Creating and using an X.509 certificate

The c2patool uses some custom properties in the manifest definition file for signing:

private_key: Path to the private key file.
sign_cert: Path to the signing certificate file.
alg: Algorithm to use, if not the default ES256.

Both the private key and signing certificate must be in PEM (privacy-enhanced mail) format. The signing certificate must contain a PEM certificate chain starting with the end-entity certificate used to sign the claim ending with the intermediate certificate before the root CA certificate.

If the manifest definition file doesn't include the sign_cert and private_key properties, c2patool uses a built-in certificate and private key. An example certifcate and private key file are also provided in the c2patool repo sample folder.

If you are using a signing algorithm other than the default es256, specify it in the manifest definition field alg with one of the following values:

ps256
ps384
ps512
es256
es384
es512
ed25519

The specified algorithm must be compatible with the values of private key and signing certificate. For more information, see Signing manfiests.

Instead of specifying the values in manifest definition file properties, you can put the values of the key and cert chain in two environment variables: C2PA_PRIVATE_KEY for the private key and C2PA_SIGN_CERT for the public certificates. For example, to sign with ES256 signatures using the content of a private key file and certificate file:

set C2PA_PRIVATE_KEY=$(cat my_es256_private_key)
set C2PA_SIGN_CERT=$(cat my_es256_certs)