Skip to content

License Management

This guide is for administrators who need to generate and manage license keys for Certum Draft users.

Overview

Certum Draft uses cryptographic license keys to control access. Each key is digitally signed, making them impossible to forge without the private key.

Key Components:

  • Private Key — Used to sign (create) licenses. Keep this secret.
  • Public Key — Embedded in the app to verify licenses. Safe to distribute.
  • License Keys — Given to users to activate the app.

Setting Up License Generation

The License Generator is a GUI app for creating and managing licenses.

  1. Build the generator: 

    cd LicenseGenerator
swift build

  2. Run the app: 

    .build/debug/LicenseGenerator

  3. Generate a key pair (first time only):

  4. Go to the Key Management tab
  5. Click Generate New Key Pair
  6. The private key is stored securely in your macOS Keychain

  7. Copy the public key — you'll need it for the app

  8. Configure the app:

  9. Open Clarity2/Services/License/LicenseManager.swift
  10. Replace REPLACE_WITH_YOUR_PUBLIC_KEY with your public key
  11. Rebuild Certum Draft

Option 2: Command Line (Python)

For scripting or automation:

  1. Install dependencies: 

    pip3 install cryptography

  2. Generate a key pair: 

    python3 scripts/generate-license.py --generate-keys
    This outputs both keys. Save the private key securely.

  3. Set up your private key: 

    export CERTUM_PRIVATE_KEY="your-private-key-here"
    Or save to a file: 
    echo "your-private-key" > ~/.certum-private-key
chmod 600 ~/.certum-private-key

Generating License Keys

Using the GUI

  1. Open the License Generator app
  2. Go to the Generate tab
  3. Either:
  4. Enter an email and click Generate (creates a deterministic key for that email)
  5. Set a count and click Generate X Keys (creates random keys)
  6. Copy keys using the copy button or Copy All

Using the Command Line

# Generate a random key
python3 scripts/generate-license.py

# Generate for a specific user
python3 scripts/generate-license.py --email [email protected]

# Generate multiple keys
python3 scripts/generate-license.py --count 10

License Key Format

Keys look like this: 

CERTUM-ABCD-EFGH-JKLM-MEUCIQCz...signature...

  • CERTUM — Prefix identifying the product
  • XXXX-XXXX-XXXX — Random or email-seeded segments
  • Final segment — Base64-encoded ECDSA signature

The signature makes each key unique and unforgeable.

Distributing Keys

When giving a key to a user:

  1. Send the complete key — including the long signature portion
  2. Recommend copy/paste — keys are too long to type accurately
  3. One key per user — for tracking purposes, generate unique keys per user

Example email: 

Subject: Your Certum Draft License

Here is your license key for Certum Draft:

CERTUM-ABCD-EFGH-JKLM-MEUCIQCz...

To activate:
1. Open Certum Draft
2. Paste this key when prompted
3. Click Activate

Keep this email for your records.

Validating Keys

To check if a key is valid:

GUI: Use the Validate tab in License Generator.

Command Line: 

python3 scripts/generate-license.py \
  --validate "CERTUM-XXXX-XXXX-XXXX-signature" \
  --public-key "your-public-key"

Security Best Practices

Protecting the Private Key

  • Never commit the private key to version control
  • Store it in macOS Keychain (the GUI does this automatically)
  • If using the command line, use environment variables or chmod 600 files
  • Only the license administrator should have access

If the Private Key is Compromised

  1. Generate a new key pair
  2. Update the public key in LicenseManager.swift
  3. Rebuild and redistribute Certum Draft
  4. Issue new licenses to all users

Note: Old licenses will stop working after the app is updated.

Revoking Access

Currently, individual licenses cannot be revoked without changing the key pair. For stricter control, consider:

  • Generating a new key pair periodically
  • Keeping records of issued licenses
  • Only distributing keys to authorized users

Backup and Recovery

Backing Up the Private Key

If using the GUI, the key is in macOS Keychain under: - Service: com.certum-draft.license-generator - Account: ecdsa-private-key

To export (if needed), use Keychain Access or generate a new pair.

Key Loss

If you lose the private key: 1. Generate a new key pair 2. Update the app with the new public key 3. Reissue all licenses

There is no way to recover a lost private key.

Troubleshooting

"No private key found"

The License Generator can't find a stored key.

Solution: Go to Key Management and generate a new key pair.

Keys not validating in app

The public key in the app doesn't match the private key used to sign.

Solution: Ensure the public key in LicenseManager.swift matches your key pair.

Keychain access denied

macOS is blocking access to the stored key.

Solution: 1. Open Keychain Access 2. Find the com.certum-draft.license-generator entry 3. Check access permissions