TLDR: The EU parliament published new certificates for the EU-LOTL infrastructure. You can find the new certificates here: eu certs. Users of iText’s EU-LOTL feature will currently see the following warning message:
Main LOTL file contains two Official Journal of European Union links. This usually indicates that transition period for Official Journal has started. Newest version of Official Journal should be used from now on to retrieve trusted certificates and LOTL location.
To solve this you need to bump the dependency eu-trusted-lists-resources to version 1.1. By doing this you will trust those new certificates. This should be done before 28 April, as that is the end of the transition period.
Source code for our trusted certificates: github repo
Within the iText SDK we have a feature called EU LOTL validation. You can read about it in greater detail here: https://kb.itextpdf.com/itext/pdf-signature-validation-lotl-cache-initialization. The main idea is that it automatically adds the required certificates to the TrustedStore used in the validation process.
This TrustedStore is just a collection of certificates you trust while validating a digital signature.
What problem does this feature solve?
Let’s say your document workflow requires you to validate digital signatures generated by citizens of Belgium. To do this you would need to trust either the signer’s certificate or a certificate in the signer’s certificate chain.
Let’s look at a simplified representation of a certificate chain.
-- Belgian Country Provided Certificate
   -- Intermediate certificate 1
      -- Personal Certificate of person named: Stromae
      -- Personal Certificate of person named: Kevin De Bruyne
   -- Intermediate certificate 2
      -- Personal Certificate of person named: Eden Hazard
      -- Personal Certificate of person named: Jean-Claude Van Damme
In this sample you have a couple of options. If you only want to validate the signatures of Kevin De Bruyne, you would add only his certificate to the TrustedStore. But how would you get his certificate? Well, that’s the hard part: it’s stored on his physical eID card, so you would need to call him and ask him to mail you his certificate. Great, now we can validate signatures of Kevin De Bruyne. But now your Product Manager says: oh man, we need to support validation of signatures generated by Jean-Claude Van Damme as well. Pretty hard to contact that guy, as he is ignoring your emails.
So as you can imagine, this does not scale well.
But we still want to validate signatures of mister Jean-Claude Van Damme. So how can we do this?
Well, if we look up the chain we see the Belgian country certificate. If we only add this one to the TrustedStore, then we automatically trust all the certificates downstream in the chain as well.
The iText EU LOTL validation feature allows you to trust specific countries: it adds their certificates to the TrustedStore, so you can validate those citizens’ digital signatures. Where does iText get these certificates? Well, for this we rely on the actual infrastructure provided by the European Union. In short, it works something like this:
You have the main access point: https://ec.europa.eu/tools/lotl/eu-lotl.xml. This XML file is the root entry point for the trust validation; it contains the locations (URLs) of the country-specific trust lists. If you open eu-lotl.xml in your favorite $EDITOR you will see something like this:
<!-- Other European countries -->
<OtherTSLPointer>
  <TSLLocation>https://tsl.belgium.be/tsl-be.xml</TSLLocation>
  <AdditionalInformation>
    <OtherInformation>
      <TSLType>http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric</TSLType>
    </OtherInformation>
    <OtherInformation>
      <SchemeTerritory>BE</SchemeTerritory>
    </OtherInformation>
    <OtherInformation>
      <ns3:MimeType>application/vnd.etsi.tsl+xml</ns3:MimeType>
    </OtherInformation>
    <OtherInformation>
      <SchemeOperatorName>
        <Name xml:lang="nl">FOD Economie, KMO, Middenstand en Energie - Kwaliteit en Veiligheid</Name>
      </SchemeOperatorName>
    </OtherInformation>
    <OtherInformation>
      <SchemeTypeCommunityRules>
        <URI xml:lang="en">http://uri.etsi.org/TrstSvc/TrustedList/schemerules/EUcommon</URI>
        <URI xml:lang="en">http://uri.etsi.org/TrstSvc/TrustedList/schemerules/BE</URI>
      </SchemeTypeCommunityRules>
    </OtherInformation>
  </AdditionalInformation>
</OtherTSLPointer>
<!-- Other European countries -->
In this XML we can see that the node TSLLocation contains a link to the location of the Belgian trusted list.
What is a trusted list, you may ask? Well, at a high level it can be thought of as a collection of the certificates that the government uses to issue other certificates and to sign digital documents. So if you trust those certificates, you trust all the end-user certificates as well.
So did you spot the issue already?
It’s all about trust, but our entry point is just a random file on the internet? That’s not that trustworthy. So how does the EU LOTL infrastructure solve this issue? Well, each of those XML files is actually signed, meaning you can verify that those documents are valid and have not been altered.
But which certificates are used to sign those XML files, and how do you find them?
In the main LOTL file we have the entry SchemeInformationURI, and one of its values points to a publication of an EU law; this document hardcodes the certificates used for signing the XML files.
At the time of writing, the publication in use is: eu certificates
So why am I writing this article?
Well, the EU parliament published a new set of those certificates, which means that from 28 April (the end of the transition period) onward the XML files can only be validated with the new set of certificates.
So if you are using the EU-LOTL feature, you will currently see the following warning message:
Main LOTL file contains two Official Journal of European Union links. This usually indicates that transition period for Official Journal has started. Newest version of Official Journal should be used from now on to retrieve trusted certificates and LOTL location.
This in turn means that from 28 April onward, the XML files will fail validation if the old certificates are used.
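As an added example (not iText’s own code and not from the eu-trusted-lists-resources repository), the Python below reads a constructed excerpt of eu-lotl.xml with the same element layout as the pointer shown above: it collects the per-country TSLLocation entries and inspects the SchemeInformationURI list for the two-Official-Journal-links situation behind the warning. The namespace URIs, the EUlistofthelists self-pointer and the "OJ." marker used to recognise an Official Journal link are assumptions, and the OJ references are placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed, trimmed eu-lotl.xml: same element layout as the real file, sample values only.
SAMPLE_LOTL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#"
 xmlns:ns3="http://uri.etsi.org/02231/v2/additionaltypes#">
 <SchemeInformation>
  <SchemeInformationURI>
   <URI xml:lang="en">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.OLD-PUBLICATION-PLACEHOLDER</URI>
   <URI xml:lang="en">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.NEW-PUBLICATION-PLACEHOLDER</URI>
   <URI xml:lang="en">https://ec.europa.eu/tools/lotl/eu-lotl.xml</URI>
  </SchemeInformationURI>
  <PointersToOtherTSL>
   <OtherTSLPointer><TSLLocation>https://ec.europa.eu/tools/lotl/eu-lotl.xml</TSLLocation>
    <AdditionalInformation>
     <OtherInformation><TSLType>http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUlistofthelists</TSLType></OtherInformation>
     <OtherInformation><SchemeTerritory>EU</SchemeTerritory></OtherInformation>
    </AdditionalInformation></OtherTSLPointer>
   <OtherTSLPointer><TSLLocation>https://tsl.belgium.be/tsl-be.xml</TSLLocation>
    <AdditionalInformation>
     <OtherInformation><TSLType>http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric</TSLType></OtherInformation>
     <OtherInformation><SchemeTerritory>BE</SchemeTerritory></OtherInformation>
     <OtherInformation><ns3:MimeType>application/vnd.etsi.tsl+xml</ns3:MimeType></OtherInformation>
    </AdditionalInformation></OtherTSLPointer>
  </PointersToOtherTSL>
 </SchemeInformation>
</TrustServiceStatusList>"""

EU_GENERIC = "http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric"
def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace so ns3:MimeType and default-namespace tags match by name

def _texts(elem, local_name):
    """Stripped text of every descendant (elem included) whose local name matches."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == local_name and e.text]

def country_tsl_locations(lotl_xml):
    """SchemeTerritory -> TSLLocation for each EUgeneric pointer; the LOTL's own EUlistofthelists pointer is skipped."""
    pointers = [p for p in ET.fromstring(lotl_xml).iter() if _local(p.tag) == "OtherTSLPointer"]
    return {_texts(p, "SchemeTerritory")[0]: _texts(p, "TSLLocation")[0]
            for p in pointers if EU_GENERIC in _texts(p, "TSLType")}

def official_journal_links(lotl_xml):
    """SchemeInformationURI entries that point at an Official Journal publication.
    Assumption: an OJ publication is a eur-lex URI carrying the 'OJ.' marker."""
    root = ET.fromstring(lotl_xml)
    uris = [u for s in root.iter() if _local(s.tag) == "SchemeInformationURI" for u in _texts(s, "URI")]
    return [u for u in uris if "eur-lex.europa.eu" in u and "OJ." in u]

def in_transition_period(lotl_xml):
    return len(official_journal_links(lotl_xml)) >= 2  # two OJ links at once: the situation behind the warning
```

Running in_transition_period against the live eu-lotl.xml is a cheap way to notice the start of a transition period before the old publication stops being valid.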
If you rely on the artifact eu-trusted-lists-resources we provide, the migration is as simple as bumping to version 1.1.
If you implemented your own way of getting those certificates, then you should update it with the latest information, which can be found over at new eu certificates.
But please double-check the main lotl file yourself for the correct latest information!
Article written: 2026-04-19