Is certificate expiration a problem ?

barber

Post by barber »

Hello,

I have some old DCPs whose certificates have now reached their end of validity. These are encrypted DCPs still in circulation in theaters, so I am wondering whether it could cause validation issues or completely prevent playback on some servers. The KDM service I use doesn't care about it and I can still issue KDMs. But a projectionist told me today that one of those DCPs could not be played; the error was "the content have not been validated".

Are you aware of what happens precisely when a certificate expires ?

Thanks in advance for your answers,
Dan
Carsten

Post by Carsten »

It entirely depends on the specific server and software, and also to some extent whether they are SMPTE or Interop.
If they are still circulating in theatres and are encrypted - are you able to create a new encrypted version? Which certs actually do expire?

- Carsten
barber

Post by barber »

Thanks Carsten. Yes, I'm able to create new versions, and I will if expired certs turn out to be a serious problem, but it promises to be a large amount of work as I have 3 000 encrypted DCPs (both Interop and SMPTE) and I have to figure out how many are affected or will be in the near future. That's why I'm looking to know the probability of such DCPs being problematic.
On the specific DCP that generated an error, the entire certificate chain in the PKL and CPL has expired.

Best,
Dan
carl
Site Admin

Post by carl »

It should be possible to make a fairly automated way to re-wrap DCPs using some combination of DCP-o-matic's command-line tools, if that's the part you are worried about.
IoannisSyrogiannis

Post by IoannisSyrogiannis »

I guess that would run via dcpomatic2_create.
Is that -more or less- something that is covered by combining the existing set of commands, or something to be implemented?

I guess that such matters arise, as content and technology are getting older.
Not only with DCP certificates, but with media blocks' ones also.
barber

Post by barber »

carl wrote: Tue Apr 26, 2022 5:50 pm It should be possible to make a fairly automated way to re-wrap DCPs using some combination of DCP-o-matic's command-line tools, if that's the part you are worried about.
Hi Carl, yes I would be interested in such a (semi-)automated way. Can the tools guess the container ratio or does it have to be scripted (using the name of the old DCP folder e.g.)?
My other main concern is to identify which DCPs have expired certs.
Carsten

Post by Carsten »

You should probably send one of these DCPs to Carl for him to take a look. Don't know if the CLI tools are ready in their current state for a full rewrap, but it probably shouldn't be complicated. I think ASDCP CLI tools should also be capable of this.

When were the earliest of these DCPs created? And was that with DCP-o-matic?

- Carsten
barber

Post by barber »

Hi Carsten,

The earliest DCPs are from 2012, created by various software: easyDCP, Wailua, Clipster, OpenCube, Doremi... but none with DOM. Most of their expiration dates seem to be at the end of 2021. I'll send one of them to Carl, yes.

Can the ASDCP tools alone re-sign an encrypted DCP and issue a new DKDM?

Best,
Dan
barber

Post by barber »

Another theater just told me they could not ingest a DCP - we've been distributing it since 2012 without any problem, but its certificates expired last December. It was created with OpenDCP.
For the record that theater has a Sony SRX-R320P. The DCP ingests and runs smoothly on our NEC NC900C with Doremi ShowVault.
Carsten

Post by Carsten »

I guess it's not easy to develop the proper strategy. You could just as well wait and recreate as issues come in.

- Carsten
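
For the question raised in the thread of identifying which DCPs carry expired certificates, here is one way to check a CPL or PKL offline. It is an added example, not code from the thread or from DCP-o-matic. It assumes the signer chain is embedded as XML-DSig `X509Certificate` elements in the signed CPL/PKL; the function names and the sample data are hypothetical. It reports expiry only, not how a particular server reacts to it.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter (UTC) of a DER X.509 certificate; no signature checks."""
    pos = _tlv(der, 0)[1]               # enter Certificate SEQUENCE
    pos = _tlv(der, pos)[1]             # enter tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # skip optional [0] version
        pos = end
    for _ in range(3):                  # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[1]             # enter validity SEQUENCE
    pos = _tlv(der, pos)[2]             # skip notBefore
    tag, start, end = _tlv(der, pos)    # notAfter
    utc = tag == 0x17                   # UTCTime has a 2-digit year
    t = datetime.strptime(der[start:end].decode("ascii"),
                          "%y%m%d%H%M%SZ" if utc else "%Y%m%d%H%M%SZ")
    if utc and t.year >= 2050:          # RFC 5280: YY >= 50 means 19YY
        t = t.replace(year=t.year - 100)
    return t.replace(tzinfo=timezone.utc)

def expired_certs(xml_text, now=None):
    """Return [(position, notAfter)] for embedded certs expired at `now`."""
    now = now or datetime.now(timezone.utc)
    certs = ET.fromstring(xml_text).iter(DSIG + "X509Certificate")
    ends = [not_after(base64.b64decode(c.text)) for c in certs]
    return [(i, t) for i, t in enumerate(ends) if t <= now]

# Constructed sample: a certificate skeleton (no subject, key or signature),
# valid 2012-01-01 to 2021-12-31, inside a minimal CPL-like signed document.
SAMPLE_DER = (bytes.fromhex("302e302ca00302010202010130003000301e170d")
              + b"120101000000Z" + bytes.fromhex("170d") + b"211231235959Z")
SAMPLE_CPL = ('<CompositionPlaylist xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
              "<dsig:Signature><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>"
              + base64.b64encode(SAMPLE_DER).decode()
              + "</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>"
              "</dsig:Signature></CompositionPlaylist>")
```

To survey a library, read each CPL and PKL file and pass its contents to `expired_certs`; passing a future date as `now` lists the certificates that will have expired by then.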