MS-CAPI Bridge for Mozilla NSS

Keyon / MS-CAPI Bridge for Mozilla NSS (Network Security Services) is a Dynamic Link Library (DLL), which provides access to the credentials in the Microsoft Certificate Store over virtual tokens using the PKCS#11 (Cryptoki) API (application programming interface).

Applications such as Microsoft Firefox can thus use certificates and keys available in the Microsoft Certificate Store and the Microsoft CryptoAPI.

Key Features

  • Provides access to keys and certificates in the user's certificate store (MY) for client authentication and secure mail.
  • Support RSA keys managed by the standard Crypto API (CAPI) and the Crypto API
    Next Generation (CNG).
  • Supports both soft tokens and Smart Cards. As long as the key is available over the
    Microsoft CryptoAPI, it can be used from Mozilla NSS based applications. To support
    a Smart Card, only a cryptographic service provider for Windows is necessary.
  • If a PIN is required to use a credential, the PIN entry dialog from the Microsoft
    CryptoAPI is used.
  • Supports SSO if the underlying Smart Card in the CryptoAPI supports it.
  • Certificates are added and removed from the virtual token as soon as they are
    added or removed in the Microsoft Certificate Store. There is no need to restart the
    application if new certificates become available.
  • Access to credentials in the Microsoft Certificate Store is read only, i.e. it is not
    possible to accidentally delete certificates or keys e.g. in Mozilla Firefox.
  • Provides access to certificates in the user’s trust store (Root, CA and
    TrustedPublishers) allowing easy deployment of trusted CAs using the group policy.


Smart card and Token integration to Java

JACAPI - Use certificates from Microsoft Windows in Java

While Microsoft provides with the CAPI on Windows a standard interface for cryptographic operations, Java brings, due to platform independency, its own solution. Keyon combines with the token framework different standards and provides a simple and cost-effective integration of Microsoft-specific security functions as well as hardware tokens into your infrastructure.


Under Microsoft Windows, CAPI is the standard interface for all cryptographic functions. Standard applications are built on this API such as Internet Explorer or Outlook. With the JACAPI Provider by Keyon, Java applications can, for the first time, access user specific X.509 certificates on Windows. Java applications can make use of Microsoft Windows features such as single sign-on (SSO).



JAP11 - PKCS#11 access for Java applications

PKCS#11 is a standardized interface for cryptographic operations on hardware tokens (smart cards, USB tokens, HSM) and is provided by most manufacturers as native library for various platforms. With Keyon’s JAP11 Provider, all PKCS#11 compatible hardware token can be used simply and transparently in Java applications.


JAPROX - Intelligent mapping of keys to JCE providers

The concurrent support of software and hardware token in Java involves various problems. Individual JCE providers support only software token, others only hardware token. JAPROX provides transparent parallel operation of software and hardware token in Java application without adjustment of the corresponding source code.