Digital certificates are issued by the users themselves (called self-signed certificates), an internal public key infrastructure (PKI) such as Microsoft Certificate Services, or a third-party Certification Authority (CA) such as VeriSign. Self-signed certificates are created automatically in Word 2007 if no appropriate certificate is found on the system. The disadvantage is that users who receive self-signed documents must decide for themselves whether to trust the certificate. Therefore, self-signed certificates are best for personal use or within small businesses, where document recipients are likely to know the author.
Internal PKIs are useful when most documents that need to be signed are being sent within an organization. Active Directory (AD)-integrated PKIs provide a complete solution in which certificates can automatically be assigned to users and/or computers. However, configuring and maintaining your own PKI can incur extra administrative overhead and cost, and individuals outside your organization might not know whether to trust documents whose signature is guaranteed by your internal PKI.
Third-party CAs provide certificates that are automatically trusted by Windows systems, as their root CA certificates are installed by default, allowing users to share signed documents with users outside of the organization. Third-party certificates come in different classes, offering varying levels of assurance.