Add PKI-based functionality to client and server applications

  • Supported Platforms

  • .NET.NET

    Pure managed and integrated components, carefully optimized to achieve maximum performance comparable to native processor code. The .NET edition can be used on .NET and Mono server and desktop platforms, in ASP.NET and Silverlight applications, and on mobile devices.

  • .NETJava

    Highly integrated Java security library including numerous classes to enable support for a wide range of application-level protocols, security algorithms, and standards. You can use Java security libraries to develop software for desktop and server platforms, mobile devices, and Web applications.

  • .NETC++

    A shared library (.dll on Windows and .so on Linux / macOS) and set of C++ classes. Used in C++ applications for Windows, Linux, macOS, and iOS platforms. Supported compilers include Visual C++, MinGW, gcc, and Xcode.


    Highly integrated and blazingly fast native Delphi (Pascal) components for building native Windows, Linux, and macOS applications. All components are native Delphi, have no third-party binaries or references, and no reliance on Windows CryptoAPI. Also includes Delphi components for building Android and iOS apps.


    Integrated components for PHP scripts running on Linux and Windows servers.


Use PKIBlackbox to add PKI-based functionality such as X.509 certificate management, data processing (signing, encryption, and timestamping), and signing of executable modules to your applications. Also build server-side functions for timestamping and online certificate status validation.

Support for One-Time Passwords

Both HOTP and TOTP are supported in client and server applications.

Support for Cryptographic Hardware

Use hardware such as cryptocards and USB tokens compliant to the PKCS#11 interface in your PKI operations.

X.509 Support

X.509 certificates are used for signing and decryption of any information (PKCS#7 and CMS standards).

Long-term Signatures

PKIBlackbox can create long-term signatures with timestamping to the data (CAdES standard).

JSON-based Cryptography

JSON-based cryptography (JSON Web Keys, tokens, signing, and encryption) is supported for both desktop and Web applications.

Code Signing

Sign and timestamp your executables and libraries in PE format using MS Authenticodeā„¢ technology and verify the signatures.

Basic functions of PKIBlackbox are included in all packages of SecureBlackbox. Advanced functions, namely PKCS#11 interface, TSP and OCSP servers, Authenticode, X.509 certificate generation, CRL signing, and CMS and CAdES signing and encryption of data, One-Time Passwords, and ECIES encryption require a license for PKIBlackbox (included in the Standard and Professional packages).

Full Feature List

Base Cryptography

  • RSA and DSA asymmetric cryptography operations
  • Symmetric encryption using AES256, AES128, RC2, RC4, DES, 3DES, Camellia, Blowfish, Twofish, IDEA, Serpent, SEED, Rabbit, GOST, and CAST128
  • Hash calculation using SHA3, SHA2 (SHA512, SHA384, SHA256, SHA224), SHA1, MD5, MD4, MD2, RIPEMD160, GOST, and BLAKE2 algorithms
  • PBKDF2, BCrypt, SCrypt key derivation (adaptive hash functions)
  • Elliptic Curve Cryptography ( X9.62, SEC2, CryptoPro, Brainpool, and Cure25519 curve groups are supported )


PKIBlackbox helps you create and use of Certificate Requests in PKCS#10 and CMC (Certificate Management over CMS) formats. Specifically, the following operations are supported.

  • Handling of asymmetric keys from 512 to 16384 bits long
  • Support for RSA, DSA and DH keys
  • Support for Elliptic Curve Cryptography (ECC) - ECDSA keys
  • Support for both standard (predefined) and custom certificate extensions (as defined by X.509 v3)
  • Saving and loading of X.509 certificates in DER, PEM (base64-encoded DER), PKCS#7, PKCS#8, PKCS#12 (PFX), and JKS (Java KeyStore) formats
  • Saving and loading of private keys in DER, PEM (base64-encoded DER), PKCS#12 (PFX), PVK, and JKS (Java KeyStore) formats
  • Creation (generate, sign, issue) of self-signed and CA-signed certificates (PKIBlackbox license is required)
  • Validation of certificate integrity
  • Complete validation of certificate chains including use of OCSP and CRLs
  • (optional) FIPS-compliant operation mode

Certificate Requests

PKIBlackbox supports creation and use of Certificate Requests in PKCS#10 and CMC (Certificate Management over CMS) formats. Specifically, the following operations are supported.

