Page tree

Page Contents

Jump to...

Exostar Key Management Agent™ (KMA)

Exostar offers various types of authenticators to access services including Managed Access Gateway (MAG).  Some of the authenticators are as follows:

  • USB PKI hardware tokens (i.e. Medium Level of Assurance MLOA hardware)
  • Software or Disk-based PKI Identity
  • Email certificate (i.e. Basic Level of Assurance BLOA software)
  • OTP hardware tokens and mobile application (i.e. phone-based OTP authenticators)

Exostar is changing the way PKI certificates are downloaded and installed on to USB PKI hardware tokens after MAG 7.2 release.  These changes only apply to the download and install of USB PKI hardware tokens and the use of USB PKI hardware tokens for users with an Enterprise Proofer role.  This change does not impact:

  • The day-to-day use of certificates (for example, to authenticate to MAG)
  • Other tokens including BLOA software, OTP hardware tokens or mobile applications

Users will need to use the Exostar Key Management Agent (KMA) to download and install certificates on to USB PKI hardware tokens (i.e. MLOA hardware).  For Software or Disk-based PKI Identity and Email certificates there is no need to install and use the KMA.

To self-check KMA™ click here. 

What is Exostar Key Management Agent (KMA)?

KMA is a Java based application developed by Exostar.  KMA replaces ActiveX as your tool for downloading digital certificates on your hardware token. 

NOTE:  KMA cannot be downloaded using Internet Explorer. 

Who should install KMA?

You will need to download and install KMA if you are:

  • A MAG user downloading digital certificates for hardware token for the first time
  • A MAG user renewing digital certificates for hardware token
  • An Enterprise Proofer
Level of AssuranceRequirements

Basic Level of Assurance (BLOA) Software 

BLOA SecureEmail Software

• Does not require in-person identity check (no proofing required)

• User does not have to download KMA™

• Identity certificates are stored on the user’s computer

Medium Level of Assurance (MLOA) Software

• In-person proofing required

• User does not have to download KMA™

• All 3 certificates (signature, identity and encryption) are installed on the user’s computer

Medium Level of Assurance (MLOA) Hardware

• In-person proofing required

• User has to download KMA™ but can use any modern browser

• All 3 certificates (signature, identity and encryption) are installed onto a USB token

I’ve already downloaded my hardware certificates, do I need KMA?

No, this change does not affect existing users who have already downloaded their digital certificates.

I have to renew my digital certificates for hardware token, do I need KMA?

Yes, you will need to install KMA before you can renew your certificates.

I use software certificates, do I need KMA?

No, software certificates do not need to download KMA

How do I self-check KMA™?

The self-test page will allow users to check their environment.  It helps users to understand and perform the steps to download and install KMA™ on their own computers.  It will also perform some nominal checks to ensure KMA™ is working properly.  To self-check KMA™, please visit

How do I install KMA?

The KMA application is packaged in a Microsoft Installer (MSI) which will guide you through the setup process.  Click here to learn how to install KMAKMA Quick Guide

Install KMA

To download and install KMA, click here.

To download and install Corporate KMA, click here.

KMA VersionDetails
KMA Desktop

KMA Desktop: ExostarKeyManagementAgentDesktop-1.0.66.msi

MD5: b9618dece33c923f361b21234454f3da

SHA2: f8d1bf823e41b6fafe5851f6d6f5fbdbe6083e58e0be94876670962832cac916

KMA Corporate


MD5: 7ac2858a635c9fd249bbb85a011810fc

SHA2: 502f515140f81220ebb7dde0d493db8f1b406bc3740ff850e9087b2bb7882d77

Is my system compatible with KMA?

The following operating systems and browsers are compatible with KMA:





MS Edge




Windows 10YesYesYes
Windows 8.1YesYesYes

*If you use Firefox to download KMA for software certificates, the certificates will be imported into OS key store.  Users will have to manually import the certificates into Firefox for 2FA into MAG.

Please note KMA cannot be downloaded using Internet Explorer (IE).

Downloadable Guides

FIS Product Guide: Full user guide on FIS product and how to download certificates. 

KMA Quick Guide: Quick guide on how to install KMA

KMA Release Notes

To view the release notes click here.

Common Issues / FAQs

We encourage our users to check if any of the errors you are seeing is listed below before reaching to Exostar Customer Support.

Issue 1: I am trying to download the certificates and receive an error message:

Error displays when you attempt to download digital certificates and the KMA™ is not downloaded.  Try and download KMA, if you are unable to download KMA reach out to your system administrators to understand the policy for downloads.

Issue 2: Is  KMA™ software vulnerable to log4j issue CVE-2021-44228?

No, KMA™ version 1.0.66 uses log4j v2.17.1 hence it is not vulnerable to above mentioned CVE. Make sure you are running latest version on KMA software.

How useful was this content?

Your Rating: Results: 1 Star 2 Star 3 Star 4 Star 5 Star 20 rates