A QSCD can be deployed as a cloud service as long as it meets the required standards. I am not looking, as such, to create one for legislative reasons, but rather as a way for my software to be able to prove that the certificate came from us.
The idea is to create a PKI where the QSCD 'issues' the user the keys, which are then used to electronically sign a PDF file. If the public key can decode the file, it proves that it did come from that user (in this case it will be a bot account that signs certificates).
I have found online solutions that charge you for such services, but I wanted to know how to create my own solution. I came across the openssl_* functions as a way to achieve this, and took a look at a few answers to find out how to create these keys.
The part I am now stuck on is how to load a PDF document, use the private key to electronically sign it, export the new PDF file, and then decrypt it with the public key to ensure that it hasn't been tampered with.
My current attempt looks like this:
<?php
$config = array(
    "digest_alg"       => 'sha512',
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA
);
$keyPair = openssl_pkey_new($config);
$privateKey = NULL;
openssl_pkey_export($keyPair, $privateKey);      // PEM-encoded private key
$keyDetails = openssl_pkey_get_details($keyPair);
$publicKey = $keyDetails['key'];                  // PEM-encoded public key
openssl_pkcs7_sign("toSign.pdf", "signed.pdf");   // how to sign using the private key?
openssl_public_decrypt("signed.pdf", $decrypted, $publicKey);
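The following is an added worked example, not the poster's code, that carries the three steps asked about (generate the keys and a certificate, sign the PDF with the private key, check it with the public key) through to a verifiable result. Two points a practitioner would want to know before copying it: a signature is verified with openssl_verify()/openssl_pkcs7_verify(), not "decrypted" with openssl_public_decrypt(), which is a raw RSA primitive that only operates on short blocks; and openssl_pkcs7_sign() produces a detached PKCS#7 (S/MIME) container around the PDF, not a PDF with an embedded (PAdES) signature that Acrobat would display as signed. File names, the certificate subject and the 365-day validity are assumptions.

```php
<?php
// Added example (not the original poster's code). Assumed names: toSign.pdf,
// signer.key, signer.crt, toSign.pdf.sig, toSign.pdf.p7m; assumed subject DN below.

$config = [
    'digest_alg'       => 'sha512',
    'private_key_bits' => 4096,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
];

// 1. Key pair plus a self-signed X.509 certificate for the signing bot.
//    openssl_pkcs7_sign() needs a certificate, not a bare public key.
$privateKey = openssl_pkey_new($config);
if ($privateKey === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$dn   = ['commonName' => 'pdf-signer-bot', 'organizationName' => 'Example Org']; // assumed
$csr  = openssl_csr_new($dn, $privateKey, $config);
$cert = openssl_csr_sign($csr, null, $privateKey, 365, $config); // null issuer = self-signed

openssl_pkey_export($privateKey, $privateKeyPem);
openssl_x509_export($cert, $certPem);
file_put_contents('signer.key', $privateKeyPem); // stays on the signing host only
file_put_contents('signer.crt', $certPem);       // this is what verifiers are given
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

// 2. Detached raw RSA signature over the PDF bytes; the PDF itself is left untouched.
$pdfBytes = file_get_contents('toSign.pdf');
if (!openssl_sign($pdfBytes, $signature, $privateKey, OPENSSL_ALGO_SHA512)) {
    throw new RuntimeException('signing failed: ' . openssl_error_string());
}
file_put_contents('toSign.pdf.sig', $signature);

// Verification needs only the public key: 1 = valid, 0 = tampered or wrong key, -1 = error.
$valid = openssl_verify($pdfBytes, $signature, $publicKeyPem, OPENSSL_ALGO_SHA512);
var_dump($valid === 1); // bool(true)

// Flipping a single byte of the document must make the same signature fail.
$tampered    = $pdfBytes;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
var_dump(openssl_verify($tampered, $signature, $publicKeyPem, OPENSSL_ALGO_SHA512) === 1); // bool(false)

// 3. Detached PKCS#7/CMS signature. The output is an S/MIME message wrapping the PDF,
//    not a PDF with an embedded signature.
$signed = openssl_pkcs7_sign(
    'toSign.pdf',
    'toSign.pdf.p7m',
    $cert,
    $privateKey,
    [],                            // no extra MIME headers
    PKCS7_DETACHED | PKCS7_BINARY  // BINARY: do not canonicalise line endings of the PDF
);
if (!$signed) {
    throw new RuntimeException('pkcs7 signing failed: ' . openssl_error_string());
}

// Verify against our own certificate as the only trust anchor, so a message signed with
// some other key/certificate is rejected. Never pass PKCS7_NOVERIFY here: that skips the
// chain check and any self-signed certificate embedded in the message would be accepted.
$ok = openssl_pkcs7_verify('toSign.pdf.p7m', PKCS7_BINARY, null, ['signer.crt']);
var_dump($ok === true); // bool(true)
```

The raw-signature path (step 2) is the one that matches "prove the file came from our bot and was not changed": ship toSign.pdf, toSign.pdf.sig and signer.crt, and the receiving side runs openssl_verify() with the public key from the certificate. The PKCS#7 path is what openssl_pkcs7_sign() actually gives you; if the requirement is a signature that PDF readers display, a PDF library that writes a PAdES/CMS signature into the document is needed on top of these primitives.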