Release 5.6.1 3 Jan 2026$$$This release includes the following improvements; new algorithms; translations and bugfixes:$$$$$$Verification of JAR Files$$$Signing JAR files has been part of KSEs functionality for a long time. Now it is also possible to verify the signatures of signed JAR files.$$$$$$This can be done via the Verify JAR File Signature menu item in the Tools menu.$$$$$$After selecting a signed JAR file; KSE will display the details of the signatures found in the JAR file and indicate whether the signatures are valid or not.$$$$$$The verification details are very similar to the output of the jarsigner -verify command (see for example jarsigner - example of verifying a signed jar file).$$$$$$The details include:$$$$$$the overall signature status$$$for each file in the JAR the name; size; date and verification flags$$$a button to show further details about the signatures (a jar can have multiple signatures)$$$a button to show the certificates$$$The meaning of the verification flags are probably already known from jarsigner but here is a short explanation (the same explanation is displayed in the tooltip when you hover over the flags column header):$$$$$$s = signature was verified$$$m = entry is listed in manifest$$$k = at least one certificate was found in keystore$$$$$$Post Quantum Cryptography (PQC) Algorithms: ML-DSA; ML-KEM and SLH-DSA$$$KSE now supports the ML-DSA and SLH-DSA signature and key algorithms. These algorithms are part of the NIST standardization process for post-quantum cryptography (PQC).$$$$$$Supported are the following operations with these algorithms:$$$$$$key pair generation$$$signing certificates; CSRs; CRLs; JARs and arbitrary files$$$import and export of private and public keys$$$viewing key details$$$In addition to that KSE also supports generating ML-KEM keypairs; but only in certificates that are signed with another key pair (as ML-KEM is a key encapsulation mechanism and not a signature algorithm). This is achieved by using the Sign New Key Pair feature in the context menu of a signature key and selecting ML-KEM as the key algorithm for the new key pair. The result is basically the same as using the keytool commands described in JEP 496.$$$$$$SM2 and ECGOST$$$KSE now supports the SM2 and ECGOST signature and key algorithms. These algorithms are widely used in China (SM2) and Russia (ECGOST). They are elliptic curve algorithms and can therefore be used by selecting the EC key type with the respective curve set in the key generation dialog.$$$$$$SM2 is currently only supported for keystore files of type BKS; BCFKS and UBER.$$$$$$Supported are the following operations with these algorithms:$$$$$$key pair generation$$$signing certificates; CSRs; CRLs; JARs and arbitrary files$$$import and export of private and public keys$$$viewing key details$$$$$$Improved Key Pair Import$$$In previous releases the user had to select the format of the key in the key pair import dialog; e.g. PKCS#8; PKCS#12; OpenSSL etc. Sometimes it was not clear which format to select. Or in some cases the files had a wrong file extension that did not match the actual format. This lead to confusion and import errors.$$$$$$Now the key pair import dialog automatically detects the format of the key to import.$$$$$$In addition to that it is now possible to import key pairs without a matching certificate. In Java keystores key pairs are always associated with a certificate chain. But if the key pair has no certificate yet; KSE now creates a self-signed certificate automatically during the import process.$$$$$$If you leave the certificate fields empty and click the Import button; KSE will ask whether a self-signed certificate should be created.$$$$$$Offering the generation of a self-signed certificate if none was provided was a contribution by Jairo Graterón.$$$$$$Store a Password in a KeyStore$$$With keytool you can store arbitrary passwords/passphrases in a keystore using the -importpass command. KSE now supports this feature as well.$$$$$$The passphase entries can

GUI replacement for the Java command-line utilities keytool and jarsigner

GUI replacement for the Java command-line utilities keytool and jarsigner

GUI replacement for the Java command-line utilities keytool and jarsigner

GUI replacement for the Java command-line utilities keytool and jarsigner

Release 5.6.0 - 17 May 2025$$$This release includes the following new features; enhancements; translations and bugfixes:$$$$$$KeyStore Password Manager$$$The KeyStore password manager is a new feature that allows to store and manage passwords for keystore files. In combination with the new password generator it is now very easy to create and open keystores without having to type long passwords.$$$$$$The password manager can be used by selecting the checkbox Store this keystores passwords in KSEs password manager when creating a new keystore or opening an existing one. This decision is on a per-keystore basis and it includes all passwords of this keystore; but it can be changed later.$$$$$$On the first use of the password manager; a global password for the password manager must be set. This password is used to encrypt the passwords stored in the password manager.$$$$$$In the preferences dialog a new section has been added for the configuration of both the password manager and the password generator.$$$$$$In the next releases; more configuration options for the password manager will be added.$$$Key Export in JWK Format$$$The JSON Web Key (JWK) format is a JSON representation of cryptographic keys. It is defined in RFC 7517 and is used in many modern web applications.$$$$$$KSE can now export public and private keys in JWK format. Supported are currently RSA and EC keys (no Ed25519).$$$$$$This feature was contributed by tenpertur.$$$$$$Verification of JWT Signatures$$$In one of the last releases; KSE introduced a viewer for JWT (JSON Web Token) files; which can be used via the Examine File or Examine Clipboard menu items.$$$$$$This JWT viewer can now also verify the signatures of JWT files. This is done by pasting a public key in encoded as PEM or Base64 DER into the public key field of the JWT viewer and then clicking the verify button. Supported are RSA and EC keys and the corresponding signature algorithms (RS...; ES... and PS...).$$$$$$This feature was contributed by Jairo Graterón.$$$$$$For more details refer- https://keystore-explorer.org/releases.html$$$

