Reputation: 13
We have a web service that exchanges data via XML documents with a vendor. Each vendor needs to digitally sign the XML document to ensure the integrity of the data transmitted for audit purposes. I am unclear as to which type of certificate I need to buy from the major third-party CAs to meet this requirement. Code signing seems to be the right approach, but XML is not listed on any of the sites. Can anyone provide some guidance on this?
Upvotes: 1
Views: 1811
Reputation: 49104
You need an X.509 certificate (they're all X.509 certs) that includes "Digital Signature" as one of the values in the "Key usage" field. Also known as a digital signature cert.
While a single X.509 cert can include many different uses in the "Key usage" field, most Certification Authorities (CAs) only issue certs for a single or closely related usage. See possible Key usage values from Microsoft and from section 4.2.1.3 of the standard.
Almost all CAs will sell you a Digital Signature cert, but they're often hard to find since they are not top sellers (the certs for SSL are the big sellers).
Here's one CA that lists them out nicely: GlobalSign
Added: You don't want or need a code signing certificate.
Also, you should check how the recipient will verify your digital signature and what trust chain, if any, is needed. E.g., you may be able to use a self-signed certificate if you have already established a trust relationship with the web service.
Upvotes: 2
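To check whether a given certificate actually asserts "Digital Signature", the Key usage extension from section 4.2.1.3 can be decoded directly. The following is an added example, not part of the answer above; the function names are hypothetical and the hex samples are constructed KeyUsage values (the DER BIT STRING inside the extension), not taken from real certificates.

```python
# Added example: decode an X.509 KeyUsage extension value (RFC 5280, 4.2.1.3).
# Input is the DER BIT STRING carried inside the extension's extnValue.

# Bit 0 is the MOST significant bit of the first content byte.
KEY_USAGE_BITS = (
    "digitalSignature",  # bit 0
    "nonRepudiation",    # bit 1 (renamed contentCommitment in later X.509 editions)
    "keyEncipherment",   # bit 2
    "dataEncipherment",  # bit 3
    "keyAgreement",      # bit 4
    "keyCertSign",       # bit 5
    "cRLSign",           # bit 6
    "encipherOnly",      # bit 7
    "decipherOnly",      # bit 8
)

def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits count")
    usages = set()
    for i in range(len(payload) * 8 - unused):
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for KeyUsage" % i)
            usages.add(KEY_USAGE_BITS[i])
    return usages

def usable_for_document_signing(der: bytes) -> bool:
    """True when the certificate's KeyUsage permits signing data such as XML."""
    return "digitalSignature" in decode_key_usage(der)

# Constructed sample values, labelled by the kind of cert that typically carries them.
SAMPLES = {
    "signing cert": bytes.fromhex("030206c0"),
    "TLS server cert": bytes.fromhex("030205a0"),
    "CA cert": bytes.fromhex("03020106"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        ok = usable_for_document_signing(value)
        print(label, sorted(decode_key_usage(value)), "OK" if ok else "NOT for signing")
```

The raw extension bytes can be read from a certificate with any ASN.1 viewer; `openssl x509 -noout -text` prints the same information under "X509v3 Key Usage".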