FAQs: Certificates

The content decryption context menu is only available in the

  • easyDCP Creator+
  • easyDCP Player+
  • easyDCP KDM Generator+

The option

(File ->) Content Decryption -> Export Public Server Certificate

will copy both the public leaf certificate (easydcpcreator_.cert.sha256.crt) and the signature chain (easydcpcreator _.chain.sha256.pem) to the selected folder. The signature chain contains the leaf certificate as well as intermediate certificates and the root certificate. You may safely distribute these certificates to content providers who want to issue a Distribution KDM to your easyDCP + installation.

When issuing (D)KDMs with easyDCP KDM Generator+, place only the leaf certificate file (*.crt) into the server certificate’s folder or just drag and drop it into the corresponding input form.

HINT: Every easyDCP Application uses different Server Certificates. KDMs issued for one easyDCP application cannot be used in any other easyDCP application.  

One easyDCP software license can be installed only on one computer system.

However, if you need to move the easyDCP license to another computer or operating system you can do this easily using Migration function in the web shop:

  1. Login in your account at www.easyDCP.com
  2. Select license status
  3. Select the product you need to migrate
  4. Select: "migrate license"

easyDCP Resolve Plug-In customers can get additional important informations for migration here

After the migration is complete you can generate a new license for the new ware system. Please refer to the following FAQ on how to activate your product.

Note:

  • There is a limit of one automatic migration in six months. If you require a second migration within the six months period, please inform us via email why it´s necassary.
  • Since server certificates are tied to the system hash, they become inaccessible after a migration. New certificates will be automatically created, but all KDMs issued to the old cerificates will no longer be accessible. Please check our FAQ: Server- and Signer- Certificates.

Migration with older Versions: For version easyDCP Creator(+)2.1.X and older, easyDCP Player(+)1.9.X and older, and easyDCP KDM Generator(+)1.47 and older, be prepared to use the new hashcode of your target hardware/software.

Different versions of easyDCP can be installed side-by-side

However be aware that the all share the same user application data folder, where state settings, KDMs, server and signer certificate and license are stored.  

easyDCP Creator(+) from 2.2.X, easyDCP Player(+) from 2.0.X and easyDCP KDM Generator(+) from 1.4.1X and above can be directly activated from within the application.

Please watch our video tutorial or proceed as follows:

  1. Download and install the latest installer from your account at www.easyDCP.com license status.
  2. Select in the installed easyDCP application at "Help" the function "Request License & Certificate" (or use F3) 
  3. Fill out the form according to the instructions displayed and select "Send request"
  4. Your license-and-certificate-request will be processed after you log in. 
  5. Then you can download your "License & Certificate" Data Set in the license status pane and install them via Drag and Drop into your easyDCP application.
    Alternatively, you may store the license-and-certificate file (*.easydcp) to a disk and import it into the corresponding easyDCP application using "?">"Import License & Certificates" (or press F4). 

 

Note: This way of activating your easyDCP Product is only available from easyDCP Creator(+) 2.2.X, easyDCP Player(+) 2.0.X and easyDCP KDM Generator(+) 1.4.1X or higher.

  • If you use an another easyDCP version, you find help here.
  • If you use an easyDCP Resolve Plugin version, you find help here.
  • If you use an easyDCP SAM Rio Plugin version, you find help here.

DKDMs are used for the exchange of encrypted DCPs between postproduction houses. Processing DKDMs needs the same operation and security requirements that are used in the creation and operation of KDMs for the digital cinema.
easyDCP Creator+ enables to encrypt digital cinema content and the standard accessory easyDCP KDM Generator generates KDMs and DKDMs for the transfer of digital cinema content to postproduction houses or cinemas.

For further information please refer to:

For automatic generating and distribution of KDMs the online service KDM Studio is available at www.dcptools.com. 
KDM Studio is developed by the DCPtools Team based on easyDCP KDM Gnerator+.

Print this page as document

Recommendation: security backup for (D)KDMs

Affects all Users of easyDCP KDM Generator+

 

This page contains:

1 Licenses and Certificates

2 Threat of loss of all (D)KDMs caused by hardware change / fault

3 Create a Backup machine using a Complimentary License

4 Workflow Description

4.1 Standard (D)KDM Generation Process

4.2 Recommended Workflow utilizing a Backup Unit (BU)

4.3 Using the Backup Unit to recover (D)KDMs

5 How to activate your complementary license for easyDCP KDM Generator+ Backup

 

1 Licenses and Certificates

In order to run properly, each installation of easyDCP KDM Generator+ needs three different sets of files issued separately for each installation:

  1. License – enables all commercial features
  2. Signer Certificates – required to digitally sign (D)KDMs issued with the software
  3. Server Certificates – An identification of the particular hardware easyDCP KDM Generator+ is installed on. (D)KDMs are issued for certain Server Certificates

During the activation process all of those files are generated using appropriate functions in the easyDCP web shop at http://www.easyDCP.com. Licenses and Server Certificates are bound to the particular hardware easyDCP KDM Generator+ is running on. Signer certificates are not tied to the hardware.

