Tags: pdf, itext, hsm, aatl

Obtaining an AATL certificate to use in my cloud-based service


I'm looking to obtain a certificate from an AATL authority to use in iText to perform tamper-proofing signatures to PDF documents as part of a cloud application that I'm working on.

As best as I'm able to determine, AATL certificates can be delivered as USB HSMs to customers after a standard Adobe AATL verification process. Unfortunately, this restricts the usage to devices I have physical access to, which obviously isn't feasible for a cloud application.

I've been trying to research what my best options are on this front, but haven't been able to find any clear guidance on best practices or impartial sources for knowledge. I've come up with two possible ideas to illustrate in slightly more concrete terms what I am looking for.

Obviously any answer that results in the same outcome of either of these ideas is more than welcome as well!


1st Idea

Is there any way for me to obtain an AATL certificate by generating a CSR from Azure Key Vault, or Azure HSM (Gemalto), and having an AATL provider issue their response such that the certificate is loaded into Azure's standards-compliant store?

By doing this, my hope would be that I could then code my Application using the Azure Key Vault APIs or the Gemalto HSM to perform signatures.
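The signing half of this idea, as an added illustration that is not part of the original question or of iText's or Azure's own documentation: iText 7's `IExternalSignature` lets the PDF hash be signed by something other than a local `PrivateKey`, so the HSM-backed key in Key Vault never has to leave the vault. The key identifier, the `chain.pem` / `input.pdf` / `signed.pdf` paths and the field name are placeholders; the code assumes the iText 7 `PdfSigner` API and the `azure-security-keyvault-keys` 4.x `CryptographyClient` API.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.SignatureAlgorithm;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.kernel.pdf.StampingProperties;
import com.itextpdf.signatures.BouncyCastleDigest;
import com.itextpdf.signatures.IExternalSignature;
import com.itextpdf.signatures.PdfSigner;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/** iText external signer whose private key lives in an Azure Key Vault HSM-backed key. */
public class KeyVaultExternalSignature implements IExternalSignature {
    private final CryptographyClient crypto;

    /** keyId is a placeholder such as https://<vault>.vault.azure.net/keys/<name>/<version>. */
    public KeyVaultExternalSignature(String keyId) {
        this.crypto = new CryptographyClientBuilder()
                .keyIdentifier(keyId)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }

    @Override public String getHashAlgorithm() { return "SHA-256"; }

    @Override public String getEncryptionAlgorithm() { return "RSA"; }

    @Override
    public byte[] sign(byte[] message) throws GeneralSecurityException {
        // Key Vault's sign operation takes a digest, not the raw data:
        // hash locally, let the HSM produce the PKCS#1 v1.5 RSA signature (RS256).
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(message);
        return crypto.sign(SignatureAlgorithm.RS256, digest).getSignature();
    }

    public static void main(String[] args) throws Exception {
        String keyId = args[0]; // placeholder Key Vault key identifier

        // Chain as returned by the AATL CA, signer certificate first (placeholder path).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (FileInputStream in = new FileInputStream("chain.pem")) {
            certs = cf.generateCertificates(in);
        }
        Certificate[] chain = certs.toArray(new Certificate[0]);

        // Append-mode stamping keeps earlier revisions (and earlier signatures) intact.
        PdfReader reader = new PdfReader("input.pdf");
        try (FileOutputStream out = new FileOutputStream("signed.pdf")) {
            PdfSigner signer = new PdfSigner(reader, out, new StampingProperties().useAppendMode());
            signer.setFieldName("Signature1");
            signer.signDetached(new BouncyCastleDigest(),
                    new KeyVaultExternalSignature(keyId),
                    chain, null, null, null, 0, PdfSigner.CryptoStandard.CMS);
        }
    }
}
```

Because only the digest crosses the network, the document itself never reaches Key Vault, and the Key Vault access policy (or RBAC role) can be limited to the `sign` key permission for the application's identity.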


2nd Idea

If a USB HSM is my best option, is it possible to derive another certificate from my USB HSM and then load that into Azure Key Vault? Will a key derived from one issued to my company by an AATL authority still pass Acrobat (and any other) authenticity checks? Or will any certificate with intermediaries between it and the AATL authority fail?


Solution

  • I've been digging into this since I have a very similar requirement at the moment. YES it is possible to store an AATL Document Signing certificate in Azure KeyVault because it is a FIPS 140-2 level 2 compliant HSM. You do not need the dedicated HSM although it is also supported (Azure dedicated HSM is FIPS 140-2 level 3 compliant).

    As for the process, you are correct that you would need to issue a CSR from KeyVault directly. If your certificate is delivered on a USB HSM, you will not be able to transfer it to Azure KeyVault since it will be locked to the HSM.

    I do not want to list any certificate providers in this answer but I was easily able to find at least 4 that supported my use-case with a quick Google search. I'm currently in the process of getting quotes from each of these vendors.
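The CSR-from-Key-Vault process the answer describes, as an added example (not code from the answer's author, from Adobe, or from Microsoft): the certificate is created against the built-in `Unknown` issuer, which makes Key Vault generate the key pair inside its HSM, hold a pending operation and expose a CSR; once the AATL provider returns the signed certificate, the chain is merged back into the same certificate object. The vault URL, certificate name and subject are placeholders, and the method names assume the `azure-security-keyvault-certificates` 4.x SDK.

```java
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.certificates.CertificateClient;
import com.azure.security.keyvault.certificates.CertificateClientBuilder;
import com.azure.security.keyvault.certificates.models.CertificateKeyType;
import com.azure.security.keyvault.certificates.models.CertificateKeyUsage;
import com.azure.security.keyvault.certificates.models.CertificateOperation;
import com.azure.security.keyvault.certificates.models.CertificatePolicy;
import com.azure.security.keyvault.certificates.models.KeyVaultCertificateWithPolicy;
import com.azure.security.keyvault.certificates.models.MergeCertificateOptions;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Two-step issuance of an externally signed (e.g. AATL) certificate on a Key Vault HSM key. */
public class KeyVaultAatlCsr {
    private final CertificateClient client;

    /** vaultUrl is a placeholder such as https://<vault>.vault.azure.net/ */
    public KeyVaultAatlCsr(String vaultUrl) {
        this.client = new CertificateClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }

    /** Step 1: generate the key pair in the HSM and return a PEM CSR for the AATL provider. */
    public String createCsr(String certName, String subjectDn) {
        CertificatePolicy policy = new CertificatePolicy("Unknown", subjectDn) // external CA
                .setKeyType(CertificateKeyType.RSA_HSM)   // key material stays in the HSM
                .setKeySize(2048)
                .setExportable(false)                     // private key can never be exported
                .setKeyUsage(CertificateKeyUsage.DIGITAL_SIGNATURE,
                             CertificateKeyUsage.NON_REPUDIATION);

        SyncPoller<CertificateOperation, KeyVaultCertificateWithPolicy> poller =
                client.beginCreateCertificate(certName, policy);
        // With issuer "Unknown" the operation stays pending; the CSR is available immediately.
        CertificateOperation op = poller.poll().getValue();
        return toPem("CERTIFICATE REQUEST", op.getCsr());
    }

    /** Step 2: after vetting, merge the issued chain (leaf first) onto the pending key. */
    public KeyVaultCertificateWithPolicy mergeIssued(String certName, List<Path> derFiles) throws Exception {
        List<byte[]> chain = new ArrayList<>();
        for (Path p : derFiles) {
            chain.add(Files.readAllBytes(p));
        }
        return client.mergeCertificate(new MergeCertificateOptions(certName, chain));
    }

    private static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        KeyVaultAatlCsr kv = new KeyVaultAatlCsr(args[0]); // placeholder vault URL
        String certName = args[1];                          // placeholder certificate name
        if ("csr".equals(args[2])) {
            // Subject DN is a placeholder; the AATL provider dictates the required fields.
            System.out.print(kv.createCsr(certName, "CN=Example Corp,O=Example Corp,C=US"));
        } else {
            List<Path> files = new ArrayList<>();
            for (int i = 3; i < args.length; i++) {
                files.add(Path.of(args[i]));
            }
            KeyVaultCertificateWithPolicy cert = kv.mergeIssued(certName, files);
            // The merged certificate's key identifier is what the signing code uses afterwards.
            System.out.println("Merged; key id: " + cert.getKeyId());
        }
    }
}
```

After the merge, the certificate's key identifier points at the same HSM-backed, non-exportable key that produced the CSR, which is exactly what an AATL provider's "private key generated and held in a compliant HSM" requirement is about; an audit of the vault's key operations (`sign` only, no `export`) is a reasonable thing to keep alongside the issuance paperwork.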