Re: Is certificate expiration a problem ?
Posted: Sat Jul 23, 2022 9:41 pm
there are 2 problems
1. the certificate that signed the encrypted DCP has expired - some movie servers show such a DCP without any problems, some give an error.
2. the problem is that DKDM can also be expired.
With EasyDCP, everything is simple - it creates a digest where encryption keys are stored in clear text and they do not have an expiration date, unlike KDM. There is a ruby script with which you can extract the encryption keys and, for example, create a digest.
I see the problem with expired signature certificates only in the fact that it is better to make them immediately for 50-70 years, and for existing DCPs, just repack and re-sign with a new certificate.
I remember correctly that only CPL and PKL are signed by the certificate? and mxf files are simply encrypted with a 128bit key.
That is, in fact, you just need to re-sign the CPL PKL and make a new KDM - without changing the mxf yourself
1. the certificate that signed the encrypted DCP has expired - some movie servers show such a DCP without any problems, some give an error.
2. the problem is that DKDM can also be expired.
With EasyDCP, everything is simple - it creates a digest where encryption keys are stored in clear text and they do not have an expiration date, unlike KDM. There is a ruby script with which you can extract the encryption keys and, for example, create a digest.
I see the problem with expired signature certificates only in the fact that it is better to make them immediately for 50-70 years, and for existing DCPs, just repack and re-sign with a new certificate.
I remember correctly that only CPL and PKL are signed by the certificate? and mxf files are simply encrypted with a 128bit key.
That is, in fact, you just need to re-sign the CPL PKL and make a new KDM - without changing the mxf yourself