Digital Signatures Using Entreprise PKI

Solution 1:

My question is, do the digital signatures produced using our PKI have any added value ?

Value to whom?

The point of a public key infrastructure is to create a chain of trust. Someone who trusts your CA will trust all certificates issued by that CA, and therefore also trust the digital signature issued with those certificates. So if your counterparts do trust your CA, then a signature issued by it has value. If not, not.

So the question you should be asking is: What reason do people outside of your organisation have to trust that your CA follows any sort of standard in issuing, managing and revoking certificates?

The point of using a third party signing service is that the third party then should have been audited by a trusted entity so that both you and the other relevant parties have a good reason to trust them. If you're in the EU, there are specific rules set up by eIDAS for what's called "(Qualified) Trust Services Providers", and companies who want to issue signatures trusted according to that ruleset need to be audited specifically against those rules.

You should also note that the certificates used for web servers usually aren't usable for digital signature of documents.

If this answer seems unclear, it's probably because this is a huge question, and any answer will basically need a thorough understanding of your requirements and current PKI systems as well as the guidelines, rules and laws applicable to you and your counterparts. If you don't have anyone within your company with that knowledge, I strongly suggest that you use outside expertise. It's going to be expensive, but a lot less expensive than finding out in court several years from now that some signature isn't legally valid when you thought it was.