TrustListFetcher & X509\PdoCollection
2026-06-10
In this article we want to introduce you to two new tools that can be used alongside our PDF signature solution, the SetaPDF-Signer component:
TrustListFetcher
Digital signatures in PDF documents prove integrity and authenticity. While integrity is proven by cryptographic algorithms, authenticity is based on trust.
When using our PDF signature solution, it is up to you, the implementer, to define which certificates are trusted. This is needed to gather revocation information to enable LTV (long-term validation) in PDF signatures. In most setups these certificates are fixed, as they simply build the chain for the signing certificate.
But sometimes there are use cases where it would be ideal to have an external source of trust: an official trust list by a trusted entity.
ETSI released a standard (ETSI TS 119 612) that is used by the EUTL (European Union Trust List) and by countries outside the EU (e.g. Switzerland) to deploy lists of trusted certificates in a secure and standardized way. Adobe, in contrast, uses its own format for its AATL (Adobe Approved Trust List).
The TrustListFetcher project is a PHP tool that allows you to extract certificates from these trust lists.
X509\PdoCollection
To gather revocation information, the SetaPDF-Signer component by default uses an instance of the X509\Collection in its Collector class to access trusted or extra certificates.
Because the X509\Collection class works with instantiated certificate instances throughout, it can become a performance problem as soon as the collection has to handle several hundred or several thousand certificates.
This can happen if, for example, you want to use a complete trust list from an external entity. Instead of instantiating several hundred or several thousand certificate instances each time from PEM files or a PEM collection on the file system, you can store these certificates in, for example, a database.
The X509\PdoCollection project shows you how you can create a certificate collection implementation served by a database. For demonstration purposes we used PDO and a SQLite database.
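One way to realise the database-backed lookup described above, as an added example that is not code from the X509\PdoCollection project: certificates are stored as PEM in SQLite via PDO and indexed by a hash of their subject, so finding an issuer parses only the matching rows, and a signature check rejects a certificate that merely shares the issuer's name. The table layout and the functions `createStore()`, `nameKey()`, `addCertificate()`, `findIssuers()` and `issue()` are assumptions made for illustration; the certificates are constructed at run time.

```php
<?php
// Added example: table layout and function names are hypothetical, not the project's own.
function createStore(PDO $pdo): void {
    $pdo->exec('CREATE TABLE certificates (fingerprint TEXT PRIMARY KEY,
        subject_key TEXT NOT NULL, pem TEXT NOT NULL)');
    $pdo->exec('CREATE INDEX idx_subject ON certificates (subject_key)');
}
// Index key for a parsed name: a lookup hint only, never a trust decision.
function nameKey(array $name): string {
    ksort($name);
    return hash('sha256', json_encode($name));
}
function addCertificate(PDO $pdo, string $pem): void {
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new InvalidArgumentException('Not a parsable X.509 certificate.');
    }
    $pdo->prepare('INSERT OR IGNORE INTO certificates VALUES (?, ?, ?)')->execute(
        [openssl_x509_fingerprint($pem, 'sha256'), nameKey($info['subject']), $pem]);
}
// Fetches only rows whose subject matches the issuer name, then keeps the
// candidates whose public key actually verifies the certificate's signature.
function findIssuers(PDO $pdo, string $pem): array {
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new InvalidArgumentException('Not a parsable X.509 certificate.');
    }
    $stmt = $pdo->prepare('SELECT pem FROM certificates WHERE subject_key = ?');
    $stmt->execute([nameKey($info['issuer'])]);
    return array_values(array_filter($stmt->fetchAll(PDO::FETCH_COLUMN),
        fn (string $c): bool => openssl_x509_verify($pem, $c) === 1));
}
// Constructed sample data: throwaway certificates generated at run time.
function issue(string $cn, $caCert = null, $caKey = null): array {
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, $caCert, $caKey ?? $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    return [$pem, $cert, $key];
}
$pdo = new PDO('sqlite::memory:');
createStore($pdo);
[$caPem, $caCert, $caKey] = issue('Constructed Test CA');
[$sameNamePem] = issue('Constructed Test CA'); // same subject, different key
[$leafPem] = issue('Constructed Signer', $caCert, $caKey);
addCertificate($pdo, $caPem);
addCertificate($pdo, $sameNamePem);
echo count(findIssuers($pdo, $leafPem)), " verified issuer(s) found\n";
```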
Feedback or Ideas?
We hope that these tools give you some ideas of how to optimize your own implementations of the SetaPDF-Signer component! If you have any comments or ideas on how we can improve them, feel free to reach out through issues on GitHub or simply send an email to support@setasign.com.
