Solved

ADCS vs. self-signed certificates

Posted on 2013-06-12
2
774 Views
Last Modified: 2013-06-13
Hello -

I am at a cross road with our Digital Signature project. Our goal is to provide the ability to digitally sign in-house PDFs. The PDFs will not leave the organization.

Solution #1: I have installed and configured Active Directory Certificate Services and have been working out a problem with publishing the Delta CRL. This solution is still dysfunctional.

Solution #2: Another suggestion was made that I use self-signed certificates, created by Adobe, and placed on protected shares accessible to the various groups within our organization. When a PDF needs a signature the user may select his/her .pfx from the share & authenticate identify with password.

My question are:

1. Which method is preferred? I suspect #1 is more secure.
2. Is solution #2 a legitimate option?
3. What is your experience with either solution?

Thank you kindly
0
Comment
Question by:ozihandicraft
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 78

Accepted Solution

by:
arnold earned 350 total points
ID: 39243439
The difference is manageability and continuity.
Using ADCS you can publish the internal CA's Certificate as trusted through out the organization and thus all documents signed by a certificate issued by this CA will be seen as trusted. you can issue certificates to users/systems.
The publishing of the CA CRL/Root certificate is part of the GPO and should be included in the default domain policy computer configuration/security settings/

Using a self-signed certificate every so often may mean that the users will be presented over time with a warning that the signing certficate is not-trusted and whether they want to proceed.

1) is as you point out a logterm solution.
2) is used when the need it limited/immediate i.e. you need something right away and do not need to go through messing with the ADCS setup/configuration/

1 is the way to go.  Make sure to backup the CA regularly (when certificates are issued/or the CA certificate is renewed)
This way should the system experience a hardware failure, you can always restore the CA on another system.
0
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 39243623
as noted above self signed certificates require an import for each certificate that the user has to interact with.. A central CA means you only have to interact (and many times not even that) with the root domain certificate  and import it into your trusted root authorities.. a Central CA is better if you have a lot of users and it keeps the certificate store on the computers at a manageable level.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question