CryptoSys PKI Toolkit

The CryptoSys PKI Toolkit provides you with an interface to public key cryptography functions from Visual Basic, VB6, VBA, VB.NET, VB2005/8/x, C/C++ and C# programs on any modern Windows system (W8/W7/2008/Vista/2003/XP/2K/NT4/Me/W9x).

Read the Manual | Features | BUY NOW | Download Trial | Examples

Licensed Users | Feedback | Support | Documentation | FAQ | Programming | SAT Mexico | FirmaSAT | German Health Service | Chile SII | Portugal DGCI | .NET Interface | Other Interfaces | Known Issues | Error Codes | Integrity | Contact | Search

You can create and read both enveloped-data (encrypted) and signed-data Cryptographic Message Syntax (CMS, PKCS#7) objects, which you can use in S/MIME email messages; verify the digital signature in a signed-data CMS object; generate and manage RSA public and private keys; carry out "raw" RSA encryption and digital signing, make PKCS#10 certificate request files, and create and manage X.509 certificate files.

See how the CryptoSys PKI Toolkit compared in the CMS (RFC 3852) Implementation Report [PDF (98 kB)] back in 2009 (we're implementation #3).

Other utilities included in the toolkit are the ability to generate message digest hash values using SHA-1/224/256/384/512 and MD5; generate HMAC keyed-hash message authentication values, wipe files using 7-pass DOD standards, generate cryptographically-secure random numbers to the strict NIST SP800-90 standard†, prompt for a password, and convert to and from base64- and hexadecimal-encoded formats. There is a 64-bit version included - see Using on a 64-bit system. If you just need standard symmetrical cryptography, see our alternative product CryptoSys API.

Earlier visits
Latest stuff:
2014-09-09: Complete update of German Health Service page to reflect 2014 V3.0 changes.
2014-09-02: New New version 3.10 of CryptoSys PKI released.
2013-09-04: Update and new code for XML-Dsig and the Chile SII.
2012-10-01: How to create a SAT Cancelacion document using the CryptoSys PKI Toolkit
2012-09-20: How to generate a UUID compliant with RFC 4122
2012-05-09: Signing an XML document using XMLDSIG (Part 2)
2010-12-04: Accented characters and UTF-8 in XML-DSIG signatures.
2010-11-25: Update on Portugal DGCI Billing Software Certification.
2010-06-30: PKI Examples VB6 to VB.NET.
2010-03-17: Using Delphi with CryptoSys PKI
2010-06-25: Writing an interface in another programming language.
2009-09-04: Complete update to SAT Mexico page.


Note 2013-09-21: Our implementation does not use the Dual EC_DRBG component of NIST 800-90 that potentially contains an NSA backdoor. CryptoSys PKI does not use OpenSSL in any form.

CryptoSys PKI uses a straightforward Win32 DLL which is compatible with all modern versions of Windows (W8/W7/2008/Vista/2003/XP/2K/NT4/Me/W9x). There is no "COM", no "Active-X", and no requirement to "register" it with Windows to use it. The installed executable has a small footprint of about 500 kB. Developers can easily distribute it with their projects made in Visual Basic, VBA, C, C++, VB.NET/VB2005+ or C# (in fact, in any other programming language that will let you call Win32 API functions including Delphi - see Extra Interfaces). A separate compilation for 64-bit systems is also included.

For more information on how the RSA key data is stored and how the various functions work together, see RSA Key Formats. For some examples, see the Examples section below. For the theory and more detailed explanations of how RSA is used in practical applications, see RSA algorithm including its use in creating ISO/IEC 9796 signatures in the AUTACK scheme.

Note that the CryptoSys PKI Toolkit is totally independent from our original CryptoSys API product. The two packages do different things and do not require the other in order to work: see a Comparison of CryptoSys Features for a summary.

Feedback on the CryptoSys PKI Toolkit

“ First of All, GREAT PRODUCT your CryptoSys PKI Toolkit. Really, Congratulation on this Great Product, I really liked it. ”

“ I just got my licensed version and try succesfully to distribute my PKI based application on my alternate notebook : it took me a few seconds and it works fine. I spent in the past a lot of time trying to find a so easy to use software for cryptographic actions. Thanks again ! ”
  -Luc B.

“ Great product - just what I was looking for - bought a copy this morning. ”
  -Raymond S.

“ It seems to be a very good and powerful toolkit ”
  -Bernd R.

“ Thank you very much for the quick and detailed answer. It helped me a lot and now my program works pretty good, I have signed and encrypted my data successfully. ”
  -Dimitris M.

“ I wanted to let you know we [purchased] CryptoSys Software to include in an ERP project we are working on in Mexico. I had tried other digital signature products that required the certificate (with private) key first be stored in the Win certificate store and then I wasn't getting the correct signature. So, I guess there is something special about how you are using the .key file that is provided by SAT Mexico. I am very glad I came across your product. Thank you ”
  - Herman K.

“ Last Tuesday I have completed the certification process in the DGCI. Everything is as they intend. So CryptoSys PKI can "attack" the Portuguese market. :-) ”
  - António


There are two manuals available: one main manual and a supplementary one for .NET users. See the CryptoSys PKI Manual page.


Download the latest Trial Edition of the CryptoSys PKI Toolkit now. Use either

Unzip the zip file and run the setup.exe program inside it, or download the exe program directly and run it.

Please note it is a breach of copyright to put a copy of these installation files on another server or to distribute them in any manner except by providing a link to this page.

The Trial Edition is fully-functional and the download includes the full set of manuals and test functions in Visual Basic (VB6/VBA), VB.NET, C and C#. Please read the licence conditions for the Trial Edition. The latest version 3.10.1 is dated 23 September 2014. The trial period is 60 days from the date first installed on your system.