 

2 Threat of loss of all (D)KDMs caused by hardware change / fault

Important: If some hardware components in the production machine are changed or the machine stops operating at all, the license and server certificates will not work anymore. Using the migration function in the easyDCP web shop, a license can be ported to another machine. However, a server certificate cannot be used on another hardware. Likewise, it is not possible to re-use the certificates if certain hardware components get replaced on the system. And once the server certificates cannot be used anymore.

ALL (D)KDMs ISSUED FOR THESE SERVER CERTIFICATES ARE LOST AND CANNOT BE RECOVERED.

 

3 Create a Backup machine using a Complimentary License

We recommend our easyDCP KDM Generator+ customers to set-up a second computer serving as backup machine for their (D)KDMs. If used properly, existing (D)KDMs can be recovered and ported to a fresh installation, in case the production machine is not working anymore. The set-up is simple and your existing (D)KDM workflow requires only small changes.

  1. Every easyDCP KDM Generator+ client gets a complimentary license for a second installation of the software (called the Backup Unit - BU)
  2. From now on, we recommend to issue a backup DKDM for the Backup Unit once you receive a (D)KDM for your production system. For this, it is important that the Backup Unit must be installed on another physical hardware.
  3. Once the production machine stops working for some reason, all (D)KDMs can be recovered using the Backup Unit.

NOTE: You can use your existing easyDCP KDM Generator+ instance to issue backup-(D)KDMs of your existing (D)KDMs for your new backup easyDCP KDM Generator+ instance. This is a one-time-only job and should be performed as soon as possible.

 

4 Workflow Description

This chapter gives an overview over the recommended workflow when using two instances of easyDCP KDM Generator+ in parallel.

Figure 1 shows a block diagram comprising two activated instances of the software, both identified by their Server Certificate. As mentioned above, the Server Certificate is bound to a specific hardware and installation of the operating system and cannot be used on another installation.

Figure 1: Two activated instances of easyDCP KDM Generator+ running on different hardware

 

4.1 Standard (D)KDM Generation Process

Figure 2 shows one of the common applications using easyDCP KDM Generator+. Here, the Main Unit (MU) receives certain input data:

  1. A (D)KDM or easyDCP Digest from either the previous DCP compiling step or from another facility (step 1). An input (D)KDM can only be processed if it has been issued to the Server Certificate of the MU (compare Figure 1).
  2. Certificates from various Cinema Servers that serve to identify the output (D)KDM’s recipients (step 2).

Figure 2: Standard KDM generation process using one installation of easyDCP KDM Generator+

As result easyDCP KDM Generator+ generates a batch of KDMs for the selected Cinema Servers (step 3).

 

4.2 Recommended Workflow utilizing a Backup Unit (BU)

Based on the workflow described above, we recommend generating a Backup DKDM for the Backup Unit (BU) shown in Figure 1 whenever a new key is used as input format (step 1). Basically, the processing-steps are identical to the description given in 4.1, but instead of only ingesting certificates from the Cinema Servers we also point our Main Unit of easyDCP KDM Generator+ to the Server Certificate of our Backup Unit (Figure 3, step 2). By doing this, easyDCP KDM Generator+ issues a Backup DKDM that can be read from the Backup Unit later. In case the MU is not available anymore, the Backup KDM can be used to recover the original keys that were used to encrypt the DCP.

Figure 3: KDM Generation Process using the Backup Unit (BU)

 

4.3 Using the Backup Unit to recover (D)KDMs

In case of a hardware crash or when the system components used to assemble the Main Unit’s system hash change, it is possible that the Server Certificates of the Main Unit cannot be accessed anymore. In this case it is possible to move the main unit onto a new hardware or issue a new set of license and certificates for the new configuration of the main unit. In any case, the previous Main Unit’s Server Certificates must be replaced. Through the easyDCP-web shop it is possible to get new licenses and certificates on the fly. Indeed, none of the old (D)KDMs of the former Main Unit (MU) will work with the new installation, called New Main Unit (NMU) here, since the new Main Unit is identified by a new Server Certificate. In order to get (D)KDMs working on the NMU it is necessary to use the BU as shown in Figure 4. Please note that the BU of KDM Generator+ is used instead of the MU.

