Is certificate expiration a problem ?

Anything and everything to do with DCP-o-matic.
igit
Posts: 18
Joined: Wed Sep 18, 2019 12:35 pm

Re: Is certificate expiration a problem ?

Post by igit »

there are 2 problems
1. the certificate that signed the encrypted DCP has expired - some movie servers show such a DCP without any problems, some give an error.
2. the problem is that DKDM can also be expired.
With EasyDCP, everything is simple - it creates a digest where encryption keys are stored in clear text and they do not have an expiration date, unlike KDM. There is a ruby ​​script with which you can extract the encryption keys and, for example, create a digest.
I see the problem with expired signature certificates only in the fact that it is better to make them immediately for 50-70 years, and for existing DCPs, just repack and re-sign with a new certificate.
I remember correctly that only CPL and PKL are signed by the certificate? and mxf files are simply encrypted with a 128bit key.
That is, in fact, you just need to re-sign the CPL PKL and make a new KDM - without changing the mxf yourself
Carsten
Posts: 2648
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Is certificate expiration a problem ?

Post by Carsten »

We actually ran into problems with signing certs extending into the 2040s already. We have two systems that deny playout when longer cert durations are used. Thus the default signing cert duration for DCP-o-matic has now been reduced into the 2030's.
barber
Posts: 46
Joined: Fri Apr 15, 2016 4:03 pm

Re: Is certificate expiration a problem ?

Post by barber »

Hi,
Yes, re-signing is easy with easyDCP but it cannot be done with their CLI so batch processing is not possible.
It would be possible to use openssl to at least detect the expired certs in a batch of DCPs - I have to check.

Do you have a link to the DKDM>Digest ruby script you're talking about, igit?

Best,
Dan
igit
Posts: 18
Joined: Wed Sep 18, 2019 12:35 pm

Re: Is certificate expiration a problem ?

Post by igit »

barber wrote: Tue Jul 26, 2022 3:24 pm Hi,
Yes, re-signing is easy with easyDCP but it cannot be done with their CLI so batch processing is not possible.
It would be possible to use openssl to at least detect the expired certs in a batch of DCPs - I have to check.

Do you have a link to the DKDM>Digest ruby script you're talking about, igit?

Best,
Dan
https://github.com/wolfgangw/digital_ci ... encryption
https://github.com/wolfgangw/digital_ci ... decrypt.rb
Post Reply