
Authenticate with CSC

Authenticate the client with CSC before signing content to ensure that only authorized users can sign documents or manifests.

Required inputs

  • Client certificate (cert.pem) – Identifies the client. 

  • Private key (key.pem) – Private key for the certificate.

  • PIN – Secret PIN associated with your CSC credential.

Process

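CSC validates the client certificate during the TLS handshake, in which the client proves possession of the matching private key (the key file itself is never sent to CSC), and then checks the PIN. Signing is allowed only after successful validation.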

Outputs

  • creds_info – Dictionary containing raw credential details returned by CSC.

  • author_name – Name extracted from the certificate (Common Name / CN).

  • author_email – Email returned by CSC (this might remain empty in the demo environment; the Python example below always sets it to an empty string).

Python example

# This Python script authenticates the user with the CSC demo API using a client
# certificate, private key, and PIN. It returns the raw credential information,
# the author name extracted from the certificate, and the author email (if available).

import base64
import getpass
import json
import logging

import requests
from cryptography import x509
from cryptography.x509.oid import NameOID

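# Configure logging (the call had been folded into the comment line, so it never ran)
logging.basicConfig(level=logging.INFO)

# CSC demo endpoint and certificate/key files
# The endpoint is HTTPS; server certificate verification is left at the
# `requests` default (enabled) because no `verify=` override is passed.
CSC_BASE_URL = "https://clientauth.demo.one.digicert.com/documentmanager/csc/v1"

# Paths are relative to the current working directory.
CLIENT_CERT = "cert.pem"
# The private key is read locally for TLS client authentication; keep the file
# readable only by the account that runs this script.
CLIENT_KEY = "key.pem"

CREDENTIAL_ID = "basic_np-14-08-2025-11-01-44-165"  # Replace with your credential ID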

def extract_author_from_cert(cert_b64: str) -> str | None:      
"""      
Extracts the Common Name (CN) from a base64 DER certificate string.      
"""      
try:          
cert_der = base64.b64decode(cert_b64)          
cert = x509.load_der_x509_certificate(cert_der)          
cn_attr = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)          
if cn_attr:              
return cn_attr[0].value      
except Exception as e:          
logging.error("Failed to extract CN from certificate", exc_info=e)      
return None  

def get_credentials_info(pin: str):
    """Authenticate with CSC using the client certificate, key, and PIN.

    Posts the PIN and CREDENTIAL_ID to the `credentials/info` endpoint over
    TLS, presenting CLIENT_CERT / CLIENT_KEY as the client certificate.

    Args:
        pin: The credential PIN. It is sent in the JSON request body; the log
            messages written by this function do not include it.

    Returns:
        A tuple `(creds_info, author_name, author_email)`:
        the decoded JSON response, the CN of the first certificate listed
        under `cert.certificates` (or None), and an email string that this
        function always leaves empty. On any exception the error is logged
        and `({}, None, "")` is returned, so callers should treat an empty
        `creds_info` as a failed authentication and not continue to signing.
    """
    try:
        logging.info("📡 Requesting credentials info from CSC...")
        response = requests.post(
            f"{CSC_BASE_URL}/credentials/info",
            json={"PIN": pin, "credentialID": CREDENTIAL_ID},
            # (certificate path, key path): used for TLS client authentication.
            cert=(CLIENT_CERT, CLIENT_KEY),
            headers={"Content-Type": "application/json"},
            timeout=10,
        )
        # Any 4xx/5xx status is turned into an exception and handled below.
        response.raise_for_status()
        creds = response.json()

        # Extract author name from certificate CN
        cert_chain = creds.get("cert", {}).get("certificates", [])
        if cert_chain:
            author_name = extract_author_from_cert(cert_chain[0])
        else:
            author_name = None
        # Not read from the response; demo API usually returns empty.
        author_email = ""
        logging.info("✅ Authentication successful!")
        return creds, author_name, author_email

    except Exception as e:
        # Broad by design in this example: network, HTTP-status and parsing
        # errors all end up here and are reported the same way.
        logging.error("❌ Authentication failed", exc_info=e)
        return {}, None, ""
  
if __name__ == "__main__":
    # getpass reads the PIN without echoing it to the terminal.
    pin = getpass.getpass("Enter your credential PIN: ").strip()
    creds_info, author_name, author_email = get_credentials_info(pin)

    # The full CSC response is written to stdout; redirecting or capturing
    # the output will therefore store the raw credential details.
    print("\nRaw credential info (creds_info):")
    pretty_creds = json.dumps(creds_info, indent=4)
    print(pretty_creds)
    print(f"\nAuthor Name (from certificate CN): {author_name}")
    print(f"Author Email (from API, usually empty in demo): {author_email}")