DSA Certificate Authorities vs. 3rd Party CAs

The DocuSign Signature Appliance (DSA) allows the DSA customer to administer their own Certificate Authority (CA) and issue standard, compliant digital certificates for their domain where the certificates’ intended use is digital signatures. This CA capability has several unique advantages when it comes to the assurance of digital signatures.

What is a Certificate Authority (CA) in the DSA offering?
A CA is a set of standard-compliant technology that allows a domain authority to issue and manage certificates. Digital certificates are issued by the CA and may also be related to a chain of trust, comprised of the customer’s CA, the issued certificates, and other intermediate certificates in between.
For digital signatures, the CA generates signer certificates, which are then attached to a digital signature and distributed inside the document.

How does the DocuSign Signature Appliance work with Certificate Authorities?
Upon installation of a DSA system, by default a CA is established by the DSA system and following the customer’s policies. This is an organizational level or domain-specific CA issuing the certificates. This CA is designed to allow operators of the DSA system to issue signer certificates.

Differences Between the DSA CA capability vs. Self-Signed Certificates and Commercial Certificate Authority Services.
From a technical perspective, all certificate authorities used in digital signatures follow a common digital standard.  However, using the DSA CA provides for several advantages not seen in other certificates and certificate authorities.

A self-signed certificate is created by the signer where the signer assumes the role of both CA and certificate subject. Signatures created with self-signed certificates are considered the least assurance or no-assurance certificates, because during the certificate generation process, information related to the identity represented by the certificate is determined by whomever generates the certificate. In addition, self-signed certificates can be created by a few free PDF-viewer software applications.

A digital signature made with certificates issued by a commercial certificate authority relies on CAs pre-deployed on popular operating systems to issue signer certificates.  In other words, the burden of proving identity based on commercial CA services is on the that CA, and policies for establishing identity vary among these service providers that may not always be compatible with identity-screening policies in your organization.  However, this is another identity that can be purchased.

The DSA certificate-authority capability is used by the customer to establish an organization-level certificate authority for their domain.  The CA is created by and for your organization and thus takes advantage of several levels of security not available in the aforementioned methods.  Identity can now be provided via every method available to an organization, including identity information collected when a subject was being interviewed for hire. Upon hire, an employee provides information such as a government-issued picture ID, tax ID, education and professional certifications. Your company may also examine and hold information like background checks, address and telephone numbers as well as other information dictated by your organization’s policies.  All these checkpoints serve to gate employees prior to their enrollment in your domain and in the DSA system.  Meaning all these assurances can be provided to identify your signers and they in turn provide a very-high assurance level for certificates your company issues and the signatures your authorized signers make.  If an employee is terminated (or just loses signature privileges), their digital certificate and signing key may be revoked immediately under DSA vs. contacting a commercial CA for that task (several of which cannot revoke signing keys only certificates).  The DSA approach vests a very refined control of who is permitted to sign in your organization.  These methods are only strengthened by the DSA’s integration features, which allow you to synchronize an employee's signing account to their live status in your domain via popular network-directory systems like Microsoft Active Directory, which also makes certificate renewal frictionless.


Thank you,
The DocuSign Signature Appliance Group at DocuSign Support

Have an issue? To send us an email, please submit this form.