Free X.509 Certificate Generator and Key Management Software

In this article, I introduce a free X.509 certificate generator and key management tool. XCA (X – Certificate and Key management) is free software designed for Windows and Mac operating systems. It is used to create and manage a database of private keys, X.509 certificates, certificate requests, and certificate revocation lists (CRLs). It relies on the MD5, RIPEMD-160, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 signature algorithms to generate certificates. With it, you can create private keys of the RSA, DSA, and EC types, which are then used to generate digital certificates. It can create self-signed and CA-signed host certificates.

Now that sharing information online is an everyday practice, keeping that information secure is essential. X.509 certificates are used in several Internet protocols (TLS/SSL) as well as in offline applications (e-signatures). They serve multiple security purposes such as Digital Signature, Non-Repudiation, TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, IP security end entity, Key Agreement, Encipher/Decipher, etc.

How to Create X.509 Certificate?

You first need to create a database in which to store private keys and digital certificates. XCA offers added security by encrypting (with a passphrase) the private keys you add to the database. RSA and DSA private keys can be generated in four sizes: 1024 bit, 2048 bit, 4096 bit and 8192 bit. For EC keys, you select a curve from a list that includes X9.62, SECG, NIST, etc. curves.

You may also import a PKCS#12 (.p12, .pfx) or PKCS#7 (.p7s, .p7m, .p7b) certificate file which contains a private key and an X.509 certificate. The software also offers an export feature that lets you export private keys in multiple formats. You can export the public and private parts of the key in PEM, DER, and SSH2 formats. Further formats for saving private keys are PEM encrypted, PKCS#8 encrypted and PKCS#8 unencrypted.

This software lets you create and export PKCS#10 certificate requests and X.509 certificates. You need to fill in and specify the following details: signature algorithm, private key to use, internal name, X509v3 constraints, key identifier, X509v3 subject/issuer alternative names, key usage, validity (before, after), etc. It also lets you select Netscape cert types such as SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA.

The Certificate Export function writes a certificate to an external file. The supported formats are:

  • PEM, PEM with Certificate chain, PEM all trusted Certificates, PEM all Certificates, DER, PKCS#7, PKCS#7 with Certificate chain, PKCS#7 all trusted Certificates, PKCS#7 all Certificates, PKCS#12, PKCS#12, PEM cert + key, PEM cert + PKCS8 key

You can also generate a certificate revocation list (CRL) to revoke certificates. A CRL may be exported in .pem, .der, or .ics format.

XCA also offers some extra functions: dump database, export certificate index, export certificate index hierarchy, and change database password. Two of its extra features are especially noteworthy: Generate DH (Diffie-Hellman) Parameters and OID Resolver.
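The options listed above include 1024-bit RSA/DSA keys and MD5 or SHA-1 signatures, which fall below current practice (MD5 and SHA-1 have practical collision attacks, and 2048 bits is the usual minimum for RSA and DSA). The following is an added example, not part of XCA or of the original article: a shell check that uses the `openssl` command-line tool to flag such choices in a certificate exported in PEM format. The function names, the thresholds and the throwaway self-signed test certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example (not XCA code): audit a PEM certificate for weak parameters.
# Thresholds are this example's policy: no MD5/SHA-1 signatures,
# RSA/DSA keys >= 2048 bits, EC keys >= 224 bits.

# audit_cert FILE: prints findings; returns 0 = ok, 1 = weak, 2 = unreadable.
audit_cert() {
    ac_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "$1: cannot parse as a PEM certificate"
        return 2
    }
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption.
    ac_sig=$(printf '%s\n' "$ac_text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # Key type, e.g. rsaEncryption, dsaEncryption, id-ecPublicKey.
    ac_alg=$(printf '%s\n' "$ac_text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Key size from "Public-Key: (2048 bit)"; empty for key types without one.
    ac_bits=$(printf '%s\n' "$ac_text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    ac_rc=0

    case $(printf '%s' "$ac_sig" | tr 'A-Z' 'a-z') in
        *md5*|*sha1*)
            echo "$1: weak signature hash: $ac_sig"; ac_rc=1 ;;
    esac
    case "$ac_alg" in
        rsaEncryption|dsaEncryption) ac_min=2048 ;;
        id-ecPublicKey)              ac_min=224 ;;
        *)                           ac_min=0 ;;
    esac
    if [ -n "$ac_bits" ] && [ "$ac_bits" -lt "$ac_min" ]; then
        echo "$1: weak key: $ac_alg $ac_bits bit (minimum $ac_min)"; ac_rc=1
    fi
    [ "$ac_rc" -eq 0 ] && echo "$1: ok ($ac_sig, $ac_alg ${ac_bits:-?} bit)"
    return "$ac_rc"
}

# make_sample_cert OUT BITS: constructed test input, a throwaway
# self-signed RSA certificate (SHA-256) with the given key size.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -sha256 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Command-line use: sh audit.sh cert1.pem cert2.pem
for ac_file in "$@"; do audit_cert "$ac_file"; done
```

For a DER export, convert it first with `openssl x509 -inform DER -in cert.der -out cert.pem`.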


In cryptography, digital certificates are used to achieve multiple security goals. XCA is a useful X.509 certificate generator and key management tool. Apart from these functions, it offers the additional handy tools discussed above. It is free and open-source software.

