3.0, 5.3.1 and 5.3.2

KeyStore Explorer Release 5.2.0, 5.2.1 and 5.2.2

KeyStore Explorer Release 5.1.0 and 5.1.1

KeyStore Explorer Release 5.0.0 and 5.0.1