The certificate chain

Anything and everything to do with DCP-o-matic.
gunnar
Posts: 81
Joined: Tue Apr 15, 2014 1:06 am

The certificate chain

Post by gunnar »

Hi,
About the certificate chain in DoM.
The default Organisation and Organisation unit is dcpomatic.com and other stuff there that says dcpomatic.com.
Can i rename those to my own website?
I took backup of the cinema and config file and then made a test, and did rename. Everything worked well, DKDM and KDM and all was still working.

But is this info there something that have to be or can i rename it to whatever i want?
Because when i then made update to the software then i had warning messages about this info was not how it should be.
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: The certificate chain

Post by Carsten »

As far as I know, you can put in it whatever you want when (re)creating the certificate. It is certainly advisable to put real/traceable information into it, so, not just a hypothetical <mypersonal.homepage.com>. It has no real technical implications. Chains are meant to trace back certification credibility, it has no implications on the technical aspects of encryption, decryption or KDMs.

You could, of course, apply for a 'real' personal certificate from one of the many authorities. However, some would probably need to publish some information on the do's and don'ts for this. Understanding these things so that you can make an educated decision probably needs a few hours worth of reading. Wolfgang Woehls pages have a few hints towards this, but they are not really a beginner's tale.

Just to make this sure - of course you can not mess with your certificate files/blocks in your config.xml, KDMs, etc. manually. The only way to add/change information is to recreate proper certs from within DCP-o-matic's certificate dialog in prefs. That makes sure your certs/chains are correct and work.

The recent certificate recreation popup after the upgrade was just a formal small issue with the signer certificate, Carl needed to get that straight for formal reasons.

If you do actual work with encryption and kdms, you should not change anything there lightheartedly, as it may ruin your work created previously and damage your reputation. No big deal to backup, do some tests with your own company data, the restore the previous certs. Once you know where you want to go, which domain to put in there (you will want to keep that domain registered to you forever), then draw a line and do a fresh start. Keep files on which work you did with which cert chain, etc. if possible.

- Carsten