Exostar Key Management Agent™ (KMA)

Exostar offers various types of authenticators to access services including Managed Access Gateway (MAG).  Some of the authenticators are as follows:

  • USB PKI hardware tokens (i.e. Medium Level of Assurance MLOA hardware)
  • Software or Disk-based PKI Identity
  • Email certificate (i.e. Basic Level of Assurance BLOA software)
  • OTP hardware tokens and mobile application (i.e. phone-based OTP authenticators)

Exostar is changing the way PKI certificates are downloaded and installed onto USB PKI hardware tokens after the MAG 7.2 release.  These changes apply only to the download and installation of certificates on USB PKI hardware tokens and to the use of USB PKI hardware tokens by users with an Enterprise Proofer role.  This change does not impact:

  • The day-to-day use of certificates (for example, to authenticate to MAG)
  • Other tokens including BLOA software, OTP hardware tokens or mobile applications

Users will need to use the Exostar Key Management Agent (KMA) to download and install certificates onto USB PKI hardware tokens (i.e. MLOA hardware).  For Software or Disk-based PKI Identity and Email certificates, there is no need to install and use the KMA.

To self-check KMA™ click here

What is Exostar Key Management Agent (KMA)?

KMA is a Java-based application developed by Exostar.  KMA replaces ActiveX as your tool for downloading digital certificates onto your hardware token.

NOTE:  KMA cannot be downloaded using Internet Explorer. 

Who should install KMA?

You will need to download and install KMA if you are:

  • A MAG user downloading digital certificates for a hardware token for the first time
  • A MAG user renewing digital certificates for a hardware token
  • An Enterprise Proofer

Level of Assurance / Requirements

Basic Level of Assurance (BLOA) Software 

BLOA SecureEmail Software

• Does not require in-person identity check (no proofing required)

• User does not have to download KMA™

• Identity certificates are stored on the user’s computer

Medium Level of Assurance (MLOA) Software

• In-person proofing required

• User does not have to download KMA™

• All 3 certificates (signature, identity and encryption) are installed on the user’s computer

Medium Level of Assurance (MLOA) Hardware

• In-person proofing required

• User has to download KMA™ but can use any modern browser

• All 3 certificates (signature, identity and encryption) are installed onto a USB token

I’ve already downloaded my hardware certificates, do I need KMA?

No, this change does not affect existing users who have already downloaded their digital certificates.

I have to renew my digital certificates for a hardware token, do I need KMA?

Yes, you will need to install KMA before you can renew your certificates.

I use software certificates, do I need KMA?

No, users of software certificates do not need to download KMA.

How do I self-check KMA™?

The self-test page will allow users to check their environment.  It helps users to understand and perform the steps to download and install KMA™ on their own computers.  It will also perform some nominal checks to ensure KMA™ is working properly.  To self-check KMA™, please visit

How do I install KMA?

The KMA application is packaged in a Microsoft Installer (MSI) which will guide you through the setup process.  Click here to learn how to install KMA: KMA Quick Guide

Install KMA

To download and install KMA, click here.

MD5: 1d18dd7663501bf57799fc74993a4e87
SHA2: 8f650aa61e2fe31e5fc9572c3794aaaff6c584c8c7164d0863a28c8ddf8bb513
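
The digests above can be checked against the downloaded MSI before it is run. The following PowerShell is an added example, not Exostar's own tooling; the function name Test-InstallerDigest and the installer path are assumptions, and only the two digest values come from this page.

```powershell
# Digests copied from this page. The "SHA2" value is 64 hex characters, i.e. SHA-256.
$PublishedDigests = @{
    SHA256 = '8f650aa61e2fe31e5fc9572c3794aaaff6c584c8c7164d0863a28c8ddf8bb513'
    MD5    = '1d18dd7663501bf57799fc74993a4e87'
}

# Hypothetical helper: compares a file's digests with the published values.
function Test-InstallerDigest {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][hashtable]$Expected
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    # MD5Match stays $null if MD5 could not be computed on this machine.
    $report = [ordered]@{ Path = $Path; SHA256Match = $false; MD5Match = $null }
    foreach ($alg in 'SHA256', 'MD5') {
        try {
            $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg -ErrorAction Stop).Hash
        } catch {
            # MD5 may be unavailable, for example under an enforced FIPS policy.
            if ($alg -eq 'MD5') { continue }
            throw
        }
        $wanted = ($Expected[$alg] -replace '\s', '')
        $report["${alg}Match"] = [string]::Equals(
            $actual, $wanted, [StringComparison]::OrdinalIgnoreCase)
    }
    # Only SHA-256 decides: MD5 collisions are practical, so an MD5 match
    # alone detects accidental corruption but not deliberate tampering.
    $report['Trusted'] = $report['SHA256Match']
    [pscustomobject]$report
}

# Assumed download location; replace with the real path of the MSI you saved.
$installer = 'C:\Downloads\kma-installer.msi'
$result = Test-InstallerDigest -Path $installer -Expected $PublishedDigests
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning 'SHA-256 mismatch: do not run this installer.'
}
```

A match confirms the file is the one these digests describe; obtain the digests over a trusted connection to this page so that the comparison is meaningful.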

Is my system compatible with KMA?

The following operating systems and browsers are compatible with KMA:





MS Edge

Windows 10     Yes    Yes    Yes
Windows 8.1    Yes    Yes    Yes

*If you use Firefox to download KMA for software certificates, the certificates will be imported into the OS key store.  Users will have to manually import the certificates into Firefox for 2FA into MAG.

Please note KMA cannot be downloaded using Internet Explorer (IE).

Downloadable Guides

FIS Product Guide: Full user guide on FIS product and how to download certificates. 

KMA Quick Guide: Quick guide on how to install KMA

KMA Release Notes

To view the release notes click here.

Common Errors

We encourage users to check whether the error they are seeing is listed below before reaching out to Exostar Customer Support.

Issue #1: I am trying to download the certificates and receive an error message:

This error displays when you attempt to download digital certificates and KMA™ is not downloaded.  Try to download KMA; if you are unable to download it, reach out to your system administrators to understand the policy for downloads.