  • Generation of certificate requests and corresponding private keys
  • Saving and loading of certificate requests in DER and PEM (base64-encoded DER) formats
  • Saving and loading of private keys in DER, PEM (base64-encoded DER), and PVK formats
  • Creation (generate, sign, issue) of certificates from certificate requests

Certificate Revocation Lists

PKIBlackbox supports operations with Certificate Revocation Lists (CRL) according to RFC 3280.

  • Creation and modification of CRLs
  • Support for CRL extensions and CRL Item extensions
  • Saving and loading of CRLs in DER and PEM (base64-encoded DER) formats
  • Checking of certificate presence in CRL
  • In addition to CRLs, SecureBlackbox lets you check certificate status in real-time using OCSP (Online Certificate Status Protocol, RFC 2560, and RFC 6960)

Certificate Storage

  • Support for in-memory, file-based, and system (Windows CryptoAPI) certificate storages
  • Support for LDAP certificate storages (with help of LDAPBlackbox package)
  • Powerful search by various criteria, including issuer, subject, dates, e-mails, and more
  • Saving and loading of storages in PKCS#7, PKCS#12 (PFX), and JKS (Java Key Storage) formats
  • Validation of certificates against certificates contained in the storage
  • Multithreaded access to certificate storages
  • For Windows Certificate Storage - access to per-user and system-wide storages
  • For Windows Certificate Storage - access to system, registry, in-memory, and LDAP storages

Cryptographic hardware support

  • Authentication using FIDO U2F tokens (add U2F authentication support to your servers, implement U2F soft-tokens, work with existing U2F tokens)
  • Full scope of operations with Cryptocards and USB Crypto Tokens via PKCS#11 interface (all operating systems)
  • Access and use of certificates, stored on Cryptocards and USB Crypto Tokens, via CryptoAPI (Windows only)
  • Operations with PIV smartcards via PC-SC interface on Windows, Linux, macOS

Data Encryption and Signing

  • Encryption and decryption according to PKCS#7 and CMS specification (RFC 3852)
  • Cryptographic signing and signature verification according to PKCS#7 and CMS specification (RFC 3852)
  • Timestamping and timestamp verification on signed data to ensure long-term validity of signatures
  • Implementation of CAdES specification
  • Support for ASiC (Associated Signature Container) format
  • Possibility to sign the data in distributed mode lets you build client-server document management systems with secure signing of documents
  • Data encryption and decryption using RSA certificates and AES (128 to 256 bit), Triple DES (3DES), ARCFOUR, RC2, and DES algorithms
  • ECIES (Elliptic Curve Integrated Encryption Scheme) encryption
  • Data signing and verification using ECDSA (ECC-based), RSA and DSA certificates and HMAC, SHA512, SHA384, SHA256, SHA1, MD5, and MD2 algorithms.
  • Implementation of CAdES specification with automatic collection of timestamps and revocation information (RFC 5126)
  • Support for all CAdES profiles: CAdES-BES, CAdES-EPES, CAdES-C, CAdES-T, CAdES-X, CAdES-XL, and CAdES-A
  • Timestamping and timestamp verification on signed data to ensure long-term validity of signatures

JSON Web Keys

The following Web Keys standards and functions are supported

  • JSON Web Signature (RFC 7515)
  • JSON Web Encryption (RFC 7516)
  • JSON Web Key (RFC 7517)
  • JSON Web Token (RFC 7519)


  • timestamping and timestamp verification using TSP (Timestamp Protocol, RFC 3161). Both TSP client and TSP server are available
  • Timestamping (both client and server sides) of PE files (Authenticode, Microsoft's PKCS#7 based standard for signing EXE and DLL files)
  • RFC 5544 timestamping of generic data (no signing required)