Cryptographically prove your content is real, and that it came from you
C2PA and CAWG: the open standards for content authenticity
C2PA Certificate
Signs the C2PA content manifest, proves the credential hasn't been tampered with since it was attached
CAWG Certificate
Embeds verified organizational or individual identity into the C2PA manifest, proves the named entity created or endorses the content
Content Credentials use the C2PA standard and CAWG Certificates to embed tamper-evident provenance information directly into media files, photos, videos, audio, and documents. Two certificate types work together: C2PA Certificates sign the content credential itself, and CAWG Certificates bind your verified organizational or personal identity to that credential.
C2PA (Coalition for Content Provenance and Authenticity) is the technical standard for attaching cryptographically signed provenance information to media content. A C2PA manifest travels with the content file and records: who created it, when, with what tool, and whether it’s been modified since, all protected by a digital signature.
CAWG (Content Authenticity Working Group) extends C2PA with a specific mechanism for embedding verified organizational or individual identity, going beyond software tool attribution to assert who (as a legal entity) stands behind the content. Both standards are backed by Adobe, Google, Microsoft, Intel, BBC, Reuters, the New York Times, and many others.
New: C2PA Free Tier. Since May 2026, SSL.com offers a free tier for C2PA platform certificates: one Level 1 C2PA Claim Signing Certificate (valid 1 year) plus 10,000 trusted timestamps per year, issued via the SSL.com portal. Premium customers can buy Level 1 and Level 2 certificates as needed, with free re-issuance and bulk timestamp rates.
Apply for the C2PA Free TierC2PA Certificate vs CAWG Certificate
Level 1 and Level 2 C2PA Claim Signing Certificates
| Level | Description | Availability |
|---|---|---|
| Level 1 (software-based) | Manifests generated correctly and claims signed with valid certificates, with keys protected by standard software security practices. Typical for editing tools, cloud services, and software pipelines. | Free Tier (1 certificate / year) and Premium |
| Level 2 (hardware-backed) | Keys stored in secure hardware with a hardware root of trust and device/application attestation. Typical for cameras, smartphones, and trusted capture devices. | Premium only |
A complete content credential
└── C2PA Manifest (signed by C2PA Certificate)
├── Creation metadata (tool, timestamp, location)
├── Edit history (what was changed, when)
├── CAWG Certificate (verified creator/org identity)
└── AI disclosure (if AI-assisted or generated)
A viewer or platform that supports C2PA (Adobe Photoshop, Leica cameras, the Content Credentials verify tool, and growing platform support) can inspect this manifest: seeing a verified chain of custody from creation through any edits, with the creating organization’s identity confirmed by SSL.
Who needs content credentials?
News agencies & wire services
Sign photographs and video at point of capture: downstream publishers and platforms can verify provenance.
Broadcasters & publishers
Authenticate editorial content, distinguish human-created from AI-assisted content.
Individual journalists & photographers
Assert verified personal attribution: protect work from decontextualized re-sharing.
Brands & advertisers
Prove campaign creative is genuine, unaltered, and from the authorized brand.
AI content platforms
Disclose AI generation in a standardized, machine-readable way that complies with emerging regulations.
Camera manufacturers & capture tools
Embed C2PA credentials at the device level: provenance from the moment of capture.
Why SSL
Authorized C2PA certificate issuer
SSL is an authorized CA for C2PA certificate issuance, recognized by the C2PA specification.
CAWG Certificate issuer
CAI / C2PA ecosystem member
WebTrust audited (BDO)
In operation since 2002
C2PA Trust List CA
C2PA-compliant TSA operator
Frequently asked questions
Content Credentials are cryptographically signed provenance data attached to an image, video, audio file, or document, recording who created it, when, with what tools, and whether it has been altered since. They give audiences a verifiable way to tell authentic content from AI-generated or manipulated media.
A C2PA Certificate signs the content manifest, proving the credential is authentic and unaltered. A CAWG Certificate embeds a verified organizational or individual identity inside that manifest, asserting who created the content. They work together: the CAWG assertion lives inside a C2PA-signed manifest.
Yes. Since May 2026 the C2PA Free Tier includes one Level 1 Claim Signing Certificate (valid 1 year) plus 10,000 trusted timestamps per year, issued via the SSL.com portal. Premium adds Level 1 and Level 2 certificates as needed, free re-issuance, and bulk timestamp rates.
Level 1 is software-based: manifests are signed with valid certificates whose keys are protected by standard software security, typical for editing tools and cloud services. Level 2 is hardware-backed: keys live in secure hardware with a hardware root of trust and device attestation, typical for cameras and capture devices. Level 1 is available on the Free Tier and Premium; Level 2 is Premium only.
Adobe Photoshop, Lightroom, and Firefly embed C2PA Content Credentials natively, and the open-source c2patool signs and verifies manifests in any workflow. Cameras such as Leica and Sony can capture with embedded credentials, and platforms including LinkedIn and Google are rolling out credential display. Anyone can verify content at verify.contentauthenticity.org.
Without a trusted timestamp, a manifest stops being valid once the signing certificate expires or is revoked. A timestamp from SSL.com’s RFC 3161 Time Stamping Authority lets a validator confirm the claim was signed while the credential was valid, so the manifest can be validated indefinitely.
Yes. SSL.com issues both C2PA certificates and CAWG certificates under its publicly trusted, WebTrust-audited PKI, with its roots included in the C2PA Trust List, and participates in the Content Authenticity Initiative (CAI) and the C2PA working group.
