Digital certificates in C2PA
C2PA signing uses certificates and private keys to bind a manifest to media. C2PA Signer supports test certificates for demos and may use imported signing material for controlled workflows.
Certificate roles
What certificates prove and what they do not
Signature binding
A certificate helps verify that the manifest signature matches the public key associated with the signing material.
Chain context
The certificate path helps determine whether a signature can be linked to a recognized public trust source.
Not a truth verdict
A valid certificate does not prove that visual content is true. It supports provenance and integrity review.
Signing material
Test certificates and imported certificates
| Type | Use case | Trust implication |
|---|---|---|
| Test certificate | Demos, development, internal validation and learning workflows. | Not public production trust. It should usually appear as Signed but untrusted. |
| Imported .p12 / .pfx | Controlled signing workflows with existing signing material. | Trust depends on certificate properties and whether the chain is recognized. |
| Hardware-backed material | Planned support for security token, smart card or managed key workflows. | Will improve key handling when available, but public trust will still depend on the certificate chain. |
Private keys should be handled carefully. Do not import production signing credentials into environments you do not control. Test certificates are for demos and development only.
Report fields
What to inspect in certificate details
Who the certificate identifies and which authority issued it.
Whether the certificate is valid for the time being evaluated.
Whether certificate properties are compatible with the signing workflow.