Active directory, is it possible to issue EDS to users automatically?

V

Viktor Taran2017-11-30 13:22:03

Active Directory

Viktor Taran, 2017-11-30 13:22:03

Good day.
The task from the customer: a manual for employees and individual entrepreneurs on how to sign documents with a Self-signed EDS.
Task: Self-signed digital signatures for signing WODR OUTLOOK PDF
Question:
Is it possible to use AD to automatically issue these certificates to company employees so that they can simply sign in winword ... outlook and do nothing at all for this, well, or at a minimum?
Does AD issue certificates and install them on the computer?
Is it possible with trusted certificates (there is only yes and no so far)?
The easiest way to make an EDS for individuals is self-signed, of course (manual with installation), a bash script would say, but this is Windows ;(. I'm not strong here.
Thanks in advance.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

M

Maxim Grishin, 2017-11-30
@shambler81

For issuance - it is possible, for automatic issuance - no, because the user is a moving creature, and it will be necessary to carry the keys to the certificate behind him. The computer put its private key in the registry and nothing else is needed, and it will be enough for the user to change seats to lose his certificate. Then it will be inconvenient to follow them. In principle, it is still possible, only the user will have to follow his own PFX file himself, and import it to each PC on which he will work in Word and Outlook.
The signature requires trust, but how to get it if everything is self-signed? Anyone unsigned, changed, re-signed, and you're in trouble. So only AD CS, only hardcore :) (Any PKI service will do, but if you already have AD, you should use it to the maximum.)