Skip to main content

Getting and using a signing certificate

Overview

For convenience, C2PA Tool, the Rust library, and the CAI prerelease libraries include one or more test certificates and private keys for use during development, typically in the tests/fixtures directory. While these test certificates and keys are useful during development and testing, for production deployment you must use your own private key and certificate.

Certificates and private keys are often stored on a hardware security module (HSM), a physical device that attaches directly to a computer or server and is used to securely manage and perform operations on cryptographic keys. A Key Management Service (KMS) is software used to manage keys in a networked environment. A KMS can be connected to a HSM for extra security. For example, the Python example application uses AWS KMS.

Purchasing a certificate

To create or modify Content Credentials, you must have a valid X.509 v3 security certificate and key that conform to the requirements laid out in the C2PA specification. You must purchase a certificate from a certificate authority (CA). There are many CAs; some popular ones are listed in Getting started.

When you purchase a certificate, you must select at least one of the extended key usage (EKU) fields that specify what the certificate can be used for: email protection and document signing. Applications that use the CAI SDK won't accept the certificate unless it has one of these EKUs.

The process to purchase a certificate and key is different for each CA: You might be able to simply click a "Buy" button on the CA's website. Or your can make your own key and use it to create a certificate signing request (CSR) that you send to the CA (see below). Regardless of the process, what you get back is a signed certificate that you use to create a certificate chain.

The certificate chain starts with the certificate from the last tool that signed the manifest (known as the "end-entity") followed by the certificate that signed it, and so on, back to the original CA issuer. This enables a validating application to determine that the manifest is valid because the certificate chain goes back to a trusted root certificate authority.

Certificate signing requests (CSRs)

A CSR is just an unsigned certificate that's a template for the certificate that you're requesting. The CA creates a new certificate with the parameters specified in the CSR, and signs it with their root certificate, which makes it a valid certificate.

A CSR comprises a public key, as well as "distinguished name" information that identifies the individual or organization requesting the certificate. The distinguished name includes a common name, organization, city, state, country, and e-mail address. Not all of these fields are required and will vary depending with the assurance level of the desired certificate.

tip

For the C2PA Verify tool to display your organization name in the Content Credentials, your CSR must include the "O" or Organization Name attribute in the distinguished name information. See below for details.

You sign the CSR with your private key; this proves to the CA that you have control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the public key to indicate that it can be publicly trusted.

Types of certificates

CAs offer a variety of different kinds of certificates (links below are to Digicert, but there are many other CAs):

Organization name

If you want the C2PA Verify tool to display your organization name in the Content Credentials, your certificate must include the "O" or Organization Name attribute (OID value 2.5.4.10) in the distinguished name information. The CA may require some validation steps to prove you are part of that organization (details vary by CA).

The C2PA Python example

The c2pa-python-example app provides an example of constructing a certificate signing request (CSR) and of using a certificate in a way suitable for a production environment.