tags:

views:

225

answers:

4
+3  Q: 

Where to get Certificate for digitally signing PDFs?

I'm working on a Java application that uses iText to digitally sign PDFs that will be made available online. I have been able to sign the documents with a test cert I obtained from GlobalSign and it works great. The test cert is part of GlobalSign's "DocumentSign for Adobe PDF". The reason I had to use this cert is so that my cert chains back to the Adobe Root CA, which to my knowledge (and I could be wrong) is the only CA that is trusted by Adobe Reader out of the box. I tried regular SSL certs from VeriSign and Entrust but they didn't work as they were not trusted.

Now I need to get a permanent cert but GlobalSign (as well as VeriSign and others) want to sell me a service that requires extra hardware for the 2 factor authentication which I do not want. There doesn't seem to be a way to get the cert only. My question is, has anyone else gone through this? Is there another way to get a cert that Adobe Reader will trust (other than having the end user manually enter the cert into the list of trusted certs)? Have I missed something?

Thanks for any help you can provide.

A: 

Verisign offers MyCredential for Adobe Acrobat for personally signing PDFs and True Credentials for Adobe, but it also seems to require a USB token. You may be stuck with that.

tvanfosson  2009-10-13 17:49:12
A: 

Try GeoTrust also offers PDF Signing Certificates but I think it is similar to GlobalSign and VeriSign's offerings.

Robert  2009-10-14 04:16:24
A: 

You can also use Ascertia's issued free digital certificate. You can get this from: https://www.ascertia.com/OnlineCA/Default.aspx

mwahaj  2009-11-06 07:49:10
+1  A: 

There are three ways you can approach this. None of which are ideal.

  1. Adobe CDS: This works in Acrobat 6+ but as far as I can tell requires two factor authentication and heavy licensing costs.
  2. AATL: Instead of linking back to Adobe's root CA they trust a certain list of providers. As far as I can tell they still require a hardware device. Also, this only works in Acrobat 9+
  3. Windows Certificate: Acrobat includes a preference to integrate with the windows certificate store. This means that any root CA trusted in your windows store will be trusted by Adobe. They really should have just enabled this by default.
JonMR  2009-11-13 01:18:36
Thanks for confirming my suspicions. Options 1 and 2 are certainly cost prohibitive. I understand the reasoning behind 2 factor authentication (at least the way it's being marketed) but it just isn't practical. I'd be interested to hear from anybody that has gone down that route. I'll have to look into option 3 a little more. Is there something similar on the Mac? Thanks again.
JCW  2009-11-13 13:11:54

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL