Hello -

I am at a crossroads with our Digital Signature project. Our goal is to provide the ability to digitally sign in-house PDFs. The PDFs will not leave the organization.

Solution #1: I have installed and configured Active Directory Certificate Services and have been working out a problem with publishing the Delta CRL. This solution is still dysfunctional.

Solution #2: Another suggestion was made that I use self-signed certificates, created by Adobe, and placed on protected shares accessible to the various groups within our organization. When a PDF needs a signature, the user may select his/her .pfx from the share and authenticate his/her identity with a password.

My questions are:

1. Which method is preferred? I suspect #1 is more secure.
2. Is solution #2 a legitimate option?
3. What is your experience with either solution?

Thank you kindly
arnold Commented:
The difference is manageability and continuity.
Using ADCS you can publish the internal CA's certificate as trusted throughout the organization, and thus all documents signed by a certificate issued by this CA will be seen as trusted. You can issue certificates to users/systems.
The publishing of the CA CRL/Root certificate is part of the GPO and should be included in the default domain policy under Computer Configuration/Security Settings/

Using a self-signed certificate every so often may mean that the users will be presented over time with a warning that the signing certificate is not trusted and asked whether they want to proceed.

1) is, as you point out, a long-term solution.
2) is used when the need is limited/immediate, i.e. you need something right away and do not need to go through messing with the ADCS setup/configuration.

1 is the way to go. Make sure to back up the CA regularly (when certificates are issued or the CA certificate is renewed).
This way, should the system experience a hardware failure, you can always restore the CA on another system.
David Johnson, CD, MVP (Owner) Commented:
As noted above, self-signed certificates require an import for each certificate that the user has to interact with. A central CA means you only have to interact (and many times not even that) with the root domain certificate and import it into your Trusted Root Certification Authorities. A central CA is better if you have a lot of users, and it keeps the certificate store on the computers at a manageable level.
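An added PowerShell example, not from the thread or from either commenter, that carries out the three operational pieces both answers describe for solution #1: publishing the internal root CA to Active Directory so domain-joined machines trust it without per-user imports, verifying that a user's signing certificate chains to that root with a usable CRL (the step where a Delta CRL publishing problem surfaces), and taking a regular CA backup. All names are assumptions: the CA is called CorpRootCA, its exported certificate is C:\pki\CorpRootCA.cer, a user's exported signing certificate is C:\pki\user-signing.cer, and backups go to C:\pki\backup. It assumes a domain-joined machine with the RSAT PKI tools, run with CA-administrator rights; the backup step must run on the CA itself.

```powershell
# Added example (hypothetical names throughout; not the asker's or commenters' code).
Import-Module PKI

# 1. Publish the root CA certificate into the AD configuration partition.
#    Domain-joined machines pull it into their Trusted Root store through
#    autoenrollment/Group Policy, which is what makes CA-issued signing
#    certificates show as trusted everywhere without per-user imports.
certutil -dspublish -f 'C:\pki\CorpRootCA.cer' RootCA

# Pull the updated trust now rather than waiting for the next policy refresh.
certutil -pulse
gpupdate /target:computer /force

# 2. Confirm the root actually landed in this machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=CorpRootCA*' }
if (-not $root) {
    throw 'CorpRootCA is not in the Trusted Root store yet; check GPO/autoenrollment'
}

# 3. Verify a user's signing certificate the way a relying party would:
#    full chain build to the trusted root AND an online revocation check.
#    A base CRL that is fine but a Delta CRL that was never published shows
#    up here as RevocationStatusUnknown / OfflineRevocation.
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\pki\user-signing.cer'

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # fetch the CRL from the CDP
$chain.ChainPolicy.RevocationFlag = 'EntireChain'   # check every cert, not just the leaf

if ($chain.Build($signing)) {
    Write-Output "Signing certificate is trusted and not revoked: $($signing.Subject)"
} else {
    # Each ChainStatus entry names exactly what failed (untrusted root, expired,
    # revoked, or revocation status could not be determined).
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "$($status.Status): $($status.StatusInformation)"
    }
    # certutil fetches every CDP/AIA URL in the chain and reports which
    # base/delta CRL it could not retrieve, which pinpoints the publishing gap.
    certutil -verify -urlfetch 'C:\pki\user-signing.cer'
}

# 4. On the CA itself: regular backup of the CA database and private key,
#    so the CA can be restored on another system after a hardware failure.
Import-Module ADCSAdministration
$backupPassword = Read-Host -AsSecureString -Prompt 'CA backup password'
Backup-CARoleService -Path 'C:\pki\backup' -Password $backupPassword -Force
```

The chain check in step 3 is the useful diagnostic for the asker's Delta CRL problem: a signing certificate can be issued correctly and still fail validation on every desktop if the delta CRL the base CRL points to is missing from the distribution point, and `RevocationMode = 'Online'` with `RevocationFlag = 'EntireChain'` reproduces exactly the check the document viewer performs. Step 4 should be scheduled (Task Scheduler) rather than run by hand, and the resulting folder stored off the CA host.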
