I should first note that we have nobody in IT with significant familiarity with self-signed certification. We have a moderately sprawling network (one forest, many locations), and we are now rolling out internal code signing; until now users have run untrusted code, or we even disabled(!) the warnings. Intranet applications, scripts, and sites will now be signed with self certification.
I am aware of two obvious ways we can deploy this: Distributing the keys directly via a group policy, and setting up a cert server. Can someone explain the trade-offs between these two methods? How many certs before the group policy method is unwieldy? Are they large enough that remote users will have issues? Does the group policy method distribute duplicates on every login? Is there a better method I am not aware of?
I can find a lot of documentation on certifications and various ways to create them, but I have not been able to find something that summarizes the difference between the distribution methods and what criteria make one or the other superior.
You're in a tough spot - it's usually helpful to have/consult with someone with PKI experience because it's easy to, um, screw things up big time. With that said, there are quite a few resources available for public consumption and MS has improved ADCS since the Server 2000 days.
To leverage code signing certs, you'll need a CA infrastructure, which is separate from cert/key distribution. Without a cert server (hosted or your own), there are no keys to distribute. I'm assuming you're comparing a hosted service vs rolling your own.
I'd recommend looking at hosted/managed solutions if your org doesn't have the skills/expertise to roll your own. This is especially important if you plan to sign code that will be distributed to the public. Companies like Symantec (owns Verisign, Thawte, and GeoTrust), Entrust, Comodo, GoDaddy, DigiCert, and any other public Certificate Authority (CA) will offer code signing certs for an annual fee. The benefit is that you just need to figure out where to put it and how many code signing certs you need. The costs will be a bit higher than rolling your own, but if you intend to distribute public code, then this is your best option. If anything, I'd recommend looking at Verisign's products because they have the greatest compatibility with legacy keystores. Newer CAs may support 99% of modern browsers, but may not work right with older versions or with different keystores (JKS, for example).
If the code is for internal use and the cost of a managed CA is too high, then you can roll your own infrastructure. This includes setting up a CA (ADCS, OpenSSL-based, RSA, Entrust) and building the distribution channel. Group Policy simplifies distributing the CA certs as well as cert enrollment. Brian Komar has published a few books on Microsoft's Certificate Services. Komar offers comprehensive coverage of the subject, so I'd recommend someone get a copy before they begin setting up your own CA infrastructure.
HTH
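As an added example (not part of the answer above, and not from any of the vendors it names), here is the end-to-end flow the answer describes for an internal ADCS setup: publish the enterprise root so domain members trust it, enroll a code-signing cert from a template, sign a script with a timestamp, and check the result. The file names (RootCA.cer, CodeSigning.cer, Deploy-App.ps1), the template name InternalCodeSigning and the timestamp URL are assumptions; substitute your own.

```powershell
# Added example, not from the original answer. Assumed names: .\RootCA.cer,
# .\CodeSigning.cer, template "InternalCodeSigning", .\Deploy-App.ps1, and the
# timestamp URL. Run steps 1 and 3 as an account with the matching AD/CA rights.

# 1. Publish the enterprise root CA cert into Active Directory. Domain-joined
#    machines pull it into their Trusted Root store on their own (via the same
#    autoenrollment mechanism Group Policy uses), so the root itself does not
#    have to be pushed as a file through a GPO. Requires Enterprise Admin rights.
certutil -dspublish -f .\RootCA.cer RootCA

# 2. What a "Trusted Root Certification Authorities" / "Trusted Publishers" GPO
#    does on each client, done by hand on one test machine. Trusted Publishers
#    is where the *signing* cert goes so signed scripts run without prompting
#    under an AllSigned execution policy.
Import-Certificate -FilePath .\RootCA.cer      -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath .\CodeSigning.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher

# 3. Enroll a code-signing cert from the ADCS template (the template must grant
#    the requesting user Enroll permission; this is the cert-server path).
$enrollment  = Get-Certificate -Template InternalCodeSigning -CertStoreLocation Cert:\CurrentUser\My
$signingCert = $enrollment.Certificate

# 4. Sign the script. The timestamp lets the signature stay valid after the
#    signing cert expires; SHA256 avoids SHA1 signatures on current Windows.
Set-AuthenticodeSignature -FilePath .\Deploy-App.ps1 -Certificate $signingCert `
    -TimestampServer 'http://timestamp.example.internal' -HashAlgorithm SHA256

# 5. Verify. Status must be "Valid". "UnknownError" usually means the chain does
#    not reach a trusted root on this machine; "HashMismatch" means the file
#    changed after it was signed; "NotSigned" means the signature block is missing.
$sig = Get-AuthenticodeSignature -FilePath .\Deploy-App.ps1
'{0}: {1} (signer: {2})' -f $sig.Path, $sig.Status, $sig.SignerCertificate.Subject
```

Step 5 is the check to run on a client in a different site before rolling the policy out: if the root was published correctly, Status is Valid there without any manual import, which is what the "distribute via GPO vs. cert server" question really turns on.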
If you are simply needing code signing info, I work with Bruce and he has put together an on-going series on that subject. http://ssl.entrust.net/blog/?p=908
If you are needing a full PKI deployment there are options for on-premise and managed service. I will say that working for Entrust we would be happy to help where we can, but at the minimum I wanted to share Bruce's Code Signing blogs that may help with information gathering.
Good Luck