Figure 4: Issuing DKDMs for the New Main Unit (NMU) using the Backup Unit (BU)

By ingesting both, all Backup-KDMs (1) as well as the Server Certificate from the New Main Unit (NMU – step 2) new DKDMs for the New Main Unit are generated.

 

5 How to activate a complementary license of easyDCP KDM Generator+ Backup

Step 1. Download the easyDCP KDM Generator+ Installer for your target OS from your license status again and install it.

Step 2. Request a license and certificate and send it as usual to www.easyDCP.com (see also:How do I activate my easyDCP Product?.) 

Step 3. www.easydcp.com will offer you: "Activate your complementary license". Select it for activation.

Now your license status shows a new entry called: "easyDCP KDM Generator+ Backup"

Step 4: Download the license and certificate data set and import it into your easyDCP KDM Generator+ Backup system. 

NOTE: The complementary license is locked for migration. If you need to migrate your easyDCP KDM Generator+ Backup system please contact us at info@easyDCP.com

 

 

easyDCP applications require different kinds of certificates

Server Certificates:

Is required to be able to receive KDMs. If a partner wants to send you an encrypted DCP, they will need your public server certificate so that they can issue a DKDM for. 

Signer Certificate:

Will be used to digitally sign content of encrypted DCPs or KDMs. Generally, all DCPs should be digitally signed to ensure that they will be ingested without any problems into a digital cinema server. Only for unencryted DCPs with Interop conformity, a signature is optional.

 

Which easyDCP application needs which certificates?

Application

Signer Certificate

Server Certificate

easyDCP Creator

-

-

easyDCP Creator+

X

X

easyDCP KDM Generator

X

-

easyDCP KDM Generator+

X

X

easyDCP Player

-

-

easyDCP Player+

-

X

easyDCP JPEG2000 Transcoder

-

-

 

How you get your Signer- and Server- certificate?

From easyDCP Player 2.0.X, easyDCP Creator 2.2.X and easyDCP KDM Generator 1.4.15 

During „License & Certificate Request“ and activation via webshop www.easydcp.com Signer- and Server Certificates will be provided in "License & Certificate".

What kind of certificate are required, if at all, depends on the easyDCP application.

Older easyDCP versions

Please use license status on www.easydcp.com: New server certificate/manage certificate

 

How I can access to my previous Signer- and Server Certificates?

Please use license status on www.easydcp.com: Manage certificates
This option is available for customers with valid service extension

Comments:

  • If you update to a newer easyDCP version, previous certificates should be maintained. When filling in a new license & certificate request, you will be prompted to enter the password that protects your current certificate. If the password can be verified, the new request will contain information, that you don´t need a new certificate.
  • Server certificates are bound to the hardware via the system hash. If you migrate to another system, you always need new server certificates.
  • Signer certificates are bound to a person rather than to a system.  However, each " License and Certificate set" contains a new signer certificate for technical reasons.

Please note: Every "Certificate Request" will be secured with a password specified by you.

You select the password when you fill in the request and will be prompted to enter it again, whey you import the License & Certificate Set and whenever a KDM is accessed. 

The password cannot be recovered!

 

The procedure is different in every country. We can't send you the certificates.

  • The best way is to ask the cinema owners directly. They should have current certificates of their projection systems in their screening rooms or tell you the model and serial number.
  • Another idea is to contact the server vendors directly.
  • If you have the model and serial number, you can contact the manufacturer and ask for access to their database.

Usually, on the cinema server manufacturers' FTP servers you can find both the public server certificates and the signature chain that were used to sign the certificates.

If you decide to trust the certificate by examining the signature chain, you only need the server certificate to create a KDM. The server certificate usually has either a *.pem or a *.crt suffix.

easyDCP KDM Generator will accept either, but do not use both.

Furthermore, there may be pairs of certificate and chain that state "mpeg", "sha1" and "sha256".
Like with DCPs, there are SMPTE ("sha256") and Interop ("sha1" / "mpeg") KDMs.

Almost all modern cinema servers prefer SMPTE KDMs - even for Interop DCPs. So mostly the "sha256" version is used.

Only if you surely know your recipient only accepts Interop KDMs, use the "sha1" certificate and remember to check the "Enable Interop mode" option in the easyDCP KDM Generator's options tab.

Please see also: Where can I get the server certificates needed to create the KDMs?