Exostar Key Management Agent™ (KMA)

What is KMA™?

Exostar Key Management Agent (KMA™) is a Java based application developed by Exostar. KMA™ replaces ActiveX as your tool for downloading digital certificates on your hardware token.

Users will need to use Exostar KMA™ to download and install certificates on to USB PKI hardware tokens (i.e., MLOA hardware). For Software or Disk-based PKI Identity and Email certificates you do not need to install and use KMA.
To self-check KMA™ click here.

Exostar offers various types of authenticators to access services including Managed Access Gateway (MAG). Some of the authenticators Exostar offers are:

USB PKI hardware tokens (Medium Level of Assurance MLOA hardware)
Software or Disk-based PKI Identity
Email certificate (Basic Level of Assurance BLOA software)
OTP hardware tokens and mobile application (phone-based OTP authenticators)

Who should install KMA™?

You will need to download and install KMA™ if you are:

A MAG user downloading digital certificates for hardware token for the first time
A MAG user renewing digital certificates for hardware token
An Enterprise Proofer

Level of Assurance	Requirements
Basic Level of Assurance (BLOA) Software BLOA SecureEmail Software	• Does not require in-person identity check (no proofing required) • User does not have to download KMA™ • Identity certificates are stored on the user’s computer
Medium Level of Assurance (MLOA) Software	• In-person proofing required • User does not have to download KMA™ • All 3 certificates (signature, identity and encryption) are installed on the user’s computer
Medium Level of Assurance (MLOA) Hardware	• In-person proofing required • User has to download KMA™ but can use any modern browser • All 3 certificates (signature, identity and encryption) are installed onto a USB token

How do I install KMA™?

The KMA™ application is packaged in a Microsoft Installer (MSI) file which will guide you through the setup process.

To download and install KMA™, click the link –
https://portal.exostar.com/kma/ExostarKeyManagementAgentDesktop-1.0.76.msi

To download and install Corporate KMA™, click the link – https://portal.exostar.com/kma/ExostarKeyManagementAgentDesktop-corporate-1.0.76.msi

KMA Version	Details
KMA Desktop	ExostarKeyManagementAgentDesktop-1.0.76.msi MD5: 0ca47d16eb1377ec5f0f9cd5497fdc69 ExostarKeyManagementAgentDesktop-1.0.76.msi SHA2: 128f74a20153fee07163e646205bf7ee99fe30a8fb3077e24c0098b025c026e5
KMA Corporate	ExostarKeyManagementAgentDesktop-corporate-1.0.76.msi MD5: 9f6d649220b3b2a026f4a1828cc8469f ExostarKeyManagementAgentDesktop-corporate-1.0.76.msi SHA2: 5dad2e91ca2b129a8622b99bf1d01ca4c0f12e5e137b1e26f1af3577566bc2b8
DMG	Exostar KMA-1.0.76.dmg MD5: b7cdd9be57c8d6bd9cd224589e92ea56 Exostar KMA-1.0.76.dmg SHA2: cb96fd9c40f339b7de9787dfd07ac145271e41dc6b159424ae4c166c2bde3a1d OSX download link: https://portal.exostar.com/kma/Exostar%20KMA-1.0.76.dmg

Is my system compatible with KMA™?

The following operating systems and browsers are compatible with KMA™:

Operating System	Chrome (132.0.6834.15)	MS Edge (131.0.2903.63)	Firefox* (132.0.2)
Windows 11	Yes	Yes	Yes
Windows 10	Yes	Yes	Yes
Windows 8.1	Yes	Yes	Yes

*NOTE: If you use Firefox to download KMA™ for software certificates, the certificates will be imported into OS key store. Users will have to manually import the certificates into Firefox for 2FA into MAG.

Frequently Asked Questions

I’ve already downloaded my hardware certificates, do I need KMA™?

No. This change does not affect existing users who have already downloaded their digital certificates.

Do I need Administrator rights to install KMA™?

No. However depending on your company IT rules you may or may not need Admin rights to download KMA to your computer.

What is the latest version of KMA™?

The latest version of Exostar’s KMA™ is 1.0.76.

I have to renew my digital certificates for hardware token, do I need KMA™?

Yes, you will need to install KMA™ before you can renew your certificates.

I use software certificates, do I need KMA™?

No, software certificates do not need to download KMA™.

I have to use the Thales eToken 5110+ (FIPS 140-2 Certified) token, do I need any software updates?

Yes, you will need two updates, please install the latest versions of these applications below:
1. Exostar SafeNet Client
2. Exostar KMA™

How do I self-check KMA™?

The self-test page will allow users to check their environment. It helps users to understand and perform the steps to download and install KMA™ on their own computers. It will also perform some nominal checks to ensure KMA™ is working properly. To self-check KMA™, please visit https://portal.exostar.com/credmgr/pages/myAccount/kma/.

Is KMA™ compatible with existing Smart Card readers installed in my system?

Yes. KMA operates properly when a Smart Card reader (including CAC Card readers) is installed in your system.

Does KMA™ work if your Smart Card (i.e., CAC card) is inserted in your system?

Yes. When you login KMA operates properly when the Smart Card itself (including CAC Card) is installed in your system. However during the MLOA Hardware token setup when you load your digital certificates, KMA does not recognize the token. For the token to be recognized, the Smart Card needs to be removed temporarily.

Common Issues

We encourage our users to check if any of the errors you are seeing is listed below before reaching to Exostar Customer Support.

Issue 1: I am trying to download the certificates and receive an error message

Error displays when you attempt to download digital certificates and the KMA™ is not downloaded. Try and download KMA™, if you are unable to download KMA™ reach out to your system administrators to understand the policy for downloads.

Issue 2: Is KMA™ software vulnerable to log4j issue CVE-2021-44228?

No, the current KMA™ version uses log4j v2.17.1 hence it is not vulnerable to above mentioned CVE. Make sure you are running latest version on KMA software.

Downloadable Guides

FIS Product Guide: Full user guide on FIS product and how to download certificates.

Updated on February 3, 2025

Was this article helpful?

Yes No