Skip to main content

C2PA PKI Configuration Guide

This guide provides a step-by-step procedure for configuring OTPKI to issue certificates that conform to the Coalition for Content Provenance and Authenticity (C2PA) specification, version 2.x. C2PA is an open technical standard for attaching tamper-evident provenance metadata to digital media — images, video, audio, and documents. Every piece of C2PA-signed content is signed by a signer credential: an end-entity X.509 certificate that must meet the requirements described below.

X.509 Certificate Requirements for C2PA

C2PA defines strict requirements for all certificates in a signing chain (spec §14.5). End-entity signer certificates must additionally carry the c2pa-kp-claimSigning EKU (spec §14.4.1).

C2PA Root CA

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants)
subjectNameRequires C, O, CN attributes
issuerNameMatches subject name
validityPeriodLong-term, e.g. 20y
subjectPublicKeyInfoECDSA P-384/P-521, RSA ≥ 3072-bit
basicConstraintsMUST be present and MUST be critical; cA=TRUE, pathLenConstraint=2 or less
authorityKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
subjectKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
keyUsageMUST be present and MUST be critical; keyCertSign, cRLSign
certificatePoliciesoptional; critical=false
AIAMUST NOT be present
CDPMUST NOT be present

C2PA Claim Signing Issuing CA

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants)
subjectNameRequires C, O, CN attributes
issuerNameMatches subject name of Root CA
validityPeriodMax 1827 days
subjectPublicKeyInfoECDSA P-384/P-521, RSA ≥ 3072-bit
basicConstraintsMUST be present and MUST be critical; cA=TRUE, pathLenConstraint=0
authorityKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
subjectKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
keyUsageMUST be present and MUST be critical; keyCertSign, cRLSign
extendedKeyUsageMUST NOT be critical; MUST contain c2pa-kp-claimSigning in addition to at least one of id-kp-emailProtection, id-kp-documentSigning
certificatePoliciesMUST contain c2pa-certificate-policy OID (1.3.6.1.4.1.62558.1.1). Qualifiers optional; critical=false
AIAMUST be present (if CDP is not present); critical=false
CDPMUST be present (if AIA is not present); critical=false

C2PA TSA Issuing CA

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants)
subjectNameRequires C, O, CN attributes
issuerNameMatches subject name of Root CA
validityPeriodMax 5479 days
subjectPublicKeyInfoECDSA P-384/P-521, RSA ≥ 3072-bit
basicConstraintsMUST be present and MUST be critical; cA=TRUE, pathLenConstraint=0
authorityKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
subjectKeyIdentifierMUST be present (RFC 5280 Method 1 - SHA1)
keyUsageMUST be present and MUST be critical; keyCertSign, cRLSign
extendedKeyUsageMUST NOT be critical; MUST contain id-kp-timeStamping
certificatePoliciesMUST contain c2pa-certificate-policy OID (1.3.6.1.4.1.62558.1.1). Qualifiers optional; critical=false
AIAMUST be present (if CDP is not present); critical=false
CDPMUST be present (if AIA is not present); critical=false

C2PA OCSP Responder

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants)
subjectNameRequires C, O, CN attributes
issuerNameMatches subject name of signing ICA
validityPeriodSpecific dates set at generation (Max duration not specified by C2PA profile)
subjectPublicKeyInfoECDSA P-256/P-384/P-521, RSA ≥ 2048-bit
basicConstraintsMUST be present and MUST be critical; cA=FALSE
keyUsageMUST be present and MUST be critical; digitalSignature
extendedKeyUsageMUST NOT be critical; MUST contain id-kp-OCSPSigning
subjectKeyIdentifierMUST be present
authorityKeyIdentifierMUST be present
AIAMUST NOT be present
CDPMUST NOT be present

