Tools Menu

Using the Tools menu, you can change:

Using the filter of the Options Panel, consisting of a text field in the top right corner of the Options Panel, the matched tab from the available options is activated. The matching is based on the name of the options and sometimes based on the values of the options.

Main Options

The Main Options of the application are the following:

  • Certificate expiry notification period (default 30 days), meaning that if a certificates valid interval ends before the current date + the notification period a certain visual element will alert you;

  • RSA Key Pair default size (default 1024),- the default size for RSA keys which will be used when generating a RSA Key Pair. Change it for your convenience;

  • RSA Key Pair max size (default 4096) - you won't be able to generate a key Pair having more bits than this value. This prevents bigger values that would require a great CPU time to generate;

  • Auto generated Certificate serial number max bit length (default 20);

  • Undo level - the number of undo levels for each opened KeyStore (default 20);

  • Log level;

  • Memory usage warning max threshold, meaning the percentage of used memory after which a warning message will be displayed (default 90);

  • KeyStore persistence - the type of persistence for opened KeyStores when exiting the application. CERTivity® can remember the KeyStores which are opened when the application exits, and reload them again when the application is launched next time. There are two options available:

    • Persist only KeyStore file name - meaning that only the name (and path) of the previously opened KeyStores will be remembered to be reopened on the next launch. The passwords of the KeyStores will not be remembered, and you will be prompted to enter the password for each of them when selecting each KeyStore tab first time (recommended);

    • Fully persist - meaning that the name and password of the KeyStores will be remembered so that the KeyStore to be reopened when launching the application, without prompting you for the passwords of the KeyStores. The passwords are stored in an encrypted way.

    Although the "Fully persist" option makes the application more friendly, use this option with care and only when you are sure the machine is exclusively accessible by you;

  • Recent File list max size - sets the list maximum size for the most recently used files (default 10);

  • JRE CA KeyStore list max size - sets the list maximum size for JRE CA KeyStore list (default 10);

  • Certificates Retriever connection type - sets the connection type used when retrieving certificates, the combo-box being populated with all connection types available for the Java version used;

  • Inspected and draggable file size limit (default 2048 KB) - sets the size limit for the files inspected using the "Inspect File" action and for the drag and drop action.

Trust Path Options

The user has the possibility to set the TrustStores which should be used for establishing trust when importing a certificate from different sources, when importing a CA Reply, or when displaying the trust status for certificate entries in the KeyStore view. Also, the user has the possibility to set a series of Trust Path validation options.

The Trust Path Options have 2 main categories:

TrustStores Selection

A TrustStore is basically a KeyStore which contains Trusted Certificate Entries.

CERTivity allows setting more TrustStores which can be chosen from the JRE CA TrustStores discovered on the current machine, from the Windows Native KeyStores (if running on a Microsoft Windows system), or from a custom KeyStore which you can select that can act like a TrustStore. Also, you have the option to set as a TrustStore the current active KeyStore. The current active KeyStore is the KeyStore which is opened and focused at the moment of starting an operation (such as importing a certificate, importing a CA Reply, etc.).

A screenshot of the TrustStores Selection panel which allows selecting one or more TrustStores (as it can be seen), is depicted below:

As it can be seen, there are 4 categories of TrustStores: CA Certs KeyStores, Windows KeyStores, Other KeyStores and Current KeyStore. Each of these categories can be disabled or enabled by clicking on the corresponding checkbox. The selections made within each category will not be lost when unselecting the category from its checkbox.

In the situation in which some CA Certs KeyStores are not found anymore, they will not be displayed when opening the Options panel.

To add a custom KeyStore, select Add KeyStore button. A file chooser dialog will be opened and you will be able to select a KeyStore. Any type of KeyStore from the ones supported by CERTivity can be selected here. To remove a KeyStore, select the KeyStore from the list and press Remove selected.

For the new TrustStores that you add or select, you will be prompted to enter the passwords of the KeyStores only if the KeyStores have not been opened in the current run of CERTivity, or if they are not currently opened. Also, you will be prompted to enter the passwords only when they will be needed first time. For example, when closing the Options dialog by pressing OK, if there is no KeyStore opened in background, you will not be prompted to enter the passwords of the new TrustStores that you selected right away. You will be prompted to enter them when you will open a KeyStore, or a Certificate from file, or when performing any other action which will need the TrustStores for trust validation.

Also, if the password of a TrustStore is changed from outside CERTivity, you will be prompted again to enter the password when that TrustStore will be reloaded from the file.


