Information Technology Central Services at the University of Michigan

KX.509: X.509 certificates via Kerberos

KX.509: Convenient, Secure, Inter/Intra-Institutional Web Authentication

download kx.509 (for use on Windows with MIT's KfW)

(Installer for MSIE and optionally Netscape Browsers)
(MIT KfW K5)

download kx.509 (for use on Windows with MIT's KfW)

(Version KFWK5 #17)
(MIT KfW K5)

download kx.509 (for use on Windows with Microsoft's Pass-Thru Kerberos-5 Authentication)

(Version MSK5 #11)
(Microsoft K5)

download kx.509 source

KX.509 Project

KX.509 is an open source project designed to provide the University of Michigan with a secure means of acquiring short-term X.509 certificates that are Kerberos authenticated. See the download page for download links.

Features include:

  • KX.509 itself never needs passwords. Instead, one is expected to use one's password to obtain Kerberos tickets via other system software (e.g. Leash for KfW, Microsoft's GINA for Microsoft's Kerberos credential cache).
  • Users need only authenticate once per machine login to be able to silently authenticate to web servers that are using X.509 authentication, eliminating the need to volunteer one's password when solicited by web sites.
  • Since one's password is never offered, compromise of web servers that one has authenticated to doesn't compromise one's password.
  • Windows only -- When a certificate is about to expire, KX.509 attempts to automatically use current Kerberos tickets to acquire a new one. Depending on whether this succeeds or fails, KX.509 updates its Tray Icon to be either a green certificate (succeeded) or a red, crossed-out one (failed).
  • One's KX.509-acquired certificate is automatically removed when one logs out.

Contact: kx509-feedback at

KX.509 is freely available and distributed under an open source license: license.txt

KX.509 is included in the National Science Foundation Middleware Initiative (NMI) EDIT software release.