This guide explains how to use the KDM Distribution module in Mnemonica — from registering projector certificates to creating deliveries, managing approvals, and downloading KDM files. Looking for the DKDM management system?
TABLE OF CONTENTS
- What is a KDM?
- Getting Started
- Managing Certificates (Devices Tab)
- Creating a KDM Delivery
- Managing Deliveries (Active Tab)
- Approving and Rejecting Requests
- Viewing Delivery History
- Troubleshooting
- Glossary
What is a KDM?
A Key Delivery Message (KDM) is a cryptographic key that unlocks encrypted cinema content (DCPs) on a specific projector for a defined time window. Without a valid KDM, the projector cannot decrypt or play the content.
Each KDM is tied to three things:
- Content — which film (CPL) to unlock
- Certificate — which projector(s) can play it
- Validity — the time window during which playback is allowed
The KDM module in Mnemonica lets you create, send, approve, and manage KDM deliveries directly from the platform.
Getting Started
Accessing the KDM Module
Go to the Mnemonica main dashboard and click the KDMs button in the bottom navigation bar. The module has three tabs:
| Tab | Purpose |
|---|---|
| Active | Current deliveries (pending, approved) |
| History | Completed and rejected deliveries |
| Devices | Your registered projector certificates |
Your Role Matters
Your role on each project determines what you can do. The role is set per-project, so you may have different permissions on different content.
| Role | Create KDM | Approve/Reject | Download | Delete |
|---|---|---|---|---|
| Manager | Direct creation | Yes | Yes | Yes |
| Power Guest | Requires approval | No | After approval | No |
| Guest | Request only (for self) | No | After approval | No |
Your role is determined per CPL. When creating a KDM, the wizard title changes to reflect your permission level: "Create KDM" for Managers, "Request KDM" for others.
Managing Certificates (Devices Tab)
Before creating a KDM delivery, you need at least one projector certificate registered. Certificates are DCI/SMPTE X.509 files (.pem) that identify cinema projectors.
Viewing Your Certificates
The Devices tab shows all registered certificates with these details:
| Column | Description |
|---|---|
| Name | Human-readable device name you assigned |
| Organization | Certificate organization field |
| DN Qualifier | Unique certificate identifier |
| Status | Green check (valid) or warning (expired) |
| Issuer | Certificate authority chain |
| Validity | Start and end dates of the certificate |
| Added | When you registered this certificate |
Click any row to open the Inspector panel with full certificate details.
Adding a Certificate
Click the + button in the toolbar. Two options are available:
Option A: Upload Certificate
- Click Upload Certificate from the menu
- Enter a Device Name (e.g., "Main Theater Projector")
- Drop a .pem file into the upload area, or click to browse
- Click Upload
Option B: Browse Platform
Import a certificate already registered on the Mnemonica platform:
- Click Browse Platform from the menu
- Browse or filter the list of available platform certificates
- Click a certificate to select it
- Assign a Device Name for your library
- Click Import
Use Browse Platform when certificates are centrally managed by your organization.
Editing or Removing a Certificate
Click the ... menu on any device row:
- Edit Device — Change the name or replace the certificate file
- Remove Device — Permanently delete from your library
Creating a KDM Delivery
Click the + Create new KDM delivery button on the Active tab to open the wizard. The wizard guides you through six steps.
Step 1: Project
Select the project containing the content you want to unlock. Use the search bar to filter by name. Only projects with encrypted DCPs appear.
Step 2: Content (CPL)
Select a CPL (Composition Playlist) — the specific version of the content. Each CPL may represent a different language, subtitle track, or audio configuration. Each CPL shows metadata tags (resolution, frame rate, audio format, aspect ratio) to help you identify the right version. Only encrypted DCPs with uploaded DKDMs appear here.
Step 3: Certificates
Select which projector(s) should receive this KDM. You can select multiple certificates for a single delivery.
- Your Certificates tab — Lists all registered certificates. Use the filter bar to search by name, organization, or DN qualifier. Check the boxes next to each target projector.
- Upload Certificate tab — Add a new certificate on the fly if the target projector is not yet registered. Enter a device name, drop the .pem file, and click Upload.
A summary bar at the bottom shows how many certificates are selected (e.g., "2 certificates selected").
Step 4: Validity
Set the time window during which the KDM allows playback. Use a quick preset or set custom dates manually.
| Preset | Duration |
|---|---|
| 24 Hours | 1 day |
| 1 Week | 7 days |
| 2 Weeks | 14 days |
| 1 Month | ~30 days |
Or set custom dates and times manually using the Valid From and Valid Until date/time pickers.
The KDM will only work during this exact time window. After the "Valid Until" time, the content will no longer be accessible on the target projector(s).
Step 5: Recipient
This step varies by role:
- Managers — Enter a recipient email and an optional message. The KDM is generated immediately after submission.
- Power Guests — Enter a recipient email and an optional message (visible to the approving Manager). The delivery requires Manager approval before the KDM is generated.
- Guests — No email field; the KDM is automatically addressed to your own account. Manager approval is required before the KDM becomes available for download.
Step 6: Review
This step shows a summary of your entire delivery before submission, organized into three collapsible sections: Content, Configuration, and Delivery. Each section has an Edit link to jump back and make changes.
Click Create KDM (Managers) or Submit Request (Power Guests/Guests) to finalize.
If you cancel the wizard after entering data, a confirmation dialog will ask: "Discard changes? All progress in this wizard will be lost."
Managing Deliveries (Active Tab)
The Active tab shows all current KDM deliveries — both outgoing (created by you) and incoming (sent to you for approval).
Table Columns
| Column | Description |
|---|---|
| CPL | Content package name |
| Devices | Click the count to open the Delivery Devices dialog |
| To / From | Recipient email (outgoing) or proposer email (incoming) |
| Validity | Start and end dates |
| Status | Pending, Approved, or Rejected |
| Created | Delivery creation date |
| Log | View approval history (Managers only) |
| Actions | Download, Delete |
Filtering Deliveries
- Search bar — Filter by text across all columns
- Advanced filters (click the filter icon) — Filter by Direction (Outgoing/Incoming), Status (Pending/Approved/Rejected), or content metadata (Media info, Languages, Subtitles)
Click Reset all filters to clear all active filters.
Inspector Panel
Click any delivery row to open the side panel with full details. Toggle visibility with the Show/Hide Inspector button.
Row Actions Menu
Click ... on any delivery row:
- Download — Download the KDM file(s). Available only for approved deliveries.
- Delete — Permanently remove the delivery. Available to Managers only.
Approving and Rejecting Requests
This section applies to Managers only. Only users with the Manager role on the relevant project can approve or reject deliveries.
When a Power Guest or Guest submits a KDM request, it appears in your Active tab with Pending status and you receive a notification.
Taking Action
Click the Pending status badge on a delivery row to open the action menu:
| Action | Effect |
|---|---|
| Approve | Generates the KDM immediately. Recipient is notified. |
| Request Changes | Sends the delivery back to the requester with your feedback. They can edit and resubmit. |
| Reject | Permanently closes the request. Cannot be resubmitted. |
Both Request Changes and Reject open a dialog where you can write a message or reason. The requester is notified in both cases.
Viewing Delivery History
The History tab shows completed and rejected deliveries as a read-only archive. Use the search bar and Inspector panel the same way as the Active tab. No actions are available on historical deliveries.
| Column | Description |
|---|---|
| CPL | Content package name |
| Devices | Click to view delivery devices |
| Recipient | Who received the KDM |
| Validity | Playback time window |
| Created | When the delivery was created |
| Status | Final status (Approved or Rejected) |
| Log | View approval history |
Troubleshooting
"No CPLs found" in the wizard
Only encrypted DCPs with uploaded DKDMs appear in the CPL list. If your content is missing:
- Confirm the DCP is encrypted (not a plain/unencrypted package)
- Contact your project Manager to verify the DKDM has been uploaded for this asset
For DKDM upload instructions, see the DKDM Management User Guide.
"No certificates uploaded yet"
You need at least one projector certificate to create a KDM. Go to the Devices tab and either upload a .pem file or import from the platform library.
Certificate shows "Expired" status
Expired certificates can still be selected, but KDMs generated for expired certificates will not work on the target projector. Contact the cinema to obtain an updated certificate.
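A local check you can run on a .pem file before uploading it, as an added example that is not part of Mnemonica or of the original guide. It uses the standard openssl command line to print the fields the Devices tab displays and to test the certificate against the Step 4 validity presets; going beyond the guide, it also flags a certificate that is valid today but would expire before the end of the chosen preset, which is worth raising with the cinema. The function names, file names, and the throwaway sample certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: local pre-upload check of a projector certificate with openssl.

# Seconds for the wizard's validity presets listed in Step 4.
preset_seconds() {
    case "$1" in
        24h) echo $((1 * 86400)) ;;
        1w)  echo $((7 * 86400)) ;;
        2w)  echo $((14 * 86400)) ;;
        1m)  echo $((30 * 86400)) ;;   # the guide gives "~30 days"
        *)   return 64 ;;
    esac
}

# Print the fields the Devices tab shows: subject (incl. dnQualifier), issuer, validity.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
}

# cert_covers PEM SECONDS
#   0 = valid now and still valid SECONDS from now
#   1 = valid now but expires inside that window
#   2 = already expired (or unreadable)
cert_covers() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 || return 1
    return 0
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$1.key" -out "$1" \
        -subj "/O=Example Cinema/CN=projector-01/dnQualifier=CONSTRUCTED" 2>/dev/null
}

# Demo: a certificate with 10 days left, checked against each preset.
tmp=$(mktemp -d)
make_sample_cert "$tmp/projector.pem" 10
cert_summary "$tmp/projector.pem"
for p in 24h 1w 2w 1m; do
    status=0
    cert_covers "$tmp/projector.pem" "$(preset_seconds "$p")" || status=$?
    echo "preset $p -> status $status"
done
rm -rf "$tmp"
```

To check a real projector certificate, call `cert_summary` and `cert_covers` on its .pem file instead of the constructed sample.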
Delivery stuck in "Pending"
The delivery is waiting for Manager approval. If you are the requester, check with the project Manager and verify they have received the notification. If you are the Manager, check your Active tab for incoming deliveries with Pending status.
Cannot see the Approve/Reject buttons
Only Managers see the status action menu. If you need approval authority, contact your organization administrator to update your project role.
Download button not available
KDM files can only be downloaded after the delivery is approved. If the status is Pending, wait for Manager approval first.
Glossary
| Term | Definition |
|---|---|
| KDM | Key Delivery Message — cryptographic key that unlocks encrypted cinema content on a specific device for a specific time |
| DCP | Digital Cinema Package — the encrypted film content delivered to cinemas |
| CPL | Composition Playlist — defines a specific version of the content (language, audio, subtitles) |
| DKDM | Distribution KDM — a master key held by the distributor, used to generate device-specific KDMs |
| Certificate | DCI/SMPTE X.509 file (.pem) that uniquely identifies a cinema projector |
| DN Qualifier | Distinguished Name Qualifier — a unique hash identifying a specific certificate in the DCI trust chain |
| Validity Period | The time window during which a KDM allows content playback |
| Delivery | A KDM distribution event: one CPL + one or more certificates + a validity window, sent to a recipient |