Solved

ADCS vs. self-signed certificates

Posted on 2013-06-12
2
770 Views
Last Modified: 2013-06-13
Hello -

I am at a cross road with our Digital Signature project. Our goal is to provide the ability to digitally sign in-house PDFs. The PDFs will not leave the organization.

Solution #1: I have installed and configured Active Directory Certificate Services and have been working out a problem with publishing the Delta CRL. This solution is still dysfunctional.

Solution #2: Another suggestion was made that I use self-signed certificates, created by Adobe, and placed on protected shares accessible to the various groups within our organization. When a PDF needs a signature the user may select his/her .pfx from the share & authenticate identify with password.

My question are:

1. Which method is preferred? I suspect #1 is more secure.
2. Is solution #2 a legitimate option?
3. What is your experience with either solution?

Thank you kindly
0
Comment
Question by:ozihandicraft
2 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 350 total points
ID: 39243439
The difference is manageability and continuity.
Using ADCS you can publish the internal CA's Certificate as trusted through out the organization and thus all documents signed by a certificate issued by this CA will be seen as trusted. you can issue certificates to users/systems.
The publishing of the CA CRL/Root certificate is part of the GPO and should be included in the default domain policy computer configuration/security settings/

Using a self-signed certificate every so often may mean that the users will be presented over time with a warning that the signing certficate is not-trusted and whether they want to proceed.

1) is as you point out a logterm solution.
2) is used when the need it limited/immediate i.e. you need something right away and do not need to go through messing with the ADCS setup/configuration/

1 is the way to go.  Make sure to backup the CA regularly (when certificates are issued/or the CA certificate is renewed)
This way should the system experience a hardware failure, you can always restore the CA on another system.
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 39243623
as noted above self signed certificates require an import for each certificate that the user has to interact with.. A central CA means you only have to interact (and many times not even that) with the root domain certificate  and import it into your trusted root authorities.. a Central CA is better if you have a lot of users and it keeps the certificate store on the computers at a manageable level.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
OnPage: Incident management and secure messaging on your smartphone
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
We often encounter PDF files that are pure images, that is, they do not have text characters, but instead contain only raster graphics. The most common causes of this are document scanning software and faxing software/services that create image-only…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question