1

I'm trying to purchase multiple certificates, some just signing, some just encrypting, and some a combination of the two. I wanted to purchase one signed by a CA, rather than using a self-signed one. I just want a file, so that I can easily integrate it with some software I've written and just call the command line to sign/encrypt files.

All the CA sites I've looked at are trying to sell it as a hardware package, with physical devices like USB drives, etc. Have I misunderstood what the CAs offer, or the whole process itself? I may be unaware of what the correct thing to google is, because the research I've tried to do on this hasn't cleared anything up.

An example site is GlobalSign, if I wanted to purchase a certificate for signing a document then the page I think I would want is here: https://www.globalsign.com/en/digital-signatures/

All the options available are hardware or SaaS.

Any help is appreciated, even just links to anything you think may help point me in the right direction. Thank you.

EDIT: It was suggested this is a duplicate of another issue. I believe it is different, because it has nothing to do with Adobe standards.

For example with signing, I want to be able to generate a PKCS7 key pair/certificate and then have a CA sign my certificate so that I can use these to share files. I have already generated the certificate, I have my own software that integrates the key for automated signing.

Improve this question
10
  • 1
    This question would be improved by some example links to the packages involved. I suspect the Answer may be that they're selling an HSM which will protect their signing subkey even though the signing ability is transferred to your posession. It prevents you, or an attacker, from extracting their signing key (the "file") and redistributing it in any way. Commented Apr 9, 2019 at 10:13
  • I've added an example for GlobalSign. The key will be secure on our systems, the hardware solution will directly interfere with software. Commented Apr 9, 2019 at 11:07
  • 2
    Possible duplicate of valid PDF signature without using hardware HSM or usb Token. In short - this is a legal requirement for the kind of certificates you want to use. It is different for example with certificates for HTTPS server where you actually get the files. Also duplicate to Need raw certificate/key to sign PDFs via Java app. But vendors seem to only sell HSMs for this. What to do? Commented Apr 9, 2019 at 11:12
  • 2
    You can just buy a certificate intended for https or S/MIME and sign any file. It technically works. It will just not be accepted by entities which require you to have a document signing certificate. Commented Apr 9, 2019 at 11:23
  • 3
    @Seb: While you claim that it is not related to Adobe but you don't even say what you need the certificate for. Like I said in my comment - you can actually get certificates as files for use in a HTTPS server. But this does not seem to be what you want. It would be more useful if you would describe the actual use case what you need the certificates for instead of complaining that the suggested duplicates have nothing to do with what you want (but don't explain). Commented Apr 9, 2019 at 13:25

1 Answer 1

Reset to default
6

It's rather simple: If you want a certificate which is from a CA root that is in the Adobe’s Approved Trust List (AATL), the CA and you have to comply to the technical requirements.

EE4 c. clearly requires

All end-entity key pairs must be stored in a secure cryptographic hardware device ...

If you don't need a certificate which complies with that, you can surely buy one or create one yourself. It will not be on the AATL of course.

Improve this answer
6
  • I don't care about AATL at all. I have a certificate that I have already generated, and I would like to purchase a signature for it from a CA, but I cannot find one. Do you know a CA that will sign a certificate without requiring it to exist on secure hardware. Commented Apr 9, 2019 at 12:07
  • 1
    My personal CA I created just moments ago will happily sign it! Or are there maybe any other requirements you have but didn't tell us? Commented Apr 9, 2019 at 12:12
  • What exactly makes a CA a CA, rather than just some entity that is agreeing to sign a public key? If a company wanted to sign their own keys, what would make them a CA signing their own keys, vs just a self-signed certificate? Or is there no difference? Commented Apr 9, 2019 at 12:24
  • 2
    @Seb this could be another question. Basically a CA confirms to rules (e.g. AATL) and is audited by another company to check that they actually follow this rules. Based on that, the creator of the rules (e.g. Adobe) trusts the certificates signed by the CA. If you don't want Adobe to trust your certificate, why do you need a CA? Or in other words: A CA is just some entity that is agreeing to sign a public key! Just one entity that a lot of other people choose to trust. Commented Apr 9, 2019 at 12:26
  • 1
    A certificate authority depends on context. I'm my own CA when it comes to signing kernel modules for my laptop. Commented Apr 9, 2019 at 13:38

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.