Can you use an SSL certificate provided by LetsEncrypt.org to digitally sign pdfs?

4

Let's say that I have an SSL cert (x.509 cert) that I use to provide my personal website via HTTPS. Is it possible to use this cert to digitally sign pdfs in Acrobat DC which come from me? Would I want to use my SSL cert to do this?

Jason

Posted 2016-07-06T06:14:43.580

Reputation: 255

I suppose you could, but in 3 months Adobe Acrobat would complain the certificate that was used to sign the document had expired. Only you can decide if you want to use your SSL certificate to sign a PDF. – Ramhound – 2016-07-06T11:14:32.523

Answers

5

Technically, you can sign anything with the private key of a public-private key pair. What forms of public-private key pairs a given software package will accept as a valid key for signing, and for verifying a signature with, is a different matter. I don't know the details of what Acrobat Document Cloud requires out of a key for signing and verifying with.

In general, if a software package requires that the public key of your key pair for signing/verifying be contained in a valid public key certificate, it probably requires that the certificate have a "key usage" statement that specifies that the key is valid for digital signatures.

It looks like the cert securing https://letsencrypt.org/ itself has, as one of its key usage properties, "digital signature", so assuming the certs they issue have the same key usage properties, then yes, you should be able to sign files with it.

Signing a document with [the private key that matches the public key contained in] an SSL cert would be evidence that the document was certified by the entity identified in the Subject section of that cert, which, in the case of an SSL cert, is a web server domain name, not you as a person.

If you want to make it clear that the document was certified by you as a person, you need a certificate that has your personal identity in the Subject section, and thus your personal public key in it, not your web server / domain name's identity.

Certs with a person's identity are often sold as "email" (S/MIME, etc.) certs.

Spiff

Posted 2016-07-06T06:14:43.580

Reputation: 84 656

Oh dear, when I first wrote this (late at night for me) I accidentally got the keys backwards and said you sign with your public key. Of course you encrypt with your public key, but sign with your private key. Sadly I got two upvotes overnight before I noticed my error and corrected it! :-/ – Spiff – 2016-07-06T14:41:21.943

1

Can I digitally sign a PDF with the key used for my SSL website?

No, normally the X.509 certificate's "Key usage" field will not permit it. And digital signing software checks that field in the cert.

Here is the "Key usage" field for an SSL website cert:

enter image description here

Here is the "Key usage" field for a cert used to digitally sign a PDF document. Compare with the above.

enter image description here

If you could use a $4 SSL cert to digitally sign code or documents then the CAs wouldn't be able to charge you hundreds of dollars for digital signing certs!

ps. It is technically possible for a CA to issue a cert that lets you do everything with it, but they don't.

Larry K

Posted 2016-07-06T06:14:43.580

Reputation: 739

> ps. It is technically possible for a CA to issue a cert that lets you do everything with it, but they don't.

Right, that's why I asked about letsencrypt – Jason – 2016-07-07T14:57:18.280

I do not believe so since their certs (an example) do not provide "Non-Repudiation" key usage. – Larry K – 2016-07-07T20:15:59.437

It's a pity they don't allow this. It would cost them nothing. Now they are doing half of the job. Allowing a server to sign the documents (or even applications, like Java applets) it serves to users is part of web security (and privacy) as well. But then the leeches selling digital certificates would be out of a job and those leeches might have to get a more productive job in the society and the web might become a much more secure place without their need, so this is a no-no for the brother leeches that leech in politics... – NoOne – 2016-10-22T12:39:23.913
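
The two answers above reach different conclusions because they look at different bits of the same "Key usage" field: the first looks for "digital signature", the second answer's author for "Non-Repudiation". The following is an added example, not code from any poster on this page: it decodes the raw KeyUsage value (a DER BIT STRING, bit order per RFC 5280) and evaluates both checks. The two policy names and the sample byte strings are constructed for illustration; what a particular PDF verifier actually enforces is not established by this page.

```python
# Added example: decode an X.509 KeyUsage extension value and apply two
# hypothetical verifier policies. Bit order follows RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the usages asserted in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)          # bit 0 is the MSB of the first byte
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            usages.add(name)
    return usages

def signing_verdict(usages: set) -> dict:
    """Two hypothetical policies a signature verifier might apply."""
    return {
        # Policy A: "digital signature" alone is enough.
        "needs_digitalSignature": "digitalSignature" in usages,
        # Policy B: "Non-Repudiation" must be present as well.
        "needs_nonRepudiation": {"digitalSignature", "nonRepudiation"} <= usages,
    }

# Constructed sample values (not taken from any real certificate on this page).
TLS_SERVER_KU = bytes.fromhex("030205a0")   # digitalSignature, keyEncipherment
DOC_SIGNING_KU = bytes.fromhex("030206c0")  # digitalSignature, nonRepudiation

if __name__ == "__main__":
    for label, der in (("TLS server", TLS_SERVER_KU),
                       ("document signing", DOC_SIGNING_KU)):
        usages = decode_key_usage(der)
        print(label, sorted(usages), signing_verdict(usages))
```

The TLS-style sample passes the first policy and fails the second, which is exactly the gap between the two answers.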