Feature Comparison for GUI KeyStore Managers

We have made a comparison of the features between CERTivity® KeyStores Manager and the most relevant similar products. The features are organized in categories, each category initially showing all features.

Although this comparison was made by EduLib, the creator of CERTivity, we tried to be as objective and fair as possible. If you have any comments or suggestions, do not hesitate to contact us.

You can download this comparison in PDF format also.

Feature NameCERTivity
2.0
Keystore
Explorer
5.0.1
Portecle
1.7
KeyTool
IUI
2.4.1
Released Date2014-01-232013-11-242011-01-232008-10-18
Maintained
PlatformsOn any Platform That Can Run JavaOn any Platform That Can Run JavaOn any Platform That Can Run JavaOn any Platform That Can Run Java
Has bundled JRE
Has installer
KeyStore
Management
Supported Java KeyStore TypesJKS, JCEKS, PKCS12, BKS, BKS-V1, UBERJKS, JCEKS, PKCS12, BKS, UBERJKS, PKCS#12, JCEKS, JKS (case sensitive), BKS, UBER, GKR
(but option is inactive)
JKS, JCEKS, PKCS#12, BKS, UBER
Create a New KeyStore
Open an Existent KeyStore
Open Windows Root CA KeyStore
Open Windows User KeyStore
Discover JREs CA TrustStores
Open JREs CA TrustStoresOnly main JREOnly main JREOnly main JRE
Save a KeyStoreIt's done automatically after some operations
Defining a Default KeyStore(planned for future releases)
Convert KeyStore Type
Change KeyStore Password
Delete Entry
Change Entry Password
Change Entry Alias
Cut/Copy - Paste Single KeyStore EntryAllows only cloning a certificate into the same
KeyStore.
Allows only copying a certificate into the same
KeyStore
Cut/Copy - Paste Multiple Entries
TrustStore
Management
Set/Remove CA Certs TrustStore at runtime without
restarting the application
Set Multiple TrustStores for Trust Path Validation
Availability to use JRE CA Certs TrustStores (from
discovered JREs) for Trust Path Validation
Availability to use Windows KeyStores (for Microsoft
Windows Systems) for Trust Path Validation
(only Windows Root CA)
Availability to use Custom KeyStores for Trust Path
Validation
(only if the CA Certs is changed to a custom one)(only if the CA Certs is changed to a custom one)
Availability to use current opened (and selected) KeyStore
for Trust Path Validation
Display Trust Status for Certificate Entries in
KeyStores
Display Trust Status for Opened Certificates
Customizable Trust Path Validation Options Without
Restarting the Application
Available Trust Path Validation OptionsInhibit any policy, Explicit policy required, Inhibit
policy mapping, Use revocation checking, Use policy qualifier
processing, Use path length constraint (with customizable path
length size), Use custom validation date, Provider selection
(default provider or Bouncy Castle provider)
Interface
Usability
MDI Interface for KeyStores
MDI Interface for Certificates/CRL/CSR
KeyStore RepresentationTree List (Entries are displayed as a list of expandable
nodes) Available SubItems for KeyPairs : Private/Public Keys,
Certificate Chains, Certificates, Extensions Available Subitems
for Certificates: Public Key, Extensions
Simple List (entries are not expandable)Simple List (entries are not expandable)Simple List (entries are not expandable)
Available Entries Direct InformationAlgorithm and Size, Expiry Date, Last Modified, Validity
Status, Trust Status
Algorithm and Size, Expiry Date, Last Modified, Validity
Status
Alias Name, Last ModifiedFor Key Pairs and Certificates: Alias, Entry Type, Valid
Date, Self-Signed, Trusted C. A., Key Size, Cert. Type, Cert. Sig.
Algorithm, Modified Date For Secret Keys: Alias, Entry, Modified
Date
Mark Locked Keys
Mark Expired Key Pairs/Certificates
Mark Certificate Trust Status
Mark Key Pairs with Key sizes smaller than a configurable
value
Undo/Redo for KeyStore Operations and Imports
Prompting to re-enter password in case of wrong password
for unlocking Private/Secret Keys
Prompting to re-enter password in case of wrong password
when converting a KeyStore to a different type (operation does not
fail)
Informing when a Key Store which contains Secret Keys can
not be converted to a Key Store type that does not support Secret
Keys before entering all the passwords
Converts with removing secret keys (it gives a slight
warning first)
Prompting for passwords when converting from a KeyStore
type which does not support passwords to a KeyStore type which
supports entry passwords
