Question: Certificate from a trusted authority #1050

Open
desto12 opened this issue Mar 22, 2024 · 5 comments
Labels
Compliance Issues related to compliance management

Comments

@desto12

desto12 commented Mar 22, 2024

Hi,

At the beginning I want to say that Documenso is a really great tool, which is why I thought about using it to sign all my docs with a certificate bought from a trusted reseller. I was sure that I would get a certificate with a private key, but I got information from reseller support that the private key is on a physical cryptographic card that was sent to the certificate, and due to some legal regulations it is impossible to export this key, so I can't create a .p12.

So my question is: is it possible to somehow get a trusted cert with a private key? There are a lot of companies and services that allow signing documents with a trusted certificate; I don't believe that they are using crypto cards :)

@github-actions github-actions bot added the status: triage Scope to be determined label Mar 22, 2024

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as possible 💚

Meanwhile, please feel free to hop into our community in Discord

@ElTimuro
Member

@desto12 thanks, glad you like Documenso :)

  • About the cert: Yes, it is possible, though not all companies offer this. We got our cert from WiseKey
  • Happy to connect you to our contact if you like, but you could also just message them for an organizational cert (assuming you want your company name in there)
  • Let me know if there are more questions since this can be tricky. I'm more than happy to help, since this is partly why we started Documenso :)

@ElTimuro ElTimuro added Compliance Issues related to compliance management and removed status: triage Scope to be determined labels Mar 22, 2024
@tankerkiller125

@ElTimuro just a note on this issue from my experience working with multiple cert vendors.

The CAB Forum is getting significantly more strict about how CAs are allowed to issue certificates that have significant security or legal implications (Document Signing, Code Signing, etc.) and are beginning to force CAs to require Yubikey/HSM installs only.

As an example, in trying to get a new Code Signing certificate I spoke to 5 different providers and all of them told me that my only option was an HSM, or purchasing a Yubikey with the certificate installed for each developer who needed access. In the end we ended up using the Azure Key Vault HSM since that's our preferred cloud vendor.

I think long term, Documenso may be forced to add more HSM/Cloud HSM options to the signing logic. I see that Google Cloud HSM was recently introduced, and I think that's a great start, but Azure and AWS at minimum will probably also have to be added.

I tried to find the library/code used for the signing to potentially contribute Azure HSM functionality, but it appears that the code for that isn't public on GitHub?

@ElTimuro
Member

  • Yes, I think so too

  • offering the high security HSM setups with minimal hassle is part of our mission and we will add as needed/requested going forward

  • the reason you can't see the signing code is because we recently moved to a new, homegrown Rust-based signing library that we will Open Source shortly 🙌

  • we created this library to better support cases like HSM signing
