Self Signes certificate OpenSSL

[mtdallaire]

Hi, Thank you so much for all the tutorials, videos and code you provided on the subject.
I have a question because I'm not sure I understand it completely. Right now, In our company, we want to stop using Docusign. I have been able to execute the code and it worked perfectly for our purpose. My question may be selfanswering but, do I have to create one certificate per customer with OpenSSL ? Or do I make one certificate for our company and we reuse that certificate for each customer ?

Kind regards, Mike

[RichardBray]

Hey @mtdallaire you just need to make a certificate for your company but I wouldn't recommend using OpenSSL.

If you want to be more official I would recommend buying a certificate from somewhere like GlobalSign on behalf of your company then using that to sign the documents.

Let me know if that makes sense.

[mtdallaire]

I use my company's certificate (let's say GlobalSign) even if it's the custumer who sings the document ? And I sue the same certificate for each document or I need to buy one for each document ? I know my questions sounds noob... but when it comes to certificaes... I am! ;)

[RichardBray]

TBH I don't understand the nature of your business but I'm just comparing it to the way I think Docusign works.

There are three types of e-signatures

• SES = Simple electronic signature
• AES = Advanced electronic signature
• QES = Qualified electronic signature

An SES is nothing more than an image or a scribble on a document to verify it has been signed. An SES doesn't require a digital certificate and therefore doesn't prevent the document from being tampered with.

AES/QES - these both require digital certificates and prevent tampering once signed

QES like an AES but requires more verification to obtain a certificate. It also usually costs more than an AES as well.

How Docusign works

• customer signs the document with an SES
• your company signs the document with an SES
• Docusign then signs the whole document with their own certificate which I think is an AES

How I think you should do it

• customer signs the document with an SES
• your company signs the document with an AES

I hope that makes sense

[mtdallaire]

Oh thank you so much! This makes perfect sense to me!!! Thank you so very much for eveything. It's very appreciated!

Have a wonderful day! :-)

[RichardBray]

No worries, glad I could help out 😊

[avisangray]

@RichardBray @mtdallaire i completely understand your explanation. but when you go to buy a certificate from entrust or globalsign the document signing certificate is obviously not the one i guess as they are installed directly on hardware token provided by them. while apart from that only other option is TLS/SSL domain certificates or code signing certificates. i feel terminology is a little confusing. could you please help or clarify the same. thanks

[RichardBray]

Hey @avisangray this is totally my fault and something I should address in a future video. If you're using globsign or entrust I would recommend just using their document signing service instead of just buying a certificate.

Here are links to the relevant services: https://www.globalsign.com/en-gb/digital-signatures https://www.entrust.com/digital-security/certificate-solutions/products/digital-signing/digital-signing-as-a-service

I've only ever done research into digital signing with Nodejs, unfortunately we didn't end up going down that route so we never managed to implement it, but if we did we would have used a signing service.

Let me know how it goes.

[avisangray]

@RichardBray thanks for reply mate. i'm actually looking to get a certificate for signserver implementation as using ejbca by default. but that's not a trusted one. i really dont want to use their saas but implement my own by any means. i have implemented HSM for DSC but i'm having hard time believing(as there is no data that i could get my hand own) that all these enterprise companies like pandadoc would be using DSC on HSM. if entrust/globalsign support wouldn't have been so slow to reply once every week i would have already got somewhere in last 6 weeks. i'd really love if you could direct me to a relevant direction. thanks :-)

[RichardBray]

Wow rolling out your own is pretty tough, hope you're able to do it 💪 I don't have any experience with this specifically or the tools you have mentioned in your latest comment but I think the companies that give out the certificates like to make sure the security for it is on point, so they're quite picky with the way it's distributed that's why they either do it on hardware or through a service. I think you're best bet is to try and contact the company directly (globalsign or entrust) to see if they'll be able to help out, I think you've already done this so you're on the right path. But there's not much I can do to help.