Displaying Entry Information ModeBottom Panel (And few details in the KeyStore View)New Dialog (And few details in the KeyStore View)New Dialog (and few details in the KeyStore View)New Dialog (text based content)
Allows rearranging Key Store/Certificate tabs
Configurable Arrangement and Positioning of Tabs
Configurable Tabs Position by Dragging
Window Configuration OptionsMaximize, Float, Float Group, Minimize, Minimize Group,
Dock, Dock Group, New Document Tab Group, Collapse Document Tab
Group
Multiple KeyStore Entries Selection
Multiple KeyStore Entries Copy - Paste between
KeyStores
Copy a Certificate From a Certificate Chain and Paste It
Into Another KeyStore
Configurable Key Shortcuts (Keymap)
Displaying Providers List(planned for future releases)
"Close All Documents" Option
Opened Tabs Manager
Opened Tabs Manager OptionsSwitch to Document, Close Document(s)
Easy Tab Selector Drop list
Available Actions/Options Tree Like Structure(planned for future releases)
Quick Search (with text box)
Change Look And Feel(planned for future releases)
Password Strength Indicator(planned for future releases)
Show tips at startup(planned for future releases)
Key Pair
Operations
Generate Key Pair (RSA/DSA)
Regenerate Key Pair
Sign With Selected KeyPair at Generation Time
Key Pair Generation - Signature Algorithms (for DSA
Keys)
SHA1 With DSA, SHA224 With DSA, SHA 256 With DSA, SHA 384
With DSA, SHA 512 With DSA
SHA.1 with DSA, SHA-224 with DSA, SHA-256 With DSA, SHA-384
with DSA, SHA-512 with DSA
SHA1withDSA, SHA224withDSA, SHA256withDSASHA1withDSA
Key Pair Generation - Signature Algorithms (for RSA
Keys)
MD2 with RSA, MD5 with RSA, SHA1 with RSA, SHA1 With RSA
and MGF1, SHA224 With RSA, SHA224 With RSA and MGF1, SHA256 With
RSA, SHA256 With RSA and MGF1, SHA384 With RSA, SHA384 With RSA
and MGF1, SHA512 With RSA, SHA512 With RSA and MGF1, RIPEMD128
With RSA, RIPEMD160 With RSA, RIPEMD256 With RSA
MD2 with RSA, MD5 with RSA, RIPEMD-128 with RSA, RIPEMD-160
with RSA, RIPEMD-256 with RSA, SHA.1 with RSA, SHA-224 with RSA,
SHA-256 With RSA, SHA-384 with RSA, SHA-512 with RSA
MD2withRSA, MD5withRSA, SHA1withRSA, SHA224withRSA,
SHA256withRSA, SHA384withRSA, SHA512withRSA, RIPEMD128withRSA,
RIPEMD160withRSA, RIPEMD256withRSA
MD5withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA,
RIPEMD128withRSA, RIPEMD160withRSA, RIPEMD256withRSA
Generate Key Pair (EC)
Key Pair Generation - EC AlgorithmsEC(ECDSA), ECGOST3410EC(ECDSA)
Key Pair Generation - EC Parameters Specification (for
ECDSA Algorithm)
c2pnb272w1, c2tnb191v3, c2pnb208w1, c2tnb191v2, c2tnb191v1,
c2tnb359v1, prime192v1, prime192v2, prime192v3, c2tnb239v3,
c2pnb163v3, c2tnb239v2, c2pnb163v2, c2tnb239v1,, c2pnb163v1,
c2pnb176w1, prime256v1, c2pnb304w1, c2pnb368w1, c2tnb431r1,
prime239v3, prime239v2, prime239v1, sect233r1, secp112r2,
secp112r1, secp256k1, sect113r2, secp521r1, sect113r1, sect409r1,
secp192r1, sect193r2, sect131r2, sect193r1, sect131r1, secp160k1,
sect571r1, sect283k1, secp384r1, sect163k1, secp256r1, secp128r2,
secp128r1, secp224k1, sect233k1, secp160r2, secp160r1, sect409k1,
sect283r1, sect163r2, sect163r1, secp192k1, secp224r1, sect239k1,
sect571k1, B-163, P-521, P-256, B-233, P-224, B-409, P-384, B-283,
B-571, P-192, brainpoolp512r1, brainpoolp384t1, brainpoolp256r1,
brainpoolp192r1, brainpoolp512t1, brainpoolp256t1,
brainpoolp224r1, brainpoolp320r1, brainpoolp192t1,
brainpoolp160r1, brainpoolp224t1, brainpoolp384r1,
brainpoolp320t1, brainpoolp160t1
prime192v1, prime239v1, prime256v1
Key Pair Generation - EC Parameters Specification (for
ECGOST3410 Algorithm)
GostR3410-2001-CryptoPro-A, GostR3410-2001-CryptoPro-XchB,
GostR3410-2001-CryptoPro-XchA, GostR3410-2001-CryptoPro-C,
GostR3410-2001-CryptoPro-B
Key Pair Generation - Signature Algorithms (for ECDSA EC
Keys)
SHA1withECDSA, SHA224withECDSA, SHA256withECDSA,
SHA384withECDSA, SHA512withECDSA
SHA1withECDSA,, SHA224withECDSA, SHA256withECDSA,
SHA384withECDSA, SHA512withECDSA
Key Pair Generation - Signature Algorithms (for ECGOST3410
EC Keys)
GOST3411 with ECGOST3410
Key Pair Generation CERT X.500 DN FieldsCommon Name (CN), Organization Unit (OU), Organization (O),
Locality (L), State (ST), Country (C), Email (E)
Common Name (CN), Organization Unit (OU), Organization (O),
Locality (L), State (ST), Country (C), Email (E)
Common Name (CN), Organization Unit (OU), Organization (O),
Locality (L), State (ST), Country (C), Email (E)
Common Name (CN), Organization Unit (OU), Organization (O),
Locality (L), State (ST), Country (C), Email (E)
Standardized DN Country Codes (2 letter code)
support
