Signing PDFs on a server document using a signature from the user

If the certificate with a private key is on the client, then you need a client-side module to do the signing. JavaScript won’t be enough, as it won’t have access to the key on the client. While you can try calling CAPICOM from JavaScript, this is a partial (no PKCS#11 support), Windows-specific and obsolete solution. A better option is to have a browser applet written in Java that will perform the signing (see below).

Our SecureBlackbox product has a distributed signature add-on which does exactly what you describe (PHP, Java, ASP.NET and compiled modules are supported at the moment). You can see the scheme of how the add-on works:

[Image: scheme of how the distributed signature add-on works]

In our product we offer pre-built browser modules – Java applet, ActiveX control and Flash applet, yet the Java applet is in most cases enough, as it can access PKCS#11 storages and the Windows Certificate storage on Windows. For browsers that don’t support Java applets, SecureBlackbox allows the applet to be used via Java Web Start, as an external “application”.

You will probably need to re-create this complete scheme; however, it’s a big trick to calculate the hash on the server, pass it to the client for signing and then embed the signature back into the document.

It would probably be easier to transfer the complete document to the client and have a Java applet that will sign that document using iText or the Java edition of our SecureBlackbox and then upload the document back to the server.
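The hash-on-server flow mentioned above (the server computes the hash, the client signs only that hash, the server embeds the result), sketched as an added example that is not part of the original answer and is not SecureBlackbox or iText code. The placeholder layout, function names and sample document are assumptions, and textbook RSA stands in for the client's key; a real PDF records /ByteRange in the signature dictionary and embeds a CMS (PKCS#7) container.

```python
import hashlib

RESERVED_HEX = 128  # hex digits reserved in /Contents (real signers reserve several KB)

def prepare(body: bytes) -> bytes:
    """Server: append a zero-filled /Contents placeholder before any hashing."""
    return body + b"/Contents <" + b"0" * RESERVED_HEX + b">\n%%EOF\n"

def byte_range(doc: bytes):
    """[offset, length, offset, length] covering all bytes except the <...> value."""
    start = doc.rindex(b"/Contents <") + len(b"/Contents ")
    end = start + RESERVED_HEX + 2  # skip both angle brackets
    return (0, start, end, len(doc) - end)

def digest(doc: bytes) -> bytes:
    """Hash over the two ranges; this is the only data sent to the client."""
    a, la, b, lb = byte_range(doc)
    return hashlib.sha256(doc[a:a + la] + doc[b:b + lb]).digest()

def embed(doc: bytes, signature: bytes) -> bytes:
    """Server: write the signature into the placeholder without moving any byte."""
    hexsig = signature.hex().encode()
    if len(hexsig) > RESERVED_HEX:
        raise ValueError("signature larger than reserved placeholder")
    _, start, end, _ = byte_range(doc)
    return doc[:start + 1] + hexsig.ljust(RESERVED_HEX, b"0") + doc[end - 1:]

# Client stand-in: textbook RSA over two Mersenne primes. NOT secure, illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the client

def client_sign(h: bytes) -> bytes:
    """Client: sign the received hash with the private key (27-byte result)."""
    return pow(int.from_bytes(h, "big") % N, D, N).to_bytes(27, "big")

def verify(doc: bytes) -> bool:
    """Verifier with public key (N, E): recompute the range digest and compare."""
    _, start, _, _ = byte_range(doc)
    sig = int(doc[start + 1:start + 55], 16)  # 27 bytes = 54 hex digits
    return pow(sig, E, N) == int.from_bytes(digest(doc), "big") % N

if __name__ == "__main__":
    doc = prepare(b"%PDF-1.7\nPay 100 EUR\n")  # constructed sample document
    signed = embed(doc, client_sign(digest(doc)))
    print(verify(signed), verify(signed.replace(b"100", b"900")))
```

Because the placeholder is excluded from the hashed ranges, the digest is the same before and after embedding, which is what lets the server hash first and insert the signature later.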
