We wan’t to sign our PDF documents using TCPDF. This does work so far using setSignature() and a self-signed certificate. For the purpose of full validation in Acrobat Reader, we want to use a certificate of a CA that is contained in Adobe AATL (for example see certificate from Sectigo). But these certificates are issued on USB hardware tokens only.
The signing is done on a headless webserver running PHP on Debian 11. What options do we have to get this up and running?Can the certificate and private key be extracted from such USB devices? Or is there any chance to talk to the USB device on-the-fly via PHP?
There don’t seems to be any guides for this use case. Using a cloud service for signing is not an option.