Key Pair Generation CERT X.500 DN Fields (extended)(planned for future releases)Title, Device serial number name, Business category, DN
qualifier, Pseudonym, 1-letter gender, Name at birth, Date of
birth, Place of birth, Street, Postal code, Postal address,
2-letter country of residence, 2-letter country of
citizenship
Key Pair Generation CERT X.520 Name(planned for future releases)Surname, Given name, Initials, Generation, Unique
Identifier
Import Key Pair into KeyStore (from PKCS#12 Files)
Import Key Pair into KeyStore (from PKCS#8 private key and
Certificate)
Import Key Pair into KeyStore from OpenSSL private key and
certificate)
Import Key Pair into KeyStore (from PVK private key and
Certificate)
(planned for future releases)
Import Key Pair into KeyStore (from PEM private key and
Certificate Chain)
Import Key Pair into KeyStore (from other KeyStore)(planned for future releases)
Import Key Pair into KeyStore from a Private Key and More
Certificate Files (which can create a chain)
Export Key Pair (PKCS#12)
Export Key Pair (PEM Encoded)(planned for future releases)
Extend Validity of Self-Signed KeyPairs
Enter New Serial Number When Extending Validity of
Self-Signed Certificates
Certificates
Operations
Open a standalone certificate/Examine standalone
certificate
Open a Certificate Chain/Examine Certificate Chain
View Certificate Details
View Certificate Details From Signature(only Certificate Type and Subject DN, for each signed
entry, for JAR files)
Available Certificate DetailsFormat, Version, Serial Number, Valid From/To, Public Key,
Extensions, Signature Algorithm, Multiple Fingerprints,
Subject/Issuer Information (CN, OU, O, L, ST, C, E), PEM,
ASN.1
Version, Serial Number, Valid From/Until, Public Key,
Signature Algorithm, Multiple Fingerprints, Subject/Issuer
Information (CN, OU, O, L, ST, C, E), Extensions, PEM,
ASN.1
Chain position and total number of certificates in the
chain, Version, Serial Number, Valid From/Until, Public Key,
Signature Algorithm, Fingerprints, Subject/Issuer DN String,
Extensions, PEM Encoding
Owner (Subject DN String), Issuer (Issuer DN String),
Version, Serial Number, Valid From/Until, Signature Algorithm,
Fingerprints, Extensions
Available FingerprintsMD2, MD4, MD5, SHA1, RIPEMD-128, RIPEMD-160, RIPEMD-256,
SHA-224, SHA-256, SHA-384, SHA-512
MD2, MD4, MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, SHA-1,
SHA-224, SHA-256, SHA-384, SHA-512
SHA1, MD5MD5, SHA.1
View PEM Representation for a Certificate
View ASN.1 for a Certificate
Import Certificate from files into KeyStore
Import Root CA Certificate (directly into the Root CA certs
KeyStore)
(planned for future releases)
Import Certificate into a KeyStore directly from
Certificate Details Dialog
(planned for future releases)
Import Certificate into KeyStore with trust path
validation
(manual validation)
Import Certificate from Server into KeyStore
Import Certificate from Signature into KeyStore
Export Certificate
Export Certificate From Signature to file (JAR, APK, PDF,
XML)
Export Certificate Supported FormatsX.509, X.509 PEM Encoded, PKCS#7, PKCS#7 PEM Encoded, PKI
Path
X.509, X.509 PEM Encoded, PKCS#7, PKCS#7 PEM Encoded, PKI
Path, SPC
DER Encoded, PEM Encoded, PKCS#7, PkiPathDER, PKCS#7, PEM
Export Certificate Chain(only when exporting with private key also)
Export Certificate Chain Supported FormatsPKCS#7, PKCS#7 PEM Encoded, PKI PathPKCS#7, PKCS#7 PEM Encoded, PKI PathPKCS#7, PkiPathDER, PEM
Obtain the Revocation Status
Retrieve Certificate From SSL ServerTLSv1, TLS v1.1, TLS v1.2 and default algorithmTLSv1, TLS v1.1, TLS v1.2TLSv1 (SSLv 3.1)
Retrieve Certificate From SSL Server (additional connection
info)
(planned for future releases)Connection Protocol, Connection Cipher Suite
Retrieve Certificate From SSL Server using HTTPS URL (not
host and port specifically)
Test Certificates on Given Protocol
View Associated CRL
Append signer certificate to key pair certificate
chains
Remove signer certificate from key pair certificate
chains
Rename Certificate
Delete Certificate
Renewal of CertificateOnly when the certificate is within a Key Pair
Certificate
Extensions
View Certificate Extensions
View ASN.1 for a Certificate Extension
Add Certificate Extensions when generating a new
KeyPair
Add Certificate Extensions to CA Replies
Save Certificate Extensions Template
Save Certificate Extensions Template as XML
Available Certificate ExtensionsAuthority Information Access, Authority Key Identifier,
Basic Constraints, Certificate Policies, CRL Distribution Points,
