Channel: Bountied questions - Information Security Stack Exchange

eIDAS-compliant advanced digital signature in company name


The company I work for is developing a digital signature application very similar to DocuSign, but we aim to make our signatures eIDAS compliant.

For the first version we aim to do the same thing DocuSign does with its basic signing process. We define the recipients, documents and fields, and then the documents go into the signing process where each recipient has to populate the fields and add their signature. I have looked into what the end result of the document is after the DocuSign process is finished, and there is only 1 actual digital signature added to the document, which is based on DocuSign's certificate. Even if there are 10 signers, each document will have only 1 invisible digital signature from DocuSign, and the signatures that users add to the document are just embedded drawings.

If I understand this correctly, DocuSign is just adding that signature for the purpose of securing the document and not to actually prove the authenticity of the signers. I am aware they handle that authentication on the application level, but to be compliant with eIDAS the signature itself and the certificate need to be able to prove that. Running a DocuSign document through the eIDAS DSS validator will therefore give an invalid result, while validating it in, for example, Acrobat will give a valid one.

As I said before, we aim to do the same thing for the first version of our application, meaning we will not handle qualified digital signatures for each user separately yet. Instead, we want to have one certificate in the company name that will produce one advanced digital signature no matter how many "signers" have added their signature drawings to the document.

The problem I have is getting an eIDAS-compliant certificate for an advanced signature in the company name. We have contacted our local EU trust service provider and tried 2 certificates that were supposedly in the company name, but one of them had the CEO's name as its common name, and the other had the company name as its common name but did not include the non-repudiation key usage, which is also kind of required by the eIDAS validator.

Is it even possible to have a certificate in a company name for an advanced eIDAS digital signature? Is a stamp certificate maybe what I need for this purpose?

Appreciate the help.
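The two things the question ran into with the certificates from the trust service provider (a common name that is a person rather than the company, and a missing nonRepudiation key usage bit) are both visible in the certificate itself and can be checked before buying anything. The script below is an added example, not code from the question, from DocuSign or from the DSS validator: it mints three throwaway self-signed certificates for a constructed company name ("Example Corp", with "Jane Doe" standing in for the CEO) that reproduce the good case and the two failing cases, then runs the same two checks against each. It assumes OpenSSL 1.1.1 or later (for `req -addext` and `x509 -ext`); `check_company_cert` is a simplification of the subject and key-usage checks, not a substitute for running the DSS validator.

```shell
# Added example, not code from the question or from DocuSign/DSS.
# Builds throwaway self-signed certificates in a constructed company name
# and checks the two points raised in the question: is the subject an
# organisation (O= present, CN equal to it) rather than a person, and does
# keyUsage assert nonRepudiation (named contentCommitment in RFC 5280)?
# Assumes OpenSSL >= 1.1.1 for `req -addext` and `x509 -ext`.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN KEYUSAGE: self-signed cert with O=Example Corp (constructed
# company name), the given CN and keyUsage bits; prints the PEM path.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=XX/O=Example Corp/CN=$2" \
    -addext "keyUsage=critical,$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.pem"
}

# has_non_repudiation CERT: succeeds if the KeyUsage extension sets nonRepudiation.
has_non_repudiation() {
  openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Non Repudiation'
}

# subject_org CERT: prints the subject's O= value (empty if there is none).
subject_org() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -o 'O=[^,]*' | head -n 1 | cut -d= -f2
}

# subject_cn CERT: prints the subject's CN= value (empty if there is none).
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -o 'CN=[^,]*' | head -n 1 | cut -d= -f2
}

# check_company_cert CERT: returns 0 only if the subject names an organisation,
# the CN is that organisation (not an officer's name), and nonRepudiation is set.
check_company_cert() {
  cert="$1"; ok=0
  org="$(subject_org "$cert")"; cn="$(subject_cn "$cert")"
  if [ -z "$org" ]; then
    echo "FAIL: subject has no O= (not issued to an organisation)"; ok=1
  elif [ "$org" != "$cn" ]; then
    echo "FAIL: CN '$cn' is not the company name '$org' (personal certificate?)"; ok=1
  else
    echo "ok: subject is the organisation '$org'"
  fi
  if has_non_repudiation "$cert"; then
    echo "ok: keyUsage asserts nonRepudiation"
  else
    echo "FAIL: keyUsage lacks nonRepudiation"; ok=1
  fi
  return "$ok"
}

# The good case and the two failure modes from the question (all constructed).
GOOD="$(make_cert good 'Example Corp' 'digitalSignature,nonRepudiation')"
CEO="$(make_cert ceo 'Jane Doe' 'digitalSignature,nonRepudiation')"
NOCC="$(make_cert nocc 'Example Corp' 'digitalSignature')"

for c in "$GOOD" "$CEO" "$NOCC"; do
  echo "== $c"
  check_company_cert "$c" || echo "(rejected)"
done
```

Run it as-is; the first certificate passes both checks, the second fails on the CN (the CEO's name), and the third fails on key usage, matching the two certificates described in the question. When a provider sends a real certificate, point `check_company_cert` at it before signing anything with it. Note that under eIDAS a certificate issued to a legal person (the company) is the basis for an electronic seal rather than an electronic signature, which is why the "stamp" (seal) certificate mentioned in the question is the relevant product category to ask the provider about.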