When prompted to enter a password, if you select "Cancel" or you close the dialog, the TrustStore will be unselected, and it will not be used again until you select it again (going to Options > Trust Path Options > TrustStores Selection).

Trust Validation Options

When establishing the Trust Path for trust validation, there are more parameters which can be taken in consideration. Some of them are configurable, and the user has the possibility to set them according to his needs by going to the Trust Validation Options tab.

The Trust Validation Options panel looks like in the screenshot below:

As it can be seen, the user can set the following options:

  • Inhibit any policy

    Default value: unselected;

    If selected, any policy OID will be inhibited if it's included in a certificate;

  • Explicit policy required

    Default value: unselected;

    If selected, an acceptable policy needs to be explicitly identified in every certificate;

  • Inhibit policy mapping

    Default value: unselected;

    If selected, policy mapping will be inhibited;

  • Use revocation checking

    Default value: unselected (using the Default provider), unavailable (using the Bouncy Castle provider);

    If selected, the default revocation checking mechanism of the underlying service provider will be used (if the Default provider is selected and if the Default provider supports revocation checking). The Bouncy Castle provider does not support revocation checking, so this option is disabled for the Bouncy Castle provider. Also, in the situation in which the Default provider option is selected and the only available provider is Bouncy Castle, revocation checking will not work;

  • Use policy qualifier processing

    Default value: selected;

    If selected, the most common (and simplest) strategy for processing policy qualifiers will be used.

  • Use a path length constraint of n certificates

    Default value: unselected;

    If selected, it sets the number of non-self-issued (non self-signed) intermediate certificates that may exist in a certification path. The last certificate in a certification path is not an intermediate certificate and it is not included in this limit.

    A negative value set implies that the path length is unconstrained. This is equivalent with unselecting the "Use a path length constraint of ..." check-box.

    A value of 0 certificates implies that the path can only contain a single certificate.

    The default maximum path length is 5.


    If the check-box is unselected, the value from the text field will be ignored and the path length will be unconstrained.

  • Use this date for validationF

    Default value: unselected;

    If selected, it sets the time for which the validation of the certification path should be evaluated. If not selected, the current date and time (at the moment of performing the validation) will be used.

    When setting a date, the entered date format must be ISO 8601.

    The default value of the date field is the current date and time in ISO 8601 format.

Also, the user has the possibility to set the provider that will be used for Trust Path validation. The user can choose either the default provider (which is the first provider from the system where CERTivity runs which supports the Trust Path validation operations), either the Bouncy Castle provider. The Bouncy Castle provider supports almost all the Trust Path validation operations with some limitations. It does not support revocation checking ("Use revocation checking" option will be disabled). Also, if the default provider is selected but the only available provider is Bouncy Castle, revocation checking will not work.

Advanced Options

Here are some advanced options that can be set to enhance some CERTivity features.


Keep in mind that you must be fully aware of what you are doing before modifying these options, otherwise changes can lead to unexpected behaviour.

The Advanced Options panel looks like in the screenshot below:

The automatic JCE Unlimited Strength Jurisdiction Policy Files installation wizard needs some parameters that can be set here:

  • Download URL

    Specifies the link to the Oracle site from where the JCE Unlimited Strength Jurisdiction Policy Files need to be downloaded. The page that displays from following this link should have the link to the JCE files (e.g.: for JRE 7, the link is

  • File download pattern

    Pattern identifying the direct authenticated link to the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. When clicking on download, the browser is redirected to other page, that is the final, authenticated direct download link (e.g.: for JRE 7, the identifying pattern can look like this: ".zip?AuthParam=", because the link is identifying a "zip" file and it has an "AuthParam" parameter). You can insert multiple patterns. If so, they must be separated by a semicolon (;). In case of using multiple patterns, the operator that will be used between those patterns can be set here (AND meaning all of the specified patterns must match or OR meaning only one of the specified patterns must match).

Other settings:

  • Use Secure Validation for XML Signatures

    When set to true, this option instructs the implementation to process XML signatures more securely. This will set limits on various XML signature constructs to avoid conditions such as denial of service attacks.

    When set to false, the property instructs the implementation to process XML signatures according to the XML Signature specification without any special limits.


Enabling this option when using Java version 1.7.0_25 or greater will lead to failure when verifying detached XML signatures!


For non Oracle JVM's or Java versions lower than 1.7.0_25 this option will be disabled, since it has no effect, meaning that for Java versions lower than 1.7.0_25, XML signatures are processed without any special limits;

Other Options

  • Defined KeyBoard shortcuts (use Keymap);

  • Appearance options (use Miscellaneous).