Extended Key Usage, Freshest CRL, Inhibit Any Policy, Issuer
Alternative Name, Key Usage, Name Constraints, Netscape Cert Type,
Private Key Usage Period, Policy Constraints, Policy Mappings,
Subject Alternative Name, Subject Information Access, Subject
Directory Attributes, Subject Key Identifier.
Authority Information Access, Authority Key Identifier,
Basic Constraints, Certificate Policies, Extended Key Usage,
Inhibit Any Policy, Issuer Alternate Name, Key Usage, Name
Constraints, Netscape Base URL, Netscape CA Policy URL, Netscape
CA Revocation CRL, Netscape Certificate Renewal URL, Netscape
Certificate Type, Netscape Comment, Netscape Revocation URL,
Netscape SSL Server Name, Policy Constraints, Policy Mappings,
Private Key Usage Period, Subject Alternative Name, Subject
Information Access, Subject Key Identifier
(many only for display, but not specified anywhere)(many for display) For Key Pair Creation: Key Usage,
Extended Key Usage
Extensions display at creation time (GUI Point of
view)
Tree - like Structure where all extensions, properties and
sub-items are visible in a single dialog
List of extensions, each one opening in a different dialog
for setting properties, and each sub-item opens also in a
different dialog
Certificate Authority
Functions
Check PKI file type
Certificate Signing made easier using “Select as CA Issuer”
and “Sign Certificate by ” actions
Certificate chain management: append and remove signer
certificate (with Copy/Paste/Delete/Undo/Redo functionality
included)
(supported only from menu without Copy/Paste)
Generate Certificate Signing Request (CSR) files
Sign Certificate Signing Request (CSR) files
Import CA Reply
Trust verification when Importing CA Reply
Trust verification when Importing CA Reply (with user
confirmation when trust is not established)
Act as a testing purposes CA (by generating CSR files,
signing CSRs and importing CA Replies
CSR
View CSR Details/Examine CSR(only PEM display)
Available CSR DetailsFormat, Version, Public Key (with details available),
Signature Algorithm, Subject (CN, OU, O, L, ST, C, E), Challenge,
CSR Dump (PEM)
Format, Public Key (with details available), Signature
Algorithm, Subject (CN, OU, O, L, ST, C, E), Challenge, CSR Dump
(PEM, ASN.1)
Version, Subject DN String, Public Key (Algorithm and
size), Signature Algorithm, PEM
PEM
Generate CSR Files
Generate CSR Files Supported FormatsPKCS#10, SPKACPKCS#10, SPKACPKCS#10 (probably)PKCS#10
CRL
View CRL Details/Examine CRL
View Remote CRLs
Protocols Supported for Opening Remote CRLsHTTP, HTTPS, FTP, LDAP
Available CRL DetailsType, Version, This Update, Next Update, Signature
Algorithm, Issuer (CN, OU, O, L, ST, C, E), Extensions, ASN.1,
Revoked Certificates (+Extensions)
Version, Issuer (CN, OU, O, L, ST, C, E), Effective Date,
Next Update, Signature Algorithm, Extensions, ASN.1, Revoked
Certificates (+Extensions)
Version, Issuer DN String, Effective Date, Next Update,
Signature Algorithm, Extensions, Revoked Certificates
(+Extensions)
View CRL Extensions
Next Update Exeeded Verification
CA Reply
Import CA Reply With Trust Path Validation
View CA Reply Details(Only if opened as a certificate and browse through the
chain)
(Only if opened as a certificate, and browse through the
chain)
(Only if opened as a certificate, and you can browse
through the chain)
Create CA Reply
Secret Key
Operations
Available Secret Keys InformationAlgorithm, Last ModifiedAlgorithm, Key Size, Last ModifiedLast ModifiedModified date
View Secret Key Details(planned for future releases)Algorithm, Format, Size, Value in hexa
Generate Secret Key
Secret Key Supported AlgorithmsAES, AESWrap, ARCFOUR, BlowFish, Camellia, Cast5, Cast6,
DES, DESede, DESedeWrap, GOST28147, Grainv1, Grain128, HC128,
HC256, Noekeon, RC2, RC4, RC5, RC5-64, RC6, Rijndael, Salsa20,
Seed, Serpent, Skipjack, TEA, Twofish, VMPC, VMPC-KSA3, XTEA,
HmacMD2, HmacMD4, HmacMD5, HmacRIPEMD128, HmacRIPEMD160, HmacSHA1,
HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacTIGER
AES, ARC4, Blowfish, Camellia, CAST-128, CAST-256, DES,
DESEDE, GOST 28147-89, Grain v1, Grain-128, HC-128, HC-256,
HMac-MD2, HMac-MD4, HMac-MD5, HMac-RipeMD128, HMac-RipeMD160,
HMac-SHA1, HMac-SHA224, HMac-SHA256, HMac-SHA384, HMac-SHA512,
HMac-Tiger, NOKEON, RC2, RC5, RC6, Rijndael, Salsa20, Serpent,
SEED, Skipjack, TEA, Twofish, XTEA
AES, ARCFOUR, Blowfish, DES, DESede, HmacMD5, HmacSHA1,
HmacSHA256, HmacSHA384, HmacSHA512, RC2
Provider Selection for Generation Available
