PKI Hierarchy

Tauth uses a three-tier X.509 PKI hierarchy. All private keys are stored in Azure Key Vault and never exported.

Certificate hierarchy

┌─────────────────────────────────────────────────────┐
│  Root CA                                            │
│  Subject: CN=Tauth C2PA Root CA                     │
│  Key:     tauth-root-ca-key (Azure KV, ES384)       │
│  Cert:    tauth/tauth-c2pa-root.pem                 │
│  CRL:     http://crl.tauth.io/sub-ca.crl            │
└──────────────────┬──────────────────────────────────┘
                   │  issues
┌──────────────────▼──────────────────────────────────┐
│  Sub-CA                                             │
│  Subject: CN=Tauth C2PA Sub CA                      │
│  Key:     tauth-sub-ca-key (Azure KV, ES384)        │
│  Cert:    pki/tauth-sub-ca.pem                      │
│  CRL:     http://crl.tauth.io/leaf.crl              │
└──────────────────┬──────────────────────────────────┘
                   │  issues
┌──────────────────▼──────────────────────────────────┐
│  Leaf cert                                          │
│  Key:     leaf-test (Azure KV, ES384)               │
│  Usage:   Signs C2PA manifests in media files       │
└─────────────────────────────────────────────────────┘

CRL distribution

Certificate Revocation Lists are generated by pki/generate_crl.py and served by nginx:

CRL          Issuer    URL
leaf.crl     Sub-CA    http://crl.tauth.io/leaf.crl
sub-ca.crl   Root CA   http://crl.tauth.io/sub-ca.crl

Regenerate CRLs (validity: 7 days):

```bash
cd /home/ubuntu/p
source env/bin/activate
python pki/generate_crl.py
```

Set up a cron job to run this weekly so that a fresh CRL is published before the current one's nextUpdate time passes.

OCSP

Real-time certificate status is available via OCSP at http://ocsp.tauth.io.

The responder (ocsp/responder.py) is a FastAPI app running on port 8080, proxied by nginx. It:

  1. Parses the DER-encoded OCSP request.
  2. Identifies the issuer by matching issuerKeyHash.
  3. Signs an OCSPCertStatus.GOOD response using the appropriate Azure KV key.

To check a certificate's status manually:

```bash
openssl ocsp \
  -issuer pki/tauth-sub-ca.pem \
  -cert your-leaf.pem \
  -url http://ocsp.tauth.io \
  -resp_text
```

Adding a new leaf key

  1. Create the key in Azure Key Vault (EC, P-384).
  2. Generate a CSR locally and sign it with the Sub-CA key via Key Vault.
  3. Update LEAF_KEY_NAME in .env.
  4. Restart the backend: sudo systemctl restart tauth-api.