We are a global enterprise with thousands of employees worldwide. We have our own PKI infrastructure which is trusted internally by our systems but unknown externally.
We sign contracts with our clients. There is an ongoing "paperless" project which aims to abandon physical contracts and use electronic ones instead.
My management is asking me to implement digital signatures on such contracts, using our own PKI infrastructure.
My question is, do the digital signatures produced using our PKI have any added value? Or do we absolutely need to use a PKI/CA that is trusted worldwide (like Digicert or Verisign)?
Value to whom?
The point of a public key infrastructure is to create a chain of trust. Someone who trusts your CA will trust all certificates issued by that CA, and therefore also trust the digital signature issued with those certificates. So if your counterparts do trust your CA, then a signature issued by it has value. If not, not.
So the question you should be asking is: What reason do people outside of your organisation have to trust that your CA follows any sort of standard in issuing, managing and revoking certificates?
The point of using a third party signing service is that the third party then should have been audited by a trusted entity so that both you and the other relevant parties have a good reason to trust them. If you're in the EU, there are specific rules set up by eIDAS for what's called "(Qualified) Trust Services Providers", and companies who want to issue signatures trusted according to that ruleset need to be audited specifically against those rules.
You should also note that the certificates used for web servers usually aren't usable for digital signature of documents.
If this answer seems unclear, it's probably because this is a huge question, and any answer will basically need a thorough understanding of your requirements and current PKI systems as well as the guidelines, rules and laws applicable to you and your counterparts. If you don't have anyone within your company with that knowledge, I strongly suggest that you use outside expertise. It's going to be expensive, but a lot less expensive than finding out in court several years from now that some signature isn't legally valid when you thought it was.
Electronically, trust is established by using Digital Signature Certificates. Therefore, you may procure DSCs from any of the globally trusted Certifying Authorities.