I'm building an in-house solution for signing documents and need to transition from using self-signed certificates to a real certificate issued by a Certificate Authority (CA) for production use. My biggest challenge is budget constraints.
Currently, I'm signing PDFs in PAdES format with a self-signed certificate, which is fine for development but not good enough for production.
I've considered a couple of options:
1. Setting up a self-hosted CA, like HashiCorp Vault PKI. This gives more control and could save money, but it requires cloud infrastructure (since I don't have on-prem servers) and I'm uncertain about ongoing costs. Plus, it won't provide a certificate that's trusted publicly.
2. Using managed PKI services like DigiCert, WISeKey, or Certum. This offers fully managed and trusted certificates, but the pricing seems high, and I'm unclear on how the integration works. Do I need to manually download the certificates, or is there an API for that?
I have a few questions:
- Has anyone set up a cost-effective document signing solution with proper certificate trust chains?
- How does integration generally work for managed PKI services with custom apps?
- Are there any affordable alternatives I may have overlooked?
- If I consider going the cloud-hosted CA route, what would be realistic monthly costs for a small-scale operation?
Any advice would be greatly appreciated!
2 Answers
You might want to look into an AATL signing certificate with an HSM option. You can host the certificate with something like Azure Key Vault Premium. Just a heads up, this will take some development work to integrate with the Key Vault API, but it could be worth it for the added security and trust.
If your applications will remain in-house and aren't meant for external users, you might reconsider using public CAs. Managing your own PKI system, whether in-house or through SaaS, often ends up being cheaper than buying code-signing certificates from public CAs. The costs for public CA services can pile up quickly due to 'microtransactions.'
Great point! We're actually planning to offer this document signing service publicly down the road. I didn't mention that context, but since we're still in the early stages, we can explore different options. Thanks for the insight!

Thanks for the suggestion! I do have development capacity. Is this what you meant? [https://shop.globalsign.com/en/document-signing](https://shop.globalsign.com/en/document-signing)