Offers Supported Key Sizes for Each Algorithm
Import Secret Key From File(planned for future releases)
Export Secret Key To File(planned for future releases)
Export Secret Key To File Format(planned for future releases)DER, PEM
Private Key
Operations
View Private Key Details
Available Private Key Details (for DSA)Algorithm, Key Size, Fields (Basic Generator G, Prime
Modulus P, SubPrime Q, Private Key Value; ), ASN.1
Algorithm, Key Size, Fields (Prime Modulus P, Prime Q,
Generator G, Secret Exponent X), ASN.1
Key Size
Available Private Key Details (for RSA)Algorithm, Key Size, Fields (Modulus, Private Exponent,
Public Exponent, CRT Coefficient, Prime Exponent P, Prime Exponent
Q, Prime Modulus P, Prime Q), ASN.1
Algorithm, Key Size, Format, Encoded, Fields (Public
Exponent, Modulus, Prime P, Prime Q, Prime Exponent P, Prime
Exponent Q, CRT Coefficient, Private Exponent), ASN.1
Key Size
Available Private Key Details (for ECDSA /
ECGOST3410)
Algorithm, Key Size, Parameters Specification, Fields
(Private Value S, Cofactor, First Coefficient A, Second
Coefficient B, Field Size, Seed, Generator Affine X-Coordinate,
Generator Affine Y-Coordinate, Generator Order), ASN.1
Algorithm, Key Size (for ECDSA only), Format, Encoded,
ASN.1
Key Size (for ECDSA only)
Export Private Key(but only together with certificate file)
Export Private Key Supported FormatsPKCS#8, PKCS#8 PEM Encoded, Open SSL PEM EncodedPKCS#8, PKCS#8 PEM Encoded, PVK, OpenSSL PEM
Encoded
DER, PEM
Export Private Key Encryption Algorithms (PKCS#8)PBE_SHA1_2DES, PBE_SHA1_3DES, PBE_SHA1_RC2_40,
PBE_SHA1_RC2_128, PBE_SHA1_RC4_40, PBE_SHA1_RC4_128
PBE with SHA.1 and 2 key DESede, PBE with SHA.1 and 3 key
DESede, PBE with SHA.1 and 40 bit RC2, PBE with SHA.1 and 128 bit
RC2, PBE with SHA.1 and 40 bit RC4, PBE with SHA.1 and 128 bit
RC4
Export Private Key Encryption Algorithms (OpenSSL)AES-128-CBC, AES-128-CFB, AES-128-ECB, AES-128-OFB, BF-CBC,
BF-CFB, BF-ECB, BF-OFB, DES-CBC, DES-CFB, DES-ECB, DES-EDE-CBC,
DES-EDE-CFB, DES-EDE-ECB, DES-EDE-OFB, DES-EDE, DES-EDE3-CBC,
DES-EDE3-CFB, DES-EDE3-ECB, DES-EDE3-OFB, DES-EDE3, DES-OFB,
RC2-40-CBC, RC2-64-CBC, RC2-CBC, RC2-CFB, RC2-ECB, RC2-OFB
PBE with DES CBC, PBE with DESede CBC, PBE with 128 but AES
CBC, PBE with 192 bit AES CBC, PBE with 256 bit AES CBC
Public Key
Operations
View Public Key Details
Available Public Key Details (for DSA Keys)Algorithm, Key Size, Fields (Basic Generator G, Prime
Modulus P, SubPrime Q, Public Key), ASN.1
Algorithm, Key Size, Format, Encoded, Fields (Prime Modulus
P, Prime Q, Generator G, Public Key Y), ASN.1
Available Public Key Details (for RSA Keys)Algorithm, Key Size, Fields (Modulus, Public Exponent),
ASN.1
Algorithm, Key Size, Format, Encoded, Fields (Public
Exponent, Modulus), ASN.1
Available Public Key Details (for ECDSA / ECGOST3410
Keys)
Algorithm, Key Size, Fields (Basic Generator G, Prime
Modulus P, SubPrime Q, Public Key), ASN.1
Algorithm, Key Size, Format, Encoded, ASN.1
Export Public Key
Export Public Key Supported FormatsOpen SSL, Open SSL PEM EncodedOpen SSL, Open SSL PEM Encoded
Sign and Verify
Verify Signatures for JAR Files
Verify Signatures for APK Files
Verify Signatures for PDF Files
Verify Signatures for XML Files
Verify XML Signature - allow using external cert.
validation
Verify XML Signature - set use external cert. validation
and embedded cert. validation order
Verify XML Signature - allow selecting the external cert.
from file or from a given KeyStore entry (from KeyStore
file)
Sign JAR Files
JAR Signing - Signature AlgorithmsSHA.1 with DSA, MD2 with RSA, MD5 with RSA, SHA.1 with RSA,
SHA.1 with ECDSA
SHA.1 with DSA, MD2 with RSA, MD5 with RSA, SHA.1 with
RSA
SHA.1 With DSA, SHA.1 With RSA
JAR Signing - Digest AlgorithmsMD2, MD5, SHA.1, SHA224, SHA256, SHA384, SHA512MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512SHA.1
JAR Signing - Add Full Manifest Digest Attribute
Configurable
Sign APK Files
APK Signing - Signature AlgorithmsSHA.1 with DSA, MD2 with RSA, MD5 with RSA, SHA.1 with
RSA
SHA.1 with DSA, MD2 with RSA, MD5 with RSA, SHA.1 with
RSA
APK Signing - Digest AlgorithmsMD2, MD5, SHA.1, SHA224, SHA256, SHA384, SHA512MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
APK Signing - Add Full Manifest Digest Attribute
Configurable
Sign XML Files
XML Signing - Signature TypesEnveloped, Enveloping, DetachedEnveloped
XML Signing - Digest AlgorithmsSHA1, SHA256, SHA512
XML Signing - Canonicalization AlgorithmsInclusive, Inclusive With Comments, Exclusive, Exclusive
