Participant
April 1, 2025
Answered

Adobe e-signature with custom CA


I'm looking for some guidance and advice.

 

My company is small, and uses Adobe Acrobat to sign documents. Each employee has created their own e-signature in their copy of Acrobat, and uses that to add their signature to documents that are PDF'd.

We recently had an audit finding that the signatures are not secure as anyone can create an e-signature and there is no check that who is creating it is the person who should be signing it. This is obviously a valid point.

 

It would be very costly to go to a third-party CA to get e-signature certificates for the company.

I have researched it and it appears that I can create a custom CA for internal use, then use the CA to sign employee certificate requests, and then the employee can use that certificate to e-sign. While this would still not show valid to people outside the company, there would be a way to confirm inside the company that the signature is valid.

 

I tried using OpenSSL to do this, but when I got to the point of adding it to Adobe, I got an error and in researching, found that Adobe doesn't like OpenSSL certificates for e-signatures.

 

Is there any alternative to getting an in-house CA, sign certificates with it, and use in Adobe for e-signatures?

Thanks for any help you can be to get me further along.

Correct answer by S_S (Community Manager), April 3, 2025

Hi @drsjeffn,

 

Hope you are doing well. Thanks for writing in!

 

Here's my take on this:

There could be multiple ways to go about the feat you want to achieve. Some trustworthy methods could be:

Microsoft Active Directory Certificate Services (AD CS)

If your company uses Windows Server, the best way to create an internal CA that Adobe will trust is through Active Directory Certificate Services (AD CS).
Steps:

  1. Set up a Microsoft CA on a Windows Server.

  2. Create a certificate template for Digital Signatures (ensure it has the Digital Signature and Non-Repudiation key usages).

  3. Issue certificates to employees using Group Policy or manual requests.

  4. Install the root CA certificate in the Adobe Trusted Identities.

Adobe Approved Trust List (AATL) or EU Trusted List (EUTL)

If you don’t want to use an internal CA, another option is to use a free or low-cost external CA that is part of Adobe’s AATL (Adobe Approved Trust List). Examples:

  • DigiCert, GlobalSign, Sectigo, Entrust, etc.

  • Some CAs provide inexpensive certificates for internal business use.

Self-Signed Certificates with Adobe Trust Overrides (Workaround)

If setting up AD CS is not an option, you can generate self-signed certificates but must manually distribute and trust them in Adobe:

  1. Use Windows Certificate Manager or OpenSSL to create a self-signed certificate for each employee.

  2. Manually import each certificate into Adobe Acrobat > Preferences > Signatures > Identities & Trusted Certificates.

  3. Employees must manually trust each certificate.

 

Hope this helps.


Regards,
Souvik.
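
An added example (not part of the original answer or any Adobe material): the internal-CA flow from the steps above done with OpenSSL, issuing an employee certificate that carries the Digital Signature and Non-Repudiation key usages, then checking that a certificate chains to the internal CA and has both usages. All names, subjects and file names are constructed, and the check says nothing about whether Acrobat accepts a given certificate.

```shell
#!/bin/sh
# Added example. All names, subjects and file names are constructed; the keys
# are throwaway and unencrypted, so real CA keys need proper protection.

issue_chain() {  # $1 = empty working directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Internal Signing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Extensions for the employee certificate: the two key usages from step 2.
    cat > "$d/sign.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Employee" \
        -keyout "$d/emp.key" -out "$d/emp.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/emp.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/sign.ext" \
        -out "$d/emp.crt" 2>/dev/null
}

check_signing_cert() {  # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: does not chain to the internal CA"; return 1; }
    usage=$(openssl x509 -in "$2" -noout -text |
        sed -n '/X509v3 Key Usage/{n;p;}')
    for want in "Digital Signature" "Non Repudiation"; do
        case $usage in
            *"$want"*) ;;
            *) echo "FAIL: key usage lacks $want"; return 1 ;;
        esac
    done
    echo "OK: chains to the CA and carries both key usages"
}

work=$(mktemp -d)
issue_chain "$work" && check_signing_cert "$work/ca.crt" "$work/emp.crt"
rm -rf "$work"
```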

1 reply

creative explorer
Community Expert
April 3, 2025

@drsjeffn have you looked into Adobe e-Sign? Adobe has always been one of the most rigorous and secured PDF apps out there. I would never trust those third-party websites and apps about PDFs because you read so many horror stories about malware, viruses and trojans on those third-party apps and websites for PDFs.
https://www.adobe.com/ca/acrobat/business/sign.html


drsjeffn (Author)
Participant
April 3, 2025

Souvik

 

Thank you for your advice, it is much appreciated. I will pursue the AD CS option, though that may not work well in the environment I'm currently in. This is the best option at the time, but perhaps I can get it to work.