MultiCertKeyProvider is a KeyProvider plugin for KeePass.
This plugin returns a decrypted AES key to KeePass. The key is stored in an XML file ([database].kmx), encrypted with the X509 certificates (RSA keys) of one or more users. KeePass uses this AES key and possibly other specified parameters (password, file) to encrypt the passwords.
After an X509 certificate is selected, the plugin searches the XML file for the subject of the certificate, reads the corresponding entry containing the encrypted AES key, and decrypts it with the private key of the certificate.
Each XML entry in the XML file represents an AES key encrypted with an X509 certificate. The KeyManagerRSA application is available for managing the XML entries in the XML file.
Example of the content of a key file (simplified):

    <keys>
      <key>
        <subject>User 1</subject>
        <key>AESKey_encrypted_with_X509-Certificate</key>
      </key>
      <key>
        <subject>User 1+n</subject>
        <key>AESKey_encrypted_with_X509-Certificate</key>
      </key>
    </keys>
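The subject lookup described above can be sketched as follows. This is an added example, not the plugin's or KeyManagerRSA's own code, and it stops before the RSA decryption step. It assumes the simplified element names shown above and that the encrypted key is stored as base64 text; the function names and sample values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the simplified layout shown above. The base64 values
# are placeholders, not real RSA ciphertext.
SAMPLE_KMX = """
<keys>
  <key><subject>User 1 </subject><key>d3JhcHBlZC1rZXktMQ==</key></key>
  <key><subject>User 2</subject><key>d3JhcHBlZC1rZXktMg==</key></key>
  <key><subject>User 2</subject><key>bm90LXRoZS1zYW1l</key></key>
  <key><subject>User 3</subject><key>%%%not-base64%%%</key></key>
</keys>
"""

def load_entries(xml_text):
    """Return (subject, wrapped_key_text) for each top-level <key> entry."""
    root = ET.fromstring(xml_text)
    entries = []
    # findall("key") matches direct children only. root.iter("key") would also
    # return the inner <key> elements, because both levels share one tag name.
    for entry in root.findall("key"):
        subject = " ".join((entry.findtext("subject") or "").split())
        wrapped = (entry.findtext("key") or "").strip()
        entries.append((subject, wrapped))
    return entries

def find_wrapped_key(xml_text, subject):
    """Return the wrapped AES key bytes stored for exactly one matching subject."""
    wanted = " ".join(subject.split())
    matches = [w for s, w in load_entries(xml_text) if s == wanted]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries for subject {wanted!r}")
    # Assumption: the ciphertext is stored as base64 text.
    return base64.b64decode(matches[0], validate=True)

def audit(xml_text):
    """List problems that would make the subject lookup fail or be ambiguous."""
    entries = load_entries(xml_text)
    counts = Counter(s for s, _ in entries)
    issues = [f"duplicate subject: {s}" for s, n in counts.items() if n > 1]
    for subject, wrapped in entries:
        try:
            if not base64.b64decode(wrapped, validate=True):
                issues.append(f"empty key: {subject}")
        except ValueError:
            issues.append(f"undecodable key: {subject}")
    return issues
```

Because every entry is a separate copy of the same AES key, the list of subjects in the file is also the list of certificates that can unlock the database, so the audit output is worth reviewing whenever entries are added or removed.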