C2PA Certificates
Sign content credentials that travel with every photo, video, and document you publish
What is a C2PA Certificate?
A C2PA (Coalition for Content Provenance and Authenticity) Certificate is a digital certificate used to sign a C2PA manifest, the structured provenance record embedded in a media file. The certificate proves that the manifest was created by the named entity and hasn't been tampered with since signing.
When a platform, viewer, or tool inspects a content credential, it validates the C2PA certificate signature, confirming the credential is authentic and unaltered.
A C2PA Certificate lets you attach a cryptographically signed provenance record, a “content credential”, to any media file. Anyone who receives the file can verify its origin, check whether it’s been altered, and see an auditable chain of custody from creation to distribution. Built on the open C2PA standard, backed by Adobe, Google, Microsoft, BBC, Reuters, and the Content Authenticity Initiative.
Start Free
Assurance levels & tiers
| Level | What it means | Typical use |
|---|---|---|
| Level 1 (software-based) | Manifests generated correctly and signed with valid certificates; keys protected by standard software security practices | Editing tools, cloud services, software pipelines |
| Level 2 (hardware-backed) | Keys in secure hardware with a hardware root of trust and device/application attestation, verified by the CA during enrollment | Cameras, smartphones, trusted capture devices |
| Feature | Free Tier | Premium Tier |
|---|---|---|
| Level 1 Claim Signing Certificate | 1 certificate, valid 1 year | As many as needed |
| Free re-issuance | No | Yes |
| Timestamps for long-term validation | 10,000 / year included; on-demand for more | Bulk rate, buy as needed |
| Level 2 (hardware-backed) certificates | No | Yes, including device certificates |
| Issuance via SSL portal | Yes | Yes |
| Conformance program support & enterprise services | No | Included / available |
C2PA assurance levels describe how much confidence can be placed in the system that generated and signed the Content Credentials. Choose the level and tier that fit your workflow. The Free Tier requires a valid C2PA conformance record ID at application; Premium is the path if you need Level 2, device certificates, conformance program support, or C2PA advisory.
Key benefits
Provenance from creation
Attach a signed credential at the moment of capture or creation, establishing an unbroken chain of custody.
Tamper detection
Any modification to the file after credentialing breaks the manifest signature, detectable by any C2PA-aware viewer.
Long-term validity
Pair with trusted timestamps from SSL's TSA so manifests stay valid even after the signing certificate expires or is revoked.
AI disclosure
Disclose AI generation or AI assistance in a standardized, machine-readable format, meets EU AI Act and emerging platform requirements.
Open standard
C2PA is supported by Adobe, Google, Microsoft, Intel, BBC, Reuters, Nikon, Leica, and hundreds of other Content Authenticity Initiative members.
Verifiable anywhere
Content credentials can be verified at verify.contentauthenticity.org and in C2PA-aware tools, no proprietary verification system required.
Issued by a Trust List CA
SSL is an authorized C2PA certificate issuer whose roots are in the C2PA Trust List, so credentials signed with SSL certificates are recognized across the C2PA ecosystem.
Who is it for?
News agencies & wire services
Sign photographs and video at point of capture, downstream publishers and platforms can verify provenance.
Broadcasters & publishers
Photographers & videographers
Brands & advertising agencies
AI content platforms
Camera & capture tool manufacturers
Request C2PA Certificate access
Contact our C2PA solution architects to design a customized implementation. Our team will confirm your organization’s eligibility, validation requirements, and integration options for embedding C2PA signing into your publishing or capture workflow.
How it works
Compatibility
Photoshop, Lightroom, Premiere
Native C2PA signing support: sign credentials at export across the Creative Cloud suite
c2patool CLI
Open-source command-line tool for signing and verifying C2PA manifests in any workflow
Digital cameras
Hardware-level C2PA signing at point of capture: provenance from the moment of creation
Content Credentials verify
verify.contentauthenticity.org: publicly available verification for any C2PA-credentialed content
LinkedIn, Google Search & more
Growing platform support: major platforms implementing C2PA credential display
Compliance & standards
C2PA Specification (v2.x)
SSL issues certificates per the C2PA specification, credentials signed with SSL certificates are recognized across the ecosystem.
C2PA Trust List
RFC 3161 (Time Stamping)
EU AI Act
Requires disclosure of AI-generated content, C2PA manifests provide a standardized, machine-readable disclosure mechanism.
Content Authenticity Initiative (CAI)
SSL is a CAI member, C2PA certificates issued by SSL are part of the CAI trust framework.
Frequently asked questions
A C2PA Certificate signs the content manifest, proving it's authentic and unaltered. A CAWG Identity Assertion embeds your verified organizational or personal identity inside the manifest. They complement each other: use both for maximum attribution and trust.
Yes, you can sign existing content with a C2PA manifest. However, provenance established at the point of creation is more authoritative than retroactive signing. Best practice is to sign at capture or creation.
C2PA supports JPEG, PNG, TIFF, WebP, MP4, MOV, MP3, WAV, HEIC, PDF, and others. Support is expanding as the standard matures.
Recipients can verify content at verify.contentauthenticity.org without any special software. C2PA-aware tools (Adobe apps, certain browsers) display credentials inline.
A C2PA certificate is a signing credential used to create content credentials, cryptographic provenance assertions embedded directly into image, video, audio, and document files. The certificate binds the creator's verified identity to the content, records the tools and edits involved in its creation, and flags AI involvement if applicable. Any C2PA-supporting viewer or platform can verify the credential and display the provenance information to the audience.
When a C2PA-signed asset is modified after signing, the cryptographic hash embedded in the C2PA manifest no longer matches the file's current state. This mismatch is detectable by any C2PA-compliant viewer, the provenance information is shown as invalid or incomplete, signaling to the viewer that the content has been altered since the original signing.
C2PA is supported by Adobe (Photoshop, Lightroom, Firefly), Microsoft (Bing Image Creator), Google, Leica, Nikon, Sony, the BBC, Reuters, and the Associated Press, among many others. The Content Authenticity Initiative (CAI) maintains a growing list of participating organizations. Browsers and social platforms are implementing C2PA verification as the standard matures.
C2PA is the leading technical mechanism for satisfying the EU AI Act's mandatory disclosure requirements for AI-generated content, which require machine-readable labeling of synthetic media. Organizations deploying AI-assisted content workflows can embed C2PA provenance disclosures at the point of creation, creating an auditable record of AI involvement that regulators and platforms can verify.
Yes. Since June 2026 the SSL C2PA Free Tier includes one Level 1 Claim Signing Certificate (valid 1 year) and 10,000 trusted timestamps per year, issued via the SSL portal. You need to apply with a valid C2PA conformance record ID. If you need Level 2 certificates, device certificates, or conformance support, contact us for our Premium tier.
Without a trusted timestamp, a manifest stops being valid once the signing certificate expires or is revoked. An RFC 3161 timestamp lets validators confirm the claim was signed while the credential was valid, so the manifest can be validated indefinitely. See the Time Stamping Authority product page.
Related products
CAWG Identity Assertions
Add verified organizational or personal identity inside your C2PA manifest, so viewers see who created the content, confirmed by SSL as a trusted CA.
VMC, Verified Mark Certificate
Authenticate your brand in email alongside content distribution, your logo appears in supporting email clients, confirmed by a trusted CA.
Time Stamping Authority (TSA)
Trusted RFC 3161 timestamps (RSA and ECC) for long-term manifest validation, so your C2PA claim signatures stay valid even after the signing certificate expires.
