iText:人们使用什么类型的证书在Linux上自动化PDF签名? [英] iText: what type of certificates do people use to automate PDF signing on Linux?
问题描述
我有一个低容量(<500 PDFs /年)应用程序,用于在Linux上使用Java中的iText进行PDF文件的自动化数字签名。
I have a low volume (<500 PDFs/year) application for automated digital-signing of PDF files using iText in Java on Linux.
我有iText使用SSL证书将数字签名添加到PDF。这是一个有效的方法来证明PDF是由我的域(例如服务器)生成的?
I've got iText adding a digital signature to PDFs using my SSL certificate. Is this a valid method to prove the PDF was generated by my domain (e.g. server)? Can it be used somehow to get the green checkmarks showing "trust" in Adobe Reader?
如果没有,我应该使用一个用于PDF的证书(例如不是我的SSL证书),以便当用户打开PDF文档时,自然地出现指示信任的小绿色复选标记。
If not, I should use a certificate intended for PDFs (e.g. not my SSL certificate), so that the little green checkmarks indicating "trust" appear naturally when the user opens the PDF document.
The book http://itextpdf.com/book/digitalsignatures does a great job introducing this topic to me (I have very little experience in this area).
这本书讲述了一个SafeNet Luna设备(一个HSM),但是它太贵了。我只需要一个最小的解决方案,Luna有很多的钟声和口哨。 Luna PCIe 设备较少昂贵,但我不需要任何功能,除了提供证书,我可以使用签署。此外,基于USB的SafeNet iKey 设备似乎只是销售到Windows设备。有谁有iKey使用Linux?是甚么可能?其他公司是否提供在Linux上运行的基于USB的设备?
The book talks about a SafeNet Luna device (an HSM), but's it is much too expensive. I only require a minimal solution, and the Luna has a lot of bells and whistles. The Luna PCIe device is less expensive, but I don't require any features other than providing a certificate I can use to sign. Also, the USB-based SafeNet iKey device seems only to be marketed to Windows devices. Has anyone got iKey working with Linux? Is it even possible? Do other companies offer USB based devices that work on Linux?
我正在寻找一个用于在Linux上提供自动数字签名的PDF的最小解决方案。我相信很多小企业都有类似的需求。我只是试图利用现有的知识。人们如何解决这个问题?
I'm looking for a minimal solution for serving automated digitally signed PDFs on a Linux box. I'm sure a lot of small businesses have similar needs. I'm just trying to tap into existing knowledge out there. How do people solve this problem?
我看到的用于自动化此过程的解决方案假设使用Adobe Live Cycle的大公司,并相应地定价(参见例如: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html )。但是小型企业也需要自动化。
The solutions I see for automating this process assume large corporations using Adobe Live Cycle, and priced accordingly (see for example: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html). But small businesses need to automate things too.
理想情况下,某人会出售类似于SSL证书的证书,但是对于PDF文件。是否有这样的事情?
Ideally someone would sell a certificate similar to the SSL certificates, but for PDF files. Is there such a thing?
是硬件(某种类)的要求(似乎)?如果硬件是一个要求,有没有任何最小的解决方案(例如有限的功能,而不是启用数字签名)?
Is hardware (of some sort) a requirement (seems so)? If hardware is a requirement, are there any minimal solutions out there (e.g. with limited functionality other than enabling digital signing)?
希望有人能帮我从树上看到森林。
Hoping someone can help me see the forest from the trees. What's the conventional wisdom?
推荐答案
关于使用SSL证书签名:在未来的iText版本中,证书的使用表示证书可以用于不可否认。现在,我们检查密钥使用对开发人员的责任,但在一个完美的世界,你应该只签署适合不可否认的证书,你的SSL证书可能不允许这样。
Regarding signing with your SSL certificate: in a future iText version, we make require that the key-usage of the certificate indicates that the certificate can be used for non-repudiation. For now, we make checking the key-usage the responsibility for the developer, but in a perfect world, you should only sign with certificates suited for non-repudiation, and your SSL certificate probably doesn't allow this.
关于绿色复选标记:除非您可以要求您的PDF的消费者将您的证书的根证书添加到受信任的身份列表中,否则您总是需要一个公共/私有密钥存储在硬件上以获得绿色复选标记。
Regarding the green check mark: unless you can ask the consumers of your PDFs to add the root certificate of your certificate to the list of trusted identities, you'll always need a public/private key stored on hardware to get a green check mark.
关于HSM / USB密钥的价格。 USB钥匙便宜得多,但通常它们是手动使用的(通常他们每秒只能签名一次)。我认为GlobalSign有一种在Linux上工作的密钥。至于HSM,我们的一个客户告诉我们,他从Utimaco购买了一个,因为它更便宜(但我不知道他有什么预算或花费)。
Regarding the price of an HSM / USB key. USB keys are much cheaper, but usually they are meant for manual use (usually they have a limit of signing only once every second). I think that GlobalSign has a flavor of keys that work on Linux. As for HSMs, one of our customers told us that he bought one from Utimaco because it was less expensive (but I don't know what budget he had or spent).
没有价格信息,但也许是一个好的阅读灵感: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
No price info, but maybe a good read for inspiration: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
这篇关于iText:人们使用什么类型的证书在Linux上自动化PDF签名?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
