
Authenticate with CSC

Authenticate the client with CSC before signing content to ensure that only authorized users can sign documents or manifests.

Required inputs

  • Client certificate (cert.pem) – Identifies the client. 

  • Private key (key.pem) – Private key for the certificate.

  • PIN – Secret PIN associated with your CSC credential.

Process

CSC validates the client certificate and the client's possession of the matching private key, then checks the PIN. The private key itself is never sent to CSC. Signing is allowed only after successful validation.

Outputs

  • creds_info – Dictionary containing raw credential details returned by CSC.

  • author_name – Name extracted from the certificate (Common Name / CN).

  • author_email – Email returned by CSC (this might remain empty in the demo environment; the Python example below always returns an empty string).

Python example

# This Python script authenticates the user with the CSC demo API using a client
# certificate, private key, and PIN, and returns raw credential information along
# with the author name extracted from the certificate and the author email (if available).

import base64
import getpass
import json
import logging

import requests
from cryptography import x509
from cryptography.x509.oid import NameOID

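# Configure logging. INFO is needed for the progress messages below to be
# shown; the default root level (WARNING) would hide them.
logging.basicConfig(level=logging.INFO)

# CSC demo endpoint and certificate/key files
CSC_BASE_URL = "https://clientauth.demo.one.digicert.com/documentmanager/csc/v1"
# Client certificate and private key presented during the TLS handshake.
# requests needs the private key file to be unencrypted, so keep key.pem
# readable only by the account running this script and out of version control.
CLIENT_CERT = "cert.pem"
CLIENT_KEY = "key.pem"
CREDENTIAL_ID = "basic_np-14-08-2025-11-01-44-165"  # Replace with your credential ID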

def extract_author_from_cert(cert_b64: str) -> str | None:      
    """
    Extracts the Common Name (CN) from a base64 DER certificate string.      
    """      
    try:          
        cert_der = base64.b64decode(cert_b64)          
        cert = x509.load_der_x509_certificate(cert_der)          
        cn_attr = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)          
        if cn_attr:            
          return cn_attr[0].value      
    except Exception as e:         
        logging.error("Failed to extract CN from certificate", exc_info=e)      
    return None   

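def get_credentials_info(pin: str) -> tuple[dict, str | None, str]:
    """
    Authenticate with CSC using the client certificate, key, and PIN.

    The request is sent over TLS with the client certificate; server
    certificate verification is left at the requests default (enabled).
    The PIN travels only in the request body and is not written to any
    log message in this function.

    Args:
        pin: Secret PIN of the credential named by ``CREDENTIAL_ID``.

    Returns:
        ``(creds_info, author_name, author_email)``: the raw credential
        dictionary returned by CSC, the CN of the first returned certificate
        (``None`` if absent or unparsable), and the author email (always an
        empty string here). On any request failure or unexpected response
        the result is ``({}, None, "")``.
    """
    try:
        logging.info("📡 Requesting credentials info from CSC...")
        resp = requests.post(
            f"{CSC_BASE_URL}/credentials/info",
            json={"PIN": pin, "credentialID": CREDENTIAL_ID},
            cert=(CLIENT_CERT, CLIENT_KEY),
            headers={"Content-Type": "application/json"},
            timeout=10,
        )
        resp.raise_for_status()
        data = resp.json()
        if not isinstance(data, dict):
            raise ValueError("CSC response is not a JSON object")
    except Exception as e:
        logging.error("❌ Authentication failed", exc_info=e)
        return {}, None, ""

    # Extract author name from certificate CN. A missing, null or oddly
    # shaped "cert" section must not turn a successful authentication into
    # a reported failure, so every level is type-checked before use.
    cert_section = data.get("cert")
    certs = cert_section.get("certificates") if isinstance(cert_section, dict) else None
    has_cert = isinstance(certs, list) and bool(certs)
    author_name = extract_author_from_cert(certs[0]) if has_cert else None
    author_email = ""  # Demo API usually returns empty
    logging.info("✅ Authentication successful!")
    return data, author_name, author_email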
  
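if __name__ == "__main__":
    # getpass reads the PIN without echoing it and keeps it out of argv
    # and shell history.
    pin = getpass.getpass("Enter your credential PIN: ").strip()
    creds_info, author_name, author_email = get_credentials_info(pin)

    print("\nRaw credential info (creds_info):")
    print(json.dumps(creds_info, indent=4))
    print(f"\nAuthor Name (from certificate CN): {author_name}")
    print(f"Author Email (from API, usually empty in demo): {author_email}")

    # Fail closed: get_credentials_info returns an empty dict when
    # authentication did not succeed, so signal that with a non-zero exit
    # status and let a calling script stop before any signing step.
    if not creds_info:
        raise SystemExit(1)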