Is there a virus in these? Some of the more paranoid anti-virus checkers (notably AntiVir) sometimes show that these downloads contain a "Generic trojan-dropper". This is a false positive. The files are clean. You can upload the files individually to the AV vendors' sites and they will be shown as clean.

Please note that all the above files are digitally signed with our signing certificate under the name of D.I. Management Services Pty Limited. You can check the integrity of your DLLs here.

You need to have administrator rights when installing and uninstalling.

You can purchase a licenced version here. Existing licence holders can download the latest Developer Version here.


There is an example of each function in the manual and a series of tests in VB6/VBA, VB.NET/VB2005, C/C++ and C# provided with the installation download. These test programs should be in C:\Program Files\CryptoSysPKI, or C:\Program Files (x86)\CryptoSysPKI on a 64-bit machine.

See the PKI Examples Page for more details and more examples.

We get lots of queries asking how to use the RSA_Raw functions to do simple RSA encryption and signing. See Raw RSA Techniques for a guide to methods available in the latest version, including the EncodeMsg and DecodeMsg functions. If you want more detailed information about the different formats in which RSA keys can be stored, how the keys are used to create X.509 certificates, and all the different functions in the Toolkit that create, read and save the key data, you may find the information in RSA Key Formats useful. See also Importing an RSA key from known parameters.

Mexican Government SAT

The CryptoSys PKI Toolkit includes full support for the private key files published by the Servicio de Administración Tributaria in Mexico. See SAT Mexico Example for some sample code. New 2011-12-29 New improved version 5 of FirmaSAT utility to create digital signatures in SAT versions 2.0 and 3.0 format (and now versions 2.2 and 3.2) and more now available. See FirmaSAT.

Security interface for the German health care insurances services

Updated 2014-09-09 2014-09-09: The CryptoSys PKI Toolkit should comply with the requirements of the security interface for data exchange for the German health service version 3.0. See Data Exchange in the German Health Service with CryptoSys PKI.

“ CryptoSys PKI Toolkit erfüllt alle Voraussetzungen, die notwendig sind, gemäß der Security Schnittstelle für den Datenaustausch im Gesundheitswesen Version 1.5, um mit den Datenannahmestellen der gesetzlichen Krankenkassen und dem ITSG-Trustcenter zu kommunizieren. Anders als bei DAKOTA stehen hier alle notwendigen Prozeduren in einer einzigen DLL zur Verfügung. Für das Erstellen der Zertifizierungsanfrage, dem Einlesen der Zertifizierungsantwort, dem Signieren / Verschlüsseln der Nachricht und der Speicherung der Daten (Zertifikate, privater Schlüssel, Annahme-pkcs.key) sind Beispiele in VB vorhanden. Sowohl der Zertifikatsantrag (PKCS#10 Format) beim ITSG-Trustcenter als auch die Datenübermittlung (PKCS#7 Format) an AOK, IKK, BKK, LKK, Knappschaft wurden erfolgreich durchgeführt. CryptoSys PKI Toolkit wird im Leistungserbringerverfahren und im Arbeitgeberverfahren erfolgreich eingesetzt. ”
“ Just to update you, after last changes, now everything is going on like a music. ”

XML-Dsig and the Chile SII

On the XML-Dsig and the Chile SII page we look at creating digital signatures in XML documents (XML-Dsig) using the standards for electronic invoices set by the Servicio de Impuestos Internos (SII) of Chile ("Internal Revenue Service"). We show how you could use our CryptoSys PKI Toolkit to do the cryptographic operations to sign, read and verify the necessary files, and we give some hints on how to do the [expletive deleted] canonicalization.

Portugal DGCI Billing Software Certification

On the Portugal DGCI Billing Software Certification page we look at the new Billing Software Certification (Certificação de Software Facturação) scheme introduced by the Portugal General Directorate of Taxes (Direcção Geral dos Impostos) (DGCI) in June 2010. We point out the problems that are guaranteed to arise in using the OpenSLL software in the manner suggested, as well as apparent errors in the test vectors provided.

We provide some code using our CryptoSys PKI Toolkit that analyzes the test vectors given in the technical specification and create and verify signatures in the format as specified. There is some more code that shows how you could create your own RSA keys and create a self-signed X.509 certificate from them.

Interfaces to other programming languages

See Writing an interface in another programming language for advice and examples in how to use CryptoSys PKI with other programming languages, including Visual FoxPro and PowerBuilder.

For Delphi, see the page Using Delphi with CryptoSys API, CryptoSys PKI for more details and some sample code.


Check the integrity of your PKI software against our published checksums and message digests.

New or Updated in the latest versions

Version 3.10.1:

(23 September 2014)

Version 3.10.0:

(2 September 2014)

Versions 3.9.1 to 3.9.4:

(4 October 2012 to 9 October 2013)

Version 3.9:

(8 September 2012)

Version 3.8:

(14 January 2012)

† This change is to help users of certain brain-dead web service in Mexico that apparently cannot cope with anything else. Thanks to Adrián Galván for pointing this out to us.

Version 3.7:

(1 July 2011)

Version 3.6:

(23 August 2010)

Version 3.5:

(2 May 2010)

Version 3.4:

(19 December 2009)

Version 3.3:

(21 February 2009)

Version 3.2:

(2 February 2008)

Version 3.1:

(2 August 2007)

Version 3.0:

(27 March 2007)

Thanks to all users who have suggested improvements and in particular to Bernd Rech for his suggestions, advice and help.


For more information, please send us a message.

This page last updated 19 November 2014