Solved

ADCS vs. self-signed certificates

Posted on 2013-06-12
2
760 Views
Last Modified: 2013-06-13
Hello -

I am at a cross road with our Digital Signature project. Our goal is to provide the ability to digitally sign in-house PDFs. The PDFs will not leave the organization.

Solution #1: I have installed and configured Active Directory Certificate Services and have been working out a problem with publishing the Delta CRL. This solution is still dysfunctional.

Solution #2: Another suggestion was made that I use self-signed certificates, created by Adobe, and placed on protected shares accessible to the various groups within our organization. When a PDF needs a signature the user may select his/her .pfx from the share & authenticate identify with password.

My question are:

1. Which method is preferred? I suspect #1 is more secure.
2. Is solution #2 a legitimate option?
3. What is your experience with either solution?

Thank you kindly
0
Comment
Question by:ozihandicraft
2 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 350 total points
ID: 39243439
The difference is manageability and continuity.
Using ADCS you can publish the internal CA's Certificate as trusted through out the organization and thus all documents signed by a certificate issued by this CA will be seen as trusted. you can issue certificates to users/systems.
The publishing of the CA CRL/Root certificate is part of the GPO and should be included in the default domain policy computer configuration/security settings/

Using a self-signed certificate every so often may mean that the users will be presented over time with a warning that the signing certficate is not-trusted and whether they want to proceed.

1) is as you point out a logterm solution.
2) is used when the need it limited/immediate i.e. you need something right away and do not need to go through messing with the ADCS setup/configuration/

1 is the way to go.  Make sure to backup the CA regularly (when certificates are issued/or the CA certificate is renewed)
This way should the system experience a hardware failure, you can always restore the CA on another system.
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 39243623
as noted above self signed certificates require an import for each certificate that the user has to interact with.. A central CA means you only have to interact (and many times not even that) with the root domain certificate  and import it into your trusted root authorities.. a Central CA is better if you have a lot of users and it keeps the certificate store on the computers at a manageable level.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now