With Comments
XML Signing - Allow Attaching Key To Signature
XML Signing - Allow Attaching Certificate To
Signature
Sign PDF Files
PDF Signing - Signature Subfiltersadbe.pkcs7.sha1, adbe.x509.rsa_sha1,
adbe.pkcs7.detached
Sign CSR Files/Create Certificate from CSR
Prevention for Signing CSR Files by the Same Key Pair That
Created Them
CSR Signing - Signature AlgorithmsSHA.1 with DSA, SHA224 with DSA, SHA256 with DSA, SHA384
with DSA, SHA512 with DSA, MD2 with RSA, MD5 with RSA, SHA.1 with
RSA, SHA.1 with RSA and MGF1, SHA224 with RSA, SHA224 with RSA and
MGF1, SHA256 with RSA, SHA 256 with RSA and MGF1, SHA384 with RSA,
SHA 384 with RSA and MGF1, SHA512 with RSA, SHA512 with RSA and
MGF1, RIPEMD128 with RSA, RIPEMD160 with RSA, RIPEMD256 with
RSA
SHA.1 with DSA, SHA-224 with DSA, SHA-256 With DSA, SHA-384
with DSA, SHA-512 with DSA, MD2 with RSA, MD5 with RSA, RIPEMD-128
with RSA, RIPEMD-160 with RSA, RIPEMD-256 with RSA, SHA.1 with
RSA, SHA-224 with RSA, SHA-256 With RSA, SHA-384 with RSA, SHA-512
with RSA
Sign J2ME MIDlet Applications Files
Verify Detached Signature - CMS(planned for future releases)
Sign With Detached Signature - CMS(planned for future releases)
Detached Signature - CMS Formats - CMS Signature
File
(planned for future releases)P7M, P7S
Detached Signature - CMS Formats - CMS Certs-only
file
(planned for future releases)P7C
Detached Signature - CMS Formats - digest
algorithms
(planned for future releases)SHA1, SHA224, SHA256, SHA384, SHA512, MD5, RIPEMD128,
RIPEMD160, RIPEMD256
Verify Detached Signature - Other(planned for future releases)
Sign Detached Signature - Other(planned for future releases)
Detached Signature - Other Formats - Signature File(planned for future releases)DER, PKCS#7, PEM
Detached Signature - Other Formats - Certificate
File
(planned for future releases)DER, PKCS#7, PEM
Allow signing using any Key Pair irrespective of
Certificate extension
Suggest candidate KeyPairs for signing (the ones that have
the right extensions for their certificates)
(planned for future releases)
Encrypting Files
Encrypt file using Secret Key
Encrypt file using RSA trusted certificate
Encrypt file using private key
RSA Encryption AlgorithmsRSA/ECB/PKCS1Padding, RSA/NONE/PKCS1Padding,
RSA/NONE/OAEPWithSHA1 AndMGF1Padding
Other
KeyStore Persistence between sessions
KeyStore Persistence typeFully persist (name and passowrd), Only KeyStore names, No
persistence
Open Files Using Drag & Drop
File Types Supported For Drag & DropKeyStore, Certificate, CSR, CRL irrespective of the file
extension
KeyStoreOnly based on extension: KeyStore, Certificate, CSR,
CRL
Supported KeyStore file extensionscacerts, ks, jks, jce, p12, pfx, bks, ubr, keystoreks, keystore, jks, jceks, bks, uber, pfx, p12ks, jks, jceks, p12, pfx, bks, cacertsubr, jks, ks, jce, bks, pfx, p12
Open Recent Files(maximum 4 files)
Remember last file directory between sessions
Remember last file directory for each specific action
(Opening a Key Store, a Certificate, etc.)
KeyStore Properties (Tree - like entries
structure)/KeyStore Report
(planned for future releases)
KeyStore Properties - Export structure in text and XML
formats)
(planned for future releases)(copy in memory)
Set Password Quality(planned for future releases)
Configure/Set Internet Proxy(planned for future releases)
View Cryptography Strength/Policy Details
Detection of Cryptography Strength Policy Limitation when
Launching the Application
(planned for future releases)
GUI Support for Upgrading Cryptography Strength
Support for Manual Upgrading Cryptography Strength in case
automatic upgrade fails
Customizable PropertiesCertificate expiry notification interval, RSA Key Pair
minimum allowed size, RSA Key Pair maximum allowed size, RSA Key
Pair default size, Autogenerated certificate serial number maximum
bit length, Undo level, Log level, Memory usage maximum threshold
level, Keystore persistence type, Recent file list maximum size,
JRE CA KeyStore list max size, Certificates Retriever connection
type, Inspected and draggable file size limit
Set CA Certificates Key Store, Minimum Password Quality,
Look And Feel, Internet Proxy, Trust Checks
Import/Export Configuration Properties
Add extension to file name on export, if the name does not
contain an extension from the selected file filter
Password Manager (remember passwords after
unlocking)
Archiving directories into JAR/APK files(planned for future releases)
OS File Associations(planned for future releases)(only for KeyStores)

