DocsCertificates
Certificates

Digital certificates in C2PA

C2PA signing uses certificates and private keys to bind a manifest to media. C2PA Signer supports test certificates for demos and may use imported signing material for controlled workflows.

Certificate roles

What certificates prove and what they do not

Signature binding

A certificate helps verify that the manifest signature matches the public key associated with the signing material.

Chain context

The certificate path helps determine whether a signature can be linked to a recognized public trust source.

Not a truth verdict

A valid certificate does not prove that visual content is true. It supports provenance and integrity review.

Signing material

Test certificates and imported certificates

TypeUse caseTrust implication
Test certificateDemos, development, internal validation and learning workflows.Not public production trust. It should usually appear as Signed but untrusted.
Imported .p12 / .pfxControlled signing workflows with existing signing material.Trust depends on certificate properties and whether the chain is recognized.
Hardware-backed material SoonPlanned support for security token, smart card or managed key workflows.Will improve key handling when available, but public trust will still depend on the certificate chain.
Private key handling

Private keys should be handled carefully. Do not import production signing credentials into environments you do not control. Test certificates are for demos and development only.

Report fields

What to inspect in certificate details

01Subject and issuer

Who the certificate identifies and which authority issued it.

02Validity period

Whether the certificate is valid for the time being evaluated.

03Key usage and extensions

Whether certificate properties are compatible with the signing workflow.