C2PA Claim Signing Leaf Certificates - Assurance Level 1

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants), Ed25519
subjectNameMust match C2PA Conforming Products List (CPL) entry. Requires C, O, CN attributes.
issuerNameMatches subject name of Claim Signing ICA
validityPeriodMax 366 days ⚠️
subjectPublicKeyInfoECDSA P-256/P-384/P-521, RSA ≥ 2048-bit, Ed25519
basicConstraintsMUST be present and MUST be critical; cA=FALSE
keyUsageMUST be present and MUST be critical; digitalSignature, nonRepudiation
extendedKeyUsageMUST NOT be critical; MUST contain c2pa-kp-claimSigning, SHOULD contain one of id-kp-emailProtection, id-kp-documentSigning for backwards compatibility
subjectKeyIdentifierMUST be present
authorityKeyIdentifierMUST be present
certificatePoliciesMUST contain c2pa-certificate-policy OID (1.3.6.1.4.1.62558.1.1). Qualifiers optional; critical=false
AIAMUST be present; accessMethod=id-ad-caIssuers. accessLocation must be HTTP URI
CDPSHOULD NOT be present
C2PA Assurance Level (id-c2pa-al)OID: 1.3.6.1.4.1.62558.3,
Value: 1.3.6.1.4.1.62558.3.10 (c2pa-assuranceLevel-1) ⚠️
C2PA CPL Record ID (c2pa-cpl-record)OID: 1.3.6.1.4.1.62558.4, Value: UTF8String (SIZE 36) containing UUID from CPL

C2PA Claim Signing Leaf Certificates - Assurance Level 2

x509 Field / ExtensionRequirement
versionv3
signatureAlgorithmECDSA (SHA2 variants), RSA (PSS or SHA2 variants), Ed25519
subjectNameMust match C2PA Conforming Products List (CPL) entry. Requires C, O, CN attributes.
issuerNameMatches subject name of Claim Signing ICA
validityPeriodMax 90 days ⚠️
subjectPublicKeyInfoECDSA P-256/P-384/P-521, RSA ≥ 2048-bit, Ed25519
basicConstraintsMUST be present and MUST be critical; cA=FALSE
keyUsageMUST be present and MUST be critical; digitalSignature, nonRepudiation
extendedKeyUsageMUST NOT be critical; MUST contain c2pa-kp-claimSigning, SHOULD contain one of id-kp-emailProtection, id-kp-documentSigning for backwards compatibility
subjectKeyIdentifierMUST be present
authorityKeyIdentifierMUST be present
certificatePoliciesMUST contain c2pa-certificate-policy OID (1.3.6.1.4.1.62558.1.1). Qualifiers optional; critical=false
AIAMUST be present; accessMethod=id-ad-caIssuers. accessLocation must be HTTP URI
CDPSHOULD NOT be present
C2PA Assurance Level (id-c2pa-al)OID: 1.3.6.1.4.1.62558.3,
Value: 1.3.6.1.4.1.62558.3.20 (c2pa-assuranceLevel-2) ⚠️
C2PA CPL Record ID (c2pa-cpl-record)OID: 1.3.6.1.4.1.62558.4, Value: UTF8String (SIZE 36) containing UUID from CPL
Revocation

C2PA requires OCSP-based revocation status — CRLs are not permitted by the specification (§14.5.2). Your Issuing CA should publish an OCSP responder and include the AIA extension in all issued signer certificates. Configure the AIA extension in the certificate profile and your CA's OCSP publishing settings.


Create an Issuance CA

Follow the 3-Tier PKI Tree Guide to build a Root CA, Claim Signing Issuing CA, and TSA CA. This is technically a 2-tier PKI, but both ICA and TSA CA will be issued by the Root CA for C2PA deployments:

Root CA  (Tier 1 — self-signed)
└── C2PA Timestamp Authority CA (Tier 2 — issues TimeStamp Signing certificates)
└── C2PA Claim Signing Issuing CA (Tier 2 — issues Claim Signing certificates)

Use ECDSA P-384 keys for all CAs. P-384 is recommended for the Root and Issuing CAs given their balance of cryptographic strength and performance.


Create the C2PA Signer Certificate Profile

Navigate to ProfilesCertificate Profiles and click Create. Configure a profile for the OCSP Responder and the two Assurance Levels for Claim Signers, as described above. Refer to the Certificate Profiles page for a full description of every profile field.


Next Steps

Once the profile is saved and the Issuing CA is active, signer credentials can be issued against this profile. The resulting certificate chain (end-entity + intermediate CA certs, excluding the Root CA) should be included in the x5chain COSE header of each C2PA Manifest that the signer produces, as required by §14.5 of the specification.