Read in the end about asymmetric cryptography and PKI.
In general, in short, if you want a legally significant electronic document flow with clients, you sign an agreement with each that the parties agree to consider a handwritten electronic signature made using such and such a technology.
The technology may be different. Pretty simple and lightweight option is PGP, it's not PKI but pretty close.
Each party generates a pair of keys (secret/public), the public key is transferred to the opposite party. With the help of the appropriate software, the files are signed and sent to the second party.
It is important here that each of the participants generates keys for himself and the private key is never transferred to anyone.
It is on this principle that most banks work, only they are required to use domestic certified cryptography (CryptoPro, CryptoCom ...).
If you switch to PKI, then another character is added - a certification authority (CA). Each party, after generating the key, sends a certificate request to the CA and receives a certificate from it. A certificate is essentially a public key signed on a CA key with various restrictions. For example, there is a limitation on the period of use of the certificate.
I’m not sure exactly, but it seems like in our country you can’t use Western crypto by law, so it’s better to immediately focus on domestic software. For example, not a bad option CryptoPro + CryptoARM. Domestic costs money.
If you ask, what about SSL - there are entirely Western algorithms that are not certified, I will answer - there are special clauses about this in the law, the point is that if it is not possible to remove support for Western algorithms from the software, then you can. But in relation to the workflow, this cannot be pulled.