CodeMeter Certificate Vault


Certificates are the IT world’s way of identifying individuals and devices. The person or device in question has to possess a key pair with a secret private key. A central entity (the CA or certificate authority) confirms that the corresponding public key belongs to that person or device. It does so by using a certificate: To authenticate the identity, a cryptographic operation is conducted with the private key and verified with the public key. Additionally, the validity of the certificate itself is checked.

The strong security offered by certificates is immediately apparent when comparing them to passwords. Passwords can be revealed accidentally or shared intentionally by the user. Also, hackers can get access to a password by means of a phishing attack. CodeMeter Certificate Vault holds the keys securely inside the smart card chip embedded in CmDongles, so they cannot be retrieved and copied. While passwords are used time and time again, in the case of certificates, a new cryptographic operation is performed each time a private key is used.

CodeMeter Certificate Vault works as a PKCS#11 compliant token provider, integrating with the Microsoft Cryptographic API Next Generation (CNG) as a Key Storage Provider (KSP), and working with OpenSSL API e.g. to keep and use the keys for TLS certificates. It is fully integrated with many essential applications including browsers, VPNs, and email clients. The keys kept in CmDongles can neither be read nor otherwise accessed, protecting them from all duplication or tampering attempts.

Compared to the typical user convenience of passwords, implementing certificates is a highly intricate process that makes certificates an unpopular choice in many cases. However, an integration in CodeMeter License Central simplifies the creation and rollout of certificates, making them more amenable to widespread use.


All applications using the following interfaces

  • PKCS#11
  • Microsoft KSP
  • OpenSSL

are compatible with CodeMeter Certificate Vault.

These include for instance:

  • Email clients like Microsoft Outlook and Mozilla Thunderbird
  • Web browsers like Google Chrome, Mozilla Firefox, and Microsoft Explorer
  • VPN systems like OpenVPN and OpenConnect
  • Document signature applications like Adobe Acrobat and OpenOffice


Via OpenSSL, CodeMeter Certificate Vault is also ready for integration with other applications such as an OPC UA server.

OPC UA is used in M2M communication as a standard protocol to facilitate the sharing of data between controllers made by different producers. Private keys and certificates are required to identify each device and establish a secure channel for communication. The keys in particular, but also the related certificates, can be safely stored and kept on CmDongles.

Through the support of OpenSSL, CodeMeter can be universally integrated with all OPC UA stacks, irrespective of the specific provider of the stack.


CodeMeter Certificate Vault Version 1.8 supports this initial set of functions:

  • Importing keys and certificates via a WibuCmRaU file
  • Using keys
  • Reading certificates


CodeMeter Certificate Vault Version 1.8 works with 1024 and 2048-bit RSA.

Runtime Components

For greater versatility in the field, CodeMeter Certificate Vault supports both CodeMeter Runtime for desktop systems and CodeMeter Embedded for embedded devices.

CodeMeter Container

CodeMeter Certificate Vault Version 1.8 works with the most secure type of container: a CmDongle. The keys are stored securely in the integrated smart card chip, where they are shielded from all prying eyes, whereas the certificates remain in the readable part of the CmContainer.

CodeMeter License Central Integration

CodeMeter License Central is the solution for creating, managing, and assigning licenses, digital rights, and keys. Extensions are used to create and distribute certificates.

For a simpler process, the key pair is created in CodeMeter License Central and bound to a dedicated CmContainer (1). As soon as a request with the ID of this CmContainer is sent to CodeMeter License Central (2), key and certificate are packed into a WibuCmRaU file and returned to the user (4). The file is encrypted with a key of the client’s CmContainer and can only be imported and decrypted in that CmContainer. This makes it far easier to roll out and distribute certificates by simply pushing them into the known and secure CmContainer.

SOAP can be used to integrate the certificate creation process with existing CA solutions (3).

Interested in a personalized offer for our CodeMeter technology? Just answer a few questions and our team will get back to you with all the information you need.


To top