
Issue C2PA claim signing certificates

To perform this action, you must have a user role that contains the Solution administrator permission.

This topic explains how to configure DigiCert​​®​​ Device Trust Manager and DigiCert CertCentral® to issue C2PA claim signing certificates and use them to sign and validate content.

C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard that embeds tamper-evident provenance metadata—called Content Credentials—into digital assets such as images and videos. It defines a framework for recording how content was created, edited, and verified, enabling consumers and platforms to distinguish authentic media from manipulated or AI-generated content.

For full specifications and tools, see:

Adding C2PA support to cameras gives manufacturers a strong competitive advantage. It allows them to embed secure, tamper-evident provenance the moment an image is captured—something only the camera hardware can provide.

Device Trust Manager supports issuing C2PA level 1 claim signing certificates, allowing manufacturers to integrate Content Credentials into camera and video devices.

Benefits

  • C2PA certificate issuance: Issue enterprise-grade C2PA level 1 claim signing certificates that embed signed authenticity data into images and videos.

  • On-camera signing: Store the certificate and private key on the device. Signing occurs locally; no cloud service is required.

  • Global trust infrastructure: DigiCert's C2PA root certificates are included in official C2PA Trust Lists, enabling instant recognition and immediate verification.

  • Custom PKI integration: Integrate with Device Trust Manager without changing your camera manufacturing process. It supports all major issuance protocols (EST, SCEP, ACME, CMPv2, or REST), so it fits seamlessly into your existing workflows.

  • Trusted timestamp authority: Add verifiable timestamps using DigiCert’s C2PA-compliant TSA.

Before you begin

  • Set up your account for C2PA: Contact your DigiCert account representative to set up your account for C2PA claim‑signing certificate issuance.

  • List your device in the C2PA Conforming Products List: Your device must be listed on the C2PA Conforming Products List before DigiCert can issue a C2PA claim‑signing certificate. For details, see C2PA Conformance Program.

  • Complete organizational validation: DigiCert must validate your organization, including verification that your device appears on the C2PA Conforming Products List.

    Important

    The organization name you submit to C2PA must exactly match the legal name registered with the government in your organization’s home country. DigiCert must confirm that your organization is officially registered and in good standing before issuing C2PA certificates that include your organization name.

  • Provision required certificate authorities: A DigiCert system administrator will add the RSA or ECC DigiCert Roots for C2PA and the DigiCert L1 Claim Signing ICAs for C2PA to your account. These are registered on the C2PA Trust List.

  • Review key Device Trust Manager concepts: Ensure you’re familiar with:

    If you are missing any of the above, contact your DigiCert account representative or DigiCert support.

Configure CertCentral and Device Trust Manager to issue C2PA certificates

Perform the following steps to configure CertCentral and Device Trust Manager to issue C2PA claim signing certificates.

Step 1: Set up CertCentral

  1. Sign in to CertCentral.

    If you don’t have a CertCentral account, create one using https://www.digicert.com/account/signup/standard/

  2. In CertCentral, in the left main menu, go to Certificates > Organizations.

  3. Create a new organization or edit an existing one.

  4. Save the organization details.

    Note

    Ensure the organization details you provide in CertCentral exactly match the information registered in the C2PA Conforming Products List.

  5. In CertCentral, in the left main menu, go to Certificates > Organizations.

  6. Open the organization and select Submit for organization validation:

    1. Enable the C2PA-C2PA Organization Validation checkbox.

    2. Select your generator product (synchronized daily from the C2PA Conforming Products List).

      Important

      You cannot submit your organization for C2PA validation unless the organization name in CertCentral exactly matches the name on the Conforming Products List.

    3. Select Submit for Validation.

You will be notified when validation is complete. Once validation is complete, proceed to Step 2.

Step 2: Create a CertCentral API key

  1. Sign in to DigiCert CertCentral®.

  2. In CertCentral, in the left menu, go to Automation > API Keys.

  3. On the API Keys page, select Add API Key.

  4. In the Add API Key window, enter a Description for the API key and select Add.

    The description could be the name of the app or the user you are linking the key to. For example, C2PA Connector Key.

  5. In the User menu, link the API key to either a Service User or Users.

  6. Leave the API key restrictions menu blank (None).

  7. Select Add API Key.

  8. In the New API Key window, copy the API Key.

  9. Save the API key in a secure location.

    Note

    API keys are shown only once. Do not leave this page until you have copied the API key and stored it in a secure location.

  10. After saving the API key (or keys), select I understand I will not see this again.

Step 3: Create a CA connector for CertCentral in Device Trust Manager

  1. Sign in to DigiCert ONE.

  2. In the Managers (grid icon) menu, select Device Trust.

  3. In the Device Trust Manager menu, go to Integrations > CA connectors.

  4. Select Create CA connector.

  5. Provide a Nickname.

    For example, C2PA Connector.

    Tip

    If your Device Trust Manager account requires more than one CA connector, give the CA connector a distinct and recognizable name so you can easily identify it when setting up certificate and enrollment profiles.

  6. Optionally, provide a description.

  7. For the CA source, select CertCentral API.

  8. Enter your CertCentral API key that you obtained in Step 2.

  9. Select Create CA connector.

Your newly created CA connector is listed under Integrations > CA connectors.

Step 4: Create a certificate profile and a certificate management policy

  1. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate templates.

  2. Select Create.

  3. Select the CA connector template that you created as part of Step 3, and proceed to the Certificate profile creation section.

    Tip

    By default, the CA connector templates are grouped under CertCentral API. Use the Filter to select CertCentral API from the dropdown box.

  4. Select Create certificate profile.

  5. Enter a Name for the certificate profile.

  6. For the CA connector certificate profile, select C2PA Generator from the dropdown list.

  7. Select which divisions can use this certificate profile.

    1. All divisions: The certificate profile is available for use by all divisions in the account, making it an account-wide profile.

    2. Specific divisions: Select one or more divisions that should have access to the certificate profile. The profile will only be available to the chosen divisions.

  8. Configure other parameters as needed. For example, you could customize the Signature algorithms, Certificate validity, and Renewal settings.

  9. When done, select Next to proceed to the Advanced certificate profile settings section.

  10. Under Advanced certificate profile settings, select the name of the organization.

    Note

    Only organization names that have been pre-validated for C2PA in your CertCentral account are listed.

  11. Select the Registered Product ID.

    Note

    This list includes product IDs from the C2PA Conforming Products List that match the selected organization.

  12. When done, select Next > Create to create the certificate profile and proceed to the Certificate management policy creation section.

  13. Enter a Name for the certificate management policy.

  14. Choose a Division to assign this certificate management policy.

  15. For the Certificate management model, select Policy will be used for certificate issuance only (this option requires an Essentials license).

  16. Select Single certificate request through portal and REST API for the Certificate management methods.

  17. When done, select Next to proceed to the Certificate settings section.

  18. Verify the summary of the certificate profile settings you have selected.

  19. When done, select Next > Create certificate management policy to create a certificate management policy.

Request a claim signing certificate

Important

The C2PA Certificate Policy prohibits the CA from generating private keys for claim signing certificates. You must generate the private key and submit a Certificate Signing Request (CSR).

  1. In the Device Trust Manager menu, go to Certificate management > Certificates.

  2. Select Certificate Actions > Request a certificate.

  3. Under the Certificate management policy dropdown box, select the certificate management policy you have created earlier as part of Step 4.

  4. Under I have the keypair and will provide the CSR or public key in the request, upload a CSV file or a zipped CSV containing the required data.

  5. When done, select Submit certificate request.

To generate an ECC P-256 key pair and CSR:

openssl ecparam -name prime256v1 -genkey -noout -out key.pem
openssl req -new -key key.pem -out csr.pem

Important

Any values you include in your CSR (such as CN, O, and C) will be overridden by the certificate policy settings you have defined. This is intentional, to ensure your certificate complies with the C2PA Certificate Policy.

Key details:

  • Subject Name: The C (Country), O (Organization), and CN (Common Name) will match the Conforming Products List (CPL) entry for your product.

  • Key Usage:

    • digitalSignature

    • nonRepudiation

  • Extended Key Usage:

    • claimSigning

    • emailProtection or documentSigning

  • Certificate Policies:

    • Includes: 1.3.6.1.4.1.62558.1.1

    • 1.3.6.1.4.1.62558.3 is set to: 1.3.6.1.4.1.62558.10

    • 1.3.6.1.4.1.62558.4 is set to the Record ID (UUID) from your product’s CPL entry
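As an added example (not DigiCert tooling or the page's own script), the following POSIX shell functions generate the P-256 key and CSR exactly as shown above and then inspect an issued certificate for the key details listed here (key type, key usage, extended key usage, the C2PA policy OID, and the presence of the 1.3.6.1.4.1.62558.3 and .4 extensions). It requires the openssl CLI; the self-signed test certificate it builds is a constructed stand-in for a DigiCert-issued certificate, and the ASN.1 encodings chosen for the .3 and .4 extensions, as well as the all-zero UUID, are assumptions for the test rather than details taken from this page.

```shell
#!/bin/sh
# Added example (not DigiCert tooling). Generates the P-256 key and CSR the page
# shows and checks a PEM certificate for the attributes listed under "Key details".
# The self-signed test cert below is a constructed stand-in; its extension
# encodings (OID / UTF8String) and the zero UUID are assumptions, not from the page.
set -eu

gen_key_and_csr() {            # $1 = working directory
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
  # Subject values are overridden by the certificate profile, so keep it minimal.
  openssl req -new -key "$1/key.pem" -subj "/CN=placeholder" -out "$1/csr.pem"
  openssl req -in "$1/csr.pem" -noout -verify >/dev/null 2>&1
}

# Returns 0 if every expected attribute is present, 1 otherwise (one FAIL line each).
check_c2pa_cert() {            # $1 = PEM certificate
  txt=$(openssl x509 -in "$1" -noout -text)
  rc=0
  has() { case "$txt" in *"$1"*) return 0 ;; *) return 1 ;; esac; }
  has "prime256v1"            || { echo "FAIL: key is not P-256"; rc=1; }
  has "Digital Signature"     || { echo "FAIL: no digitalSignature key usage"; rc=1; }
  has "Non Repudiation"       || { echo "FAIL: no nonRepudiation key usage"; rc=1; }
  # emailProtection or documentSigning (id-kp-documentSigning = 1.3.6.1.5.5.7.3.36);
  # OpenSSL prints the latter by name or as a dotted OID depending on version.
  has "E-mail Protection" || has "Document Signing" || has "1.3.6.1.5.5.7.3.36" \
    || { echo "FAIL: no emailProtection/documentSigning EKU"; rc=1; }
  has "Policy: 1.3.6.1.4.1.62558.1.1" || { echo "FAIL: C2PA policy OID missing"; rc=1; }
  # Presence only: decoding these two extension values needs an ASN.1 parser.
  has "1.3.6.1.4.1.62558.3"   || { echo "FAIL: 1.3.6.1.4.1.62558.3 extension missing"; rc=1; }
  has "1.3.6.1.4.1.62558.4"   || { echo "FAIL: CPL record ID extension missing"; rc=1; }
  return $rc
}

# Constructed self-signed test certificate; NOT a DigiCert-issued claim signing cert.
make_test_cert() {             # $1 = directory holding key.pem and csr.pem
  cat > "$1/ext.cnf" <<'EOF'
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection
certificatePolicies = 1.3.6.1.4.1.62558.1.1
1.3.6.1.4.1.62558.3 = ASN1:OID:1.3.6.1.4.1.62558.10
1.3.6.1.4.1.62558.4 = ASN1:UTF8String:00000000-0000-0000-0000-000000000000
EOF
  openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 1 \
    -extfile "$1/ext.cnf" -out "$1/cert.pem" 2>/dev/null
}
```

Run `check_c2pa_cert` against the PEM you download from Device Trust Manager; a missing item prints a FAIL line, which is the quickest way to confirm the profile was configured as described before deploying the certificate to a camera.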

Sign and validate the Image

  1. Sign the image

    Use the C2PA tool (or your own tool) to sign the image with the claim signing certificate issued by DigiCert.

  2. Validate the image

    Upload the signed image to C2PA Verify to confirm that the signature is valid.

FAQs

Are there API limits for requesting C2PA certificates?

  • Device Trust Manager: No API limits

  • CertCentral: API rate limits apply per API key:

    • 100 requests per 5 seconds (burst limit)

    • 1000 requests per 3 minutes (rolling window)

For more details, see Rate Limits.
