How to make a valid signature using let's encrypt/other trusted certificates bought from the internet

[Vishwamithra37]

Does anyone know the exac process of doing this?

[MatthiasValvekens]

I'm not sure if you intended it like that, but this is an extremely broad question, and the answer is mostly out of scope for this forum anyhow. But I'll try to give you a few pointers anyway.

First, ask yourself what you're trying to accomplish:

• Are you catering towards private/internal PKI for individual companies? Then you don't have to care about any of this stuff.
• Do you want signatures that are trusted by Adobe Acrobat users? Then you need a cert that paths up to a root on the AATL. In this case, googling "document signing certificate" should help you find a vendor.
• If you are working in some specific legal framework (e.g. eIDAS in Europe), then things are potentially very different. That said, if that were the case, you probably wouldn't be asking this question. ;)

In addition, you'll also need to figure out key usage: do you need nonRepudiation? Specific EKUs? So, figuring out what kind of assurances you need to provide, and to whom you're providing them (who is the signer? who needs to be able to validate?) is a crucial first step here.

The signing process itself also is not set in stone. Chances are that you'll need to talk to a piece of hardware or a remote signer to actually perform the signature operations. PyHanko can do all of that, but the implementation can be very vendor-dependent.

By the way, don't even think about using Let's Encrypt certs for document signing. Let's Encrypt was set up to perform cheap domain validation. Identity verification (which is what you need to issue document signing certs) is not something they do, and would be very difficult if not impossible to provide for free. A properly configured PDF signature validator will not consider their certificates valid for document signing use. The same goes for other TLS/SSL certificates, by the way.

---

TL;DR: (a) it depends on the use case and applicable legal framework, (b) pretty much none of this is pyHanko-specific and (c) forget about trying to use TLS certs.