"kdm was made for dcp-o-matic but not for its leaf certificate"
I am trying to open an encrypted DCP with a KDM I was issued. I get the error "kdm was made for dcp-o-matic but not for its leaf certificate".
What does it mean? Do I need to ask the issuer of the DKDM for a new DKDM (and what did they do wrong?), or can I subvert this somehow?
- Posts: 45
- Joined: Thu Feb 16, 2017 11:07 am
- Posts: 2804
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
In order for 'someone' to issue a KDM for your DCP-o-matic installation, you have to supply your DCP-o-matic certificate to them. You probably did that, but gave them the wrong certificate - maybe the root or intermediate certificate. In order to decrypt a DCP, it needs to be the leaf certificate.
That - or there is a bug in DCP-o-matic. I suggest you export the leaf certificate only, send it to them, and let them reissue the KDM.
- Carsten
- Posts: 45
- Joined: Thu Feb 16, 2017 11:07 am
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
Well, indeed, I sent them both my leaf certificate and the certificate chain (I saw it recommended here to send the whole chain, but apparently it has its own pitfalls).
Out of curiosity, how can I check which certificate it was issued against?
And also, what is the use of intermediate and root certificates then?
- Posts: 2804
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
The leaf certificate is immediately used for decryption. The intermediate and root certificates are only used to trace/reference the leaf certificate towards an authorization entity. They can be used to identify a leaf certificate to be trusted, but they are not involved in the actual process of decryption.
- Carsten
- Posts: 45
- Joined: Thu Feb 16, 2017 11:07 am
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
Indeed. But tracing the leaf certificate to an authorization entity only traces it to a self-signed certificate that is unique to my install (I can see why that is, due to DOM being open source).
Anyway, they issued the DKDM against my root certificate. Inside the DKDM, there was a line identifying it:
<ds:X509IssuerName>dnQualifier=sP5klKED5qrR3lni5Himr02XoFw=,CN=.dcpomatic.smpte-430-2.ROOT,OU=dcpomatic.com,O=dcpomatic.com</ds:X509IssuerName>
Also, when one exports the certificates from DOM one by one and then unpacks them with:
openssl x509 -in certificate.pem -text -noout >certificate.txt
one can see the fields
X509v3 Subject Key Identifier
X509v3 Authority Key Identifier:
to trace what was signed by what, and the line
Subject:
gives away if the certificate in question is root, intermediate or leaf.
So I will ask them to send me a new DKDM.
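The two points made in this thread (only the leaf certificate can decrypt, and the Subject/Authority Key Identifier fields tell you which tier an exported certificate belongs to) can be checked mechanically. The script below is an added example written for this thread, not DCP-o-matic code and not something any poster provided. It builds a throwaway three-tier chain of the same shape as a DCP-o-matic chain (root -> intermediate -> leaf) with the openssl command line, classifies each exported PEM from the same -text fields quoted above, and then shows which certificates a KDM whose <ds:X509IssuerName> names the ROOT could possibly refer to. The names example.ROOT, example.INTERMEDIATE and example.LEAF, the file names and the extension profiles are constructed sample values; real DCP-o-matic certificates also carry a dnQualifier, so their issuer strings are longer than the ones used here.

```shell
#!/bin/sh
# Added example (not DCP-o-matic code): build a constructed root/intermediate/leaf
# chain, classify each certificate from its key identifiers, and resolve a KDM
# issuer name against the chain. Requires the openssl CLI (1.1.1 or newer).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the CA tiers and for the leaf (assumed, not DOM's own).
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[leaf]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# Self-signed root: its Authority Key Identifier points back at its own key.
openssl req -new -x509 -config "$WORK/ext.cnf" -extensions ca \
  -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -days 365 -subj "/O=example/CN=example.ROOT" 2>/dev/null

# sign <stem> <CN> <issuer stem> <extension section>: issue a child certificate.
sign() {
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/O=example/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}
sign inter example.INTERMEDIATE root ca     # intermediate, signed by the root
sign leaf  example.LEAF         inter leaf  # leaf, signed by the intermediate

# keyid <pem> Subject|Authority: the hex key identifier from the -text dump.
# Older openssl prefixes the authority value with "keyid:"; strip it.
keyid() {
  openssl x509 -in "$1" -noout -text \
    | sed -n "/X509v3 $2 Key Identifier/{n;s/^[[:space:]]*//;s/^keyid://;p;}"
}

# classify <pem>: prints root, intermediate or leaf.
classify() {
  ski=$(keyid "$1" Subject)
  aki=$(keyid "$1" Authority)
  if [ -n "$ski" ] && [ "$ski" = "$aki" ]; then
    echo root             # signed by its own key: the self-signed anchor
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo intermediate     # a CA, but issued by a different key
  else
    echo leaf             # not a CA: the only one a KDM can be made for
  fi
}

# kdm_recipients <issuer DN> <pem>...: which PEMs could a KDM naming this
# issuer refer to? A KDM identifies its recipient by issuer DN (RFC 2253
# order, as in <ds:X509IssuerName>) plus serial number; matching on the DN
# alone already shows that a ROOT issuer can never select the leaf.
kdm_recipients() {
  want=$1; shift
  for pem in "$@"; do
    have=$(openssl x509 -in "$pem" -noout -nameopt RFC2253 -issuer | sed 's/^issuer= *//')
    [ "$have" = "$want" ] && basename "$pem"
  done
  return 0
}

for f in root inter leaf; do
  printf '%s: %s\n' "$f.pem" "$(classify "$WORK/$f.pem")"
done
echo "A KDM with issuer CN=example.ROOT,O=example can only be for:"
kdm_recipients 'CN=example.ROOT,O=example' "$WORK"/*.pem
```

Run against your own exported certificates by pointing classify at each PEM instead of the constructed ones; a KDM made for the leaf must name the intermediate (not the root) as issuer, and the leaf's Authority Key Identifier must equal the intermediate's Subject Key Identifier.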
- Posts: 2804
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
In general, it is safer to only supply the leaf certificate (also for projection equipment). If they need the full chain, they will usually request it specifically, or they have means to obtain it from the equipment manufacturer via their TDL databases.
- Carsten
- Posts: 45
- Joined: Thu Feb 16, 2017 11:07 am
Re: "kdm was made for dcp-o-matic but not for its leaf certificate"
Yes, I have seen this advice on the forum after searching for it; it comes up fairly frequently. Unfortunately, I only did that search now; before, I had read only one thread where they specifically asked for the whole thing. Well, at least now I know something about certificates :-).