The usage of electronic services such as electronic banking, electronic commerce or virtual mails becomes more commonplace in the present. Therefore there is an increasing need for using digital certificates to establish authenticity, digital signatures, or encryption of personal data. This requires the ability to handle cryptographic material such as private / public key pairs, secret keys, or digital certificates, in other words, the ability to create key pairs and store them into different keystores, or exporting only the certificate into another keystore, the possibility to use a private key to digitally sign a document, and many others. These can be achieved easily using CERTivity due to its intuitive GUI and structure.

The following scenario can give a hint of how easy it is to work with key pairs and certificates in CERTivity.

The user wants to generate a self-signed key pair, store it into a KeyStore, and then, copy only the certificate from the self-signed key pair and store it into a different keystore (for example the cacerts keystore, or another truststore like the Windows Root CA KeyStore).

Such a scenario can be found frequently in real life. For example, we can suppose we have a server in Java and we need to connect with a Windows Client (which could simply be the browser or a custom Windows client) and the SSL layer is used. When using connections over the SSL layer, the authentication is performed using a private key and a public key. Usually the private key resides on the server side, while the public key is found on the client side. So that is why, it is important that after creating a key pair to be able to separate the private keys and certificates easily (as the certificates contain the public key).

The above mentioned scenario can be performed with other existing tools as well, but the steps needed to accomplish this would require creating the key pair and storing it into the keystore, then exporting the certificate into a file and then importing it again from the file into the truststore.

In CERTivity, this can be done in few steps without using any auxiliary files or export and import operations, just clipboard operations. We will consider that the KeyStore into which the key pair will be generated is opened and it is called “my-keypairs.jks”, and that we will want to copy the certificate into the Windows Root KeyStore.

The steps are the followings:

  1. Create a new self-signed key pair. Having the “my-keypairs.jks” keystore opened and focused, use the menu KeyStore > Generate Key Pair, or the Generate Key Pair toolbar button to open the dialog for creating new self-signed key pairs.Step1 Generate Key Pair

    The following dialog appears, allowing the user to provide the needed information for generating the keys and the certificate.

    Step1 Generate Key Pair Dialog

  2. Expand the newly created key pair node in the KeyStore (by clicking on the “+” sign in front of the key pair entry), and also expand the Certificates Chain node. The new generated certificate will be visible.Step2 Expand Key Pair Node
  3. Select the certificate node and copy it (by right clicking on it and selecting the Copy menu, or by using the CTRL + C shortcut.Step3 Select and Copy Certificate
  4. Open the Windows Root CA KeyStore. This can be done very easy in CERTivity, as it has a dedicated menu for that: File > Open > Open Windows Root CA KeyStore.
  5. Having the Windows Root CA KeyStore opened and focused, paste the copied certificate node (by using CTRL + V or Edit > Pastemenu. When inserting a certificate into the Windows Root CA KeyStore, there is a security warning displayed by the operating system informing that a certificate will be installed, and asking for the user's permission:Step5 OS Security Warning

    After clicking yes, the certificate will be imported into the Windows Root CA KeyStore, as it can be seen in the screenshot below:

    Step5 Certificate Pasted in Windows Root CA KeyStore

As it could be seen, to accomplish the above scenario, no “export to file” and “import from file” operations were needed, so this eases the work of the user a lot. In the example above we used for the trust store the Windows Root CA KeyStore, but the steps are the same for any other KeyStore, with the exception of the security warning issued by the Windows operating sistem, which only appears on Windows systems when inserting a certificate in to the Windows Root CA Truststore.

