# Creating and using an X.509 certificate

The c2patool uses some custom properties in the manifest definition file for signing:

- `private_key`: Path to the private key file.
- `sign_cert`: Path to the signing certificate file.
- `alg`: Algorithm to use, if not the default ES256.

Both the private key and signing certificate must be in PEM (privacy-enhanced mail) format. The signing certificate must contain a PEM certificate chain starting with the end-entity certificate used to sign the claim ending with the intermediate certificate before the root CA certificate. 

If the manifest definition file doesn't include the `sign_cert` and `private_key` properties, c2patool uses a built-in certificate and private key.  An example certifcate and private key file are also provided in the [c2patool repo sample folder](https://github.com/contentauth/c2patool/tree/main/sample). 

If you are using a signing algorithm other than the default `es256`, specify it in the manifest definition field `alg` with one of the following values:

- `ps256`
- `ps384`
- `ps512`
- `es256`
- `es384`
- `es512`
- `ed25519`

The specified algorithm must be compatible with the values of private key and signing certificate.  For more information, see [Signing manfiests](https://opensource.contentauthenticity.org/docs/signing-manifests).

Instead of specifying the values in manifest definition file properties, you can put the values of the key and cert chain in two environment variables: `C2PA_PRIVATE_KEY` for the private key and `C2PA_SIGN_CERT` for the public certificates. For example, to sign with ES256 signatures using the content of a private key file and certificate file:

```shell
set C2PA_PRIVATE_KEY=$(cat my_es256_private_key)
set C2PA_SIGN_CERT=$(cat my_es256_certs)
```