Best Practice of Server Signing utilizing EJBCA

[surtan02]

I am developing an application to digitally sign a PDF on the server. I am using EJBCA for the key pair and certificate enrollment. The question is: what is the best practice I need to do to access the private key of each user so I can sign the file on my server? I hope users don't need to upload or input anything except the password and the pdf file.

Should I access the private key directly to the database (which I don't really know if is possible) or is there any other way?

Thank you for the help

[primetomas]

That would be a feature in your signing application. You can look at how SignServer does it for example.
https://www.signserver.org/.
The user will not access the CAs private keys. A signing application can be developed in many many different ways. SignServer is one good example, but there are other ways,

[surtan02]

Thanks for the answer. I am pretty new to this domain, so I am still figuring out how these things work, and I found a way to use the PCK12 file for signing. I know when a user or end-entity requests a new certificate with EJBCA, it will generate a .p12 file for the user to keep. Does the generated .p12 file also stored in the database that I configured for my EJBCA? If the answer is yes, could you tell me in which table the file is stored? By doing so, users do not need to upload the P12 to my app because I alrd have the access to it.

[merryo11]

I believe from security and legal point of few this is not a good idea to have users private keys in your custody. If you have a certified
standard and secure remote signing application then yes you can do that but again you have very tight control on keys access and their usage.

Secondly as per my understanding the sign server is used for organization level signing i.e. you can a certificate of your organization created on sign server which then be used for pdf but pdf signing by end users is not supported i believe.

[primetomas]

Agree @merryo11, for signature use cases it is not normal to store the p12 on the server as well. For encryption use cases you can configure EJBCA for Key Recovery, where it's stored on the server (but not as a p12 you have access to) in order to be able to recover encrypted data if the user looses it's key.
https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/key-recovery
But this is typically not used for signature use cases.

The most common way to use signserver is for organization signatures. But it can be used used for individual signatures as well keeping many keys with individual activation codes. For eIDAS use cases this connects to an eIDAS HSM. Other solutions are built on top of this. See for example: https://www.czertainly.com/platform/digital-signatures for a comprehensive solution.

Remote Digital signature solutions are complicated and you need to study a lot about it. It is security critical and a lot of things that can be done wrongly. I would suggest using an existing solution if you can find something that matches your use case.