Installing a CA to Populate Certificates for SignServer Workers Without Physical USB, Recognized by Adobe

[teaminnen]

Hello everyone,

I'm working with SignServer and need to set up a Certificate Authority (CA) that can issue certificates for each signing worker without requiring a physical USB token. The certificates need to be recognized by Adobe, showing the signer's name but indicating that the approval comes from our organization via the SignServer CA.

For testing or if we don't have a CA in our organization, we can set up our own PKI using software like EJBCA or OpenSSL.

Could someone guide me on:

How to install and configure a CA that can issue certificates for each worker without the need for physical USB tokens?
Ensuring that these certificates are recognized by Adobe and display the signer's name while showing that the approval comes from our organization's CA.
Any detailed steps, best practices, or resources would be greatly appreciated.

Thank you!

[teaminnen]

@KarolinHem could you pls help us? Thanks in advance

[KarolinHem]

Hi @teaminnen,

In our product documentation, you can find more details on how to set up EJBCA and SignServer for various use cases. See:

• https://docs.keyfactor.com/ejbca/
• https://docs.keyfactor.com/signserver/

Perhaps these tutorials and guides can be of help:

• https://docs.keyfactor.com/ejbca/latest/tutorials-and-guides
• https://docs.keyfactor.com/signserver/latest/tutorials-and-guides

Since I'm no product expert, I've also reached out to the product teams to see if they can guide you further.

[primetomas]

For certificates recognized by adobe:

1. Install your organisations private root certificate in adobe, windows, or the needed trust stores. By group policy or similar.
2. buy certificates from a public CA that is built into adobes trust store. These CAs will tell you what policies you need to comply with.

[teaminnen]

Thanks for the guidance @primetomas,

I have a couple of follow-up questions regarding the certificates recognized by Adobe:

Roaming Certificates: Can you provide more details on where to find roaming certificates from a public CA that is built into Adobe's trust store? Specifically, I am looking for certificates that do not require physical USB devices.

Compliance and Policies: Once I identify a CA, how can I ensure that I am compliant with their policies? Are there specific steps or documentation I need to follow?

Integration with SignServer: If I purchase a roaming certificate, will it be possible to use it to populate other certificates with SignServer? I want to confirm that the purchased certificate can be used effectively within our SignServer setup.

Thank you for your assistance!

[primetomas]

I'm not sure what a Roaming certificate is?
We can not advice on the policy requirements of CAs, what they require and such, that is up to respective CA. They will have the documentation that applies to them.

I can recommend to look at the PKI Consortium's "List of Trust Lists" for references and links, among them for the Adobe Trust List.
https://pkic.org/ltl/

[Realiserad]

@teaminnen Are the artifacts that you want to sign supposed to show up as "recognized by Adobe" on computers outside your organisation?