X Certificate and Key Management

This application is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs.
Everything that is needed for a CA is implemented.
All CAs can sign sub-CAs recursively. These certificate chains are shown clearly.
For easy company-wide use, there are customisable templates that can be used for certificate or request generation.

All cryptographic data is stored in a SQL database. The following databases are supported:

  • SQLite (Single file)
  • MySQL (MariaDB)
  • PostgreSQL
  • Microsoft SQL-Server (via ODBC)

If you want to link to XCA, please use

Please use GitHub issues for bugs and questions.


  • Start your own PKI and create all kinds of private keys, certificates, requests or CRLs
  • Import and export them in any format like PEM, DER, PKCS#7, PKCS#12
  • Use them for your IPsec, OpenVPN, TLS or any other certificate-based setup
  • Manage your smart cards via the PKCS#11 interface
  • Export certificates and requests as OpenSSL config file
  • Create subject and/or extension templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Get broad support for x509v3 extensions, as flexible as OpenSSL but more user-friendly
  • Adapt the columns to have your important information at a glance


  • PKCS#1 unencrypted RSA key storage format.
  • PKCS#7 Collection of public certificates.
  • PKCS#8 Encrypted private key format for RSA, DSA and EC keys.
  • PKCS#10 Certificate signing request.
  • PKCS#11 Security token / Smart card / HSM access.
  • PKCS#12 Certificate, private key and possibly a CA chain.

File formats

  • DER Distinguished Encoding Rules - Binary format
  • PEM Privacy Enhanced Mail - Text format
  • SSH2 Public key


  • Templates for common subjects and extensions.
  • All subject entries, x509v3 extensions, and other properties can be displayed in separate columns.
  • Customizable subject entries
  • Drag & Drop support
  • Many certificate setting sanity checks
  • Easy association and transformation between keys, certificates and requests