To top
Products Products

CodeMeter Certificate Vault


Certificates are the IT world’s way of identifying individuals and devices. The person or device in question has to possess a key pair with a secret private key. A central entity (the CA or certificate authority) confirms that the corresponding public key belongs to that person or device. It does so by using a certificate: To authenticate the identity, a cryptographic operation is conducted with the private key and verified with the public key. Additionally, the validity of the certificate itself is checked.

The strong security offered by certificates is immediately apparent when comparing them to passwords. Passwords can be revealed accidentally or shared intentionally by the user. Also, hackers can get access to a password by means of a phishing attack. CodeMeter Certificate Vault holds the keys securely inside the smart card chip embedded in CmDongles, so they cannot be retrieved and copied. While passwords are used time and time again, in the case of certificates, a new cryptographic operation is performed each time a private key is used.

CodeMeter Certificate Vault works as a PKCS#11 compliant token provider, integrating with the Microsoft Cryptographic API Next Generation (CNG) as a Key Storage Provider (KSP), and working with OpenSSL API e.g. to keep and use the keys for TLS certificates. It is fully integrated with many essential applications including browsers, VPNs, and email. The keys kept in CmDongles can neither be read nor otherwise accessed, protecting them from all duplication or tampering attempts.

Compared to the typical user convenience of passwords, implementing certificates is a highly intricate process that makes certificates an unpopular choice in many cases. However, an integration in CodeMeter License Central simplifies the creation and rollout of certificates, making them more amenable to widespread use.


All applications using the following interfaces

  • PKCS#11
  • Microsoft KSP
  • OpenSSL

are compatible with CodeMeter Certificate Vault.

These include for instance:

  • Email clients like Microsoft Outlook and Mozilla Thunderbird
  • Web browsers like Google Chrome, Mozilla Firefox, and Microsoft Explorer
  • VPN systems like OpenVPN and OpenConnect
  • Document signature applications like Adobe Acrobat and OpenOffice

Via OpenSSL, CodeMeter Certificate Vault is also ready for integration with other applications such as an OPC UA server.


CodeMeter Certificate Vault Version 1.0 supports this initial set of functions:

  • Importing keys and certificates via a WibuCmRaU file
  • Using keys
  • Reading certificates


CodeMeter Certificate Vault Version 1.0 works with 1024 and 2048-bit RSA.

Runtime Components

For greater versatility in the field, CodeMeter Certificate Vault supports both CodeMeter Runtime for desktop systems and CodeMeter Embedded for embedded devices.

CodeMeter Container

CodeMeter Certificate Vault Version 1.0 works with the most secure type of container: a CmDongle. The keys are stored securely in the integrated smart card chip, where they are shielded from all prying eyes, whereas the certificates remain in the readable part of the CmContainer.

CodeMeter License Central Integration

CodeMeter License Central is the solution for creating, managing, and assigning licenses, digital rights, and keys. Extensions are used to create and distribute certificates.

For a simpler process, the key pair is created in CodeMeter License Central itself. The key and certificate are then packaged up by CodeMeter License Central in a special WibuCmRaU file for the client. The file is encrypted with a key of the client’s CmContainer and can only be imported and decrypted in that container. This makes it far easier to roll out and distribute certificates by simply pushing them into the known and secure CmContainer.

SOAP can be used to integrate the certificate creation process with existing CA solutions.