Release 5.6.0 - 17 May 2025$$$This release includes the following new features; enhancements; translations and bugfixes:$$$$$$KeyStore Password Manager$$$The KeyStore password manager is a new feature that allows to store and manage passwords for keystore files. In combination with the new password generator it is now very easy to create and open keystores without having to type long passwords.$$$$$$The password manager can be used by selecting the checkbox Store this keystores passwords in KSEs password manager when creating a new keystore or opening an existing one. This decision is on a per-keystore basis and it includes all passwords of this keystore; but it can be changed later.$$$$$$On the first use of the password manager; a global password for the password manager must be set. This password is used to encrypt the passwords stored in the password manager.$$$$$$In the preferences dialog a new section has been added for the configuration of both the password manager and the password generator.$$$$$$In the next releases; more configuration options for the password manager will be added.$$$Key Export in JWK Format$$$The JSON Web Key (JWK) format is a JSON representation of cryptographic keys. It is defined in RFC 7517 and is used in many modern web applications.$$$$$$KSE can now export public and private keys in JWK format. Supported are currently RSA and EC keys (no Ed25519).$$$$$$This feature was contributed by tenpertur.$$$$$$Verification of JWT Signatures$$$In one of the last releases; KSE introduced a viewer for JWT (JSON Web Token) files; which can be used via the Examine File or Examine Clipboard menu items.$$$$$$This JWT viewer can now also verify the signatures of JWT files. This is done by pasting a public key in encoded as PEM or Base64 DER into the public key field of the JWT viewer and then clicking the verify button. Supported are RSA and EC keys and the corresponding signature algorithms (RS...; ES... and PS...).$$$$$$This feature was contributed by Jairo Graterón.$$$$$$For more details refer- https://keystore-explorer.org/releases.html$$$

GUI replacement for the Java command-line utilities keytool and jarsigner

GUI replacement for the Java command-line utilities keytool and jarsigner

Release 5.5.3 29 Dec 2023$$$Improvements$$$Comparing certificates - two ways to compare certificates have been added:$$$Side-by-side textual comparison: By selecting two certificates in the main view and choosing Compare in the context menu; a summary of the most important certificate data and an ASN.1 dump of both certificates is displayed side by side and the differences are marked in a contrasting color (contributed by Jairo Graterón).$$$Multiple certificate view dialogs: The certificate viewer dialog is now non-modal; which means several instances of this dialog can be kept open at the same time. This allows to view multiple certificates at the same time (contributed by Piotr Kubiak).$$$Added new configuration options:$$$Size of generated certificate serial number (contributed by dedabob)$$$FlatLaf macOS themes$$$Added functionality to examine JWT in system clipboard (contributed by Afonso Fernandes)$$$Added PBES2 algorithms as encryption options for PKCS#8 export of private keys:$$$PBES2 with SHA-1 and TDES$$$PBES2 with SHA-1 and AES-128$$$PBES2 with SHA-1 and AES-256$$$PBES2 with SHA-256 and AES-256$$$Added export button in private key view dialog (contributed by Jairo Graterón)$$$Added verify button in the CSR view dialog to check its signature$$$Added start of certificate validity as additional optional column for main table view (contributed by Björn Michael)$$$Improved certificate key usage and EKU dialogs by adding tooltips with additional details (contributed by The-Lum):$$$For the key usage extension the number of the bit (for example 0 for digitalSignature)$$$For extended key usage the OID of the key usage$$$Enlarged default size of ASN.1 dump window; hex dumps are now displayed in two columns of 8 bytes instead of one (contributed by The-Lum)$$$Added total number of revoked certs to CRL view$$$Added length info to OCTETSTRING and BITSTRING in ASN1 viewer$$$HTTP redirects for downloads of CRLs and CRTs are now supported (contributed by Jairo Graterón)$$$Made several adjustments to file extensions used as filters in file chooser dialogs and as default extensions for export files. The reasons were to adapt to existing official standards and also to avoid conflicts with other file types (thanks to Sergey Ponomarev for his investigations):$$$Changed default file extension for private key export as DER-encoded PKCS#8 from .pkcs8 to .p8 as this extension was registered with IANA (contributed by Sergey Ponomarev)$$$Changed default file extension for private key export as DER-encoded PKCS#1/ECPrivateKey from .key to .privkey (.key is used for PGP/GPG files and also for Keynote presentations and there seems to be no official file extension for these formats)$$$Changed default file extension for public key export as DER-encoded RFC 5280 SubjectPublicKeyInfo from .pub to .pubkey (.pub is used for MS Publisher files)$$$Changed default file extension for PEM-encoded files to .pem (usually in combination with a prefix for the actual content like .p8.pem or .pubkey.pem)$$$Added .p8; .p8e and .pk8 as file extension filters for selecting / importing PKCS#8 files (contributed by Sergey Ponomarev)$$$Added .pem as file extension filter to all file chooser dialogs that could possibly open PEM files$$$Changed dialogs for key pair generation and signing CSRs to display serial number as hex string$$$Improved certificate chain detection$$$Adjusted password quality meter to show more realistic results$$$Replaced IdenTrusts TSA with QuoVadis$$$Improved handling of invalid PEM files$$$The certificates selection dialog is now resizable$$$Fixed typo in tooltips for public key fingerprint$$$Improved French translation (by The-Lum)$$$Improved German translation$$$Updated third-party libraries to latest versions; BC is now at version 1.77$$$Bug Fixes$$$Fixed handling of GeneralName/OtherName/UPN (reported by Björn Michael)$$$Fixed handling of explicitly specified EC curve parameters (reported by Arnieh)$$$Fixed calende