In order to onboard users, we have to identify them and they need to sign a contract (through our web application). The signed contract must be compliant with eIDAS AdES, so a PAdES.
The users are identified either through SPID or onfido (but it could be any other KYC service).
What do we need to do in order to produce a valid PAdES? Can we produce one on our own, without a third party?
For what I understood, we can't create a signed PDF because we don't have the private key of the user. If we create a self-signed certificate, the signature would not be valid and we would be able to prove nothing.
Document signing in KYC compliant process usually requires a qualified signature. "Qualified signature" in all cases is created on QSCD device listed in the EU QSCD list. I work for company that has a component that enables signing od PDF or XML files according the PADES and XADES signature standards using user x.509 certificate (stored on card, USB roken or in local certificate store on the OS) that enables web applications to get signed document or just CADES signature with few lines of code. Most important works on most modern browsers on both Windows and MacOS operating systems. If you are interested please check our PDF Signing Extension developer portal https://developers.nextsense.com for more details.