This was only one simple example of how things can be done easier using CERTivity, due to its user-friendly GUI, the way it is organized and due to the features that it provides, but there can be many more.

There are often situations in which we get to a website on a secure connection and the browser informs us that the website's security certificate is not trusted using a warning message similar to the one below (which can be seen when using Google Chrome browser):

Certificate not Trusted

This happens mostly when accessing websites of companies that are using internal CA certificates which are self-signed or are not signed by a known and recognized certificate signing authority. To be able to view these kind of websites, the certificate has to be trusted.

When clicking on “Help me understand” link, we will see some additional information about the problem, and in the last paragraph it is explained briefly without any details what should be done to avoid the security warning and access the website safely.

“If, however, you work in an organization that generates its own certificates, and you are trying to connect to an internal website of that organization using such a certificate, you may be able to solve this problem securely. You can import your organization's root certificate as a "root certificate", and then certificates issued or verified by your organization will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organization's help staff for assistance in adding a new root certificate to your computer.“

Although the information is correct, it is not specified how one can import the organization's root certificate as a “root certificate”. More than this, some additional tools might be required to perform the necessary operations (like a tool for retrieving certificates from a SSL server, and a tool for inserting the obtained root certificate into the Windows Root CA KeyStore). Even with Internet Explorer you have to do more operations and export the CA Root certificate in a file, and then import it by opening that file from Windows Explorer and selecting import in one of the many locations. It is easy to get it wrong. This is where CERTivity comes in handy. Using CERTivity, adding a new root certificate to your Windows OS is easier and fast.

The main idea is to obtain the organization's root certificate and to insert it into the Windows Root CA KeyStore. To do that, one has to use the built-in SSL Certificates Retriever function to obtain the root certificate, and to import it into the Windows Root CA KeyStore, which can also be accessed easily through CERTivity. In more details, the simple steps that have to be performed using CERTivity are the following:

  1. Open the Windows Root CA KeyStore (if not already opened). This can be done very easy in CERTivity, as it has a dedicated menu for that: File > Open > Open Windows Root CA KeyStore.
  2. While having the Windows Root CA KeyStore opened and focused, open the SSL Certificates Retriever. This can be done using the menu KeyStore > SSL Certificates Retriever (as seen in the screenshot below) or by using the SSL Certificates Retriever button from the toolbar.Open SSL Certificates Retriever MenuThe SSL Certificates Retriever dialog will open allowing the user to retrieve the certificate from server:

    SSL Certificates Retriever Dialog

    This dialog allows retrieving certificates either by inserting a HTTPS URL, either by entering the host and port of the server from which the certificate should be retrieved.
    When inserting a HTTPS URL, the host and port will be automatically extracted and the “Host name” and “Port” fields will be filled in. The default port used for HTTPS is 443, but a custom port can also be specified by putting it in the URL according to the URL specification.
    If the user wants to use a certain host name and port number and does not have a HTTPS URL, he can do that by selecting the second radio button below “URL (HTTPS)”, which will enable the “Host Name” and “Port” fields, and inserting or modifying the host name or port number according to his desire.After providing the required information, press “Retrieve certificates” button. In this example the URL https://jira.edulib.ro was used for retrieving the certificates:

    SSL Certificates Retriever Certificate Retrieved

    In this case, the response from the server is actually a chain of certificates, which starts with the organization's root certificate - “CA Cert Signing Authority” which we need to import into the Windows Root CA KeyStore. Any of the certificates from the chain can be imported as well if needed.

  3. Select the certificate to be imported into the Windows Root CA KeyStore and press “Import to KeyStore”. The user will be prompted to enter an alias for the certificate. The name of the certificate will be used as a suggestion.SSL Certificate Retriever Import Certificate Under a Specified Alias

    When importing a certificate into the Windows Root CA KeyStore, there is a security warning displayed by the operating system informing that a certificate will be installed, and asking for the user's permission:

    SSL Certificate Retriever Security Warning shown when Importing Certificate

    After clicking “Yes”, the certificate will be imported into the Windows Root CA KeyStore. The Open SSL Certificate Retriever dialog can be closed now by pressing “Close”.The new imported certificate will be visible into the Windows Root CA KeyStore, as it can be seen in the screenshot below:

    SSL Certificates Retriever with Imported Windows Root CA KeyStore

  4. After performing these simple steps to import the certificate, restart the browser for the changes to take effect. The security warning will no longer be displayed allowing to view the desired website.

    Certificate Trusted

    The organization root certificate can also be imported in a similar way into the Windows Root CA KeyStore from a different KeyStore if it exists already in a KeyStore using copy – paste operations. Also, it can be copied from a KeyPair, in a way similar to the one described in the post Simplifying key pair and certificate management operations with CERTivity.