Smartcards and PKCS #11 are an appealing solution for combined storage and certificate management at the enduser level. Many applications use PKCS #11 primitives for security reasons: a popular browser, like Netscape Navigator contain a PKCS #11 cryptographic module that plays a critical role in secure web surfing and e-mail signing and encryption. Nevertheless, most market-ready solutions ([SMARTSIGN], [GPKPKCS#11], [SLBCBPKCS#11]) use non-programmable cards or else do not exploit the card's programmable capabilities. Instead they utilize cryptographic functions built into the card. This results in applications having the card manufacturer's semantics instead of PKCS #11 semantics.In this article we present our work: Java Card Certificate Management (JCCM). JCCM moves PKCS #11 middleware into the card itself. This results in greater flexibility and less implementation dependence for applications. We have developed JCCM for two cards: the GemXpresso RAD 211is and the Cyberflex for Linux Starter's Kit 2.1. We have also developed the corresponding dynamic library for Netscape enabling our endusers to use JCCM in their daily.