TrustListFetcher

A PHP package, licensed under the MIT license, that allows you to download or extract all certificates from trust lists such as the EUTL (EU Trusted List) or the AATL (Adobe Approved Trust List).

Installation

You can install the package with Composer:

composer require setasign/trust-list-fetcher

The package uses classes of the SetaPDF-Signer component. A valid license and the correct Composer repository have to be set up in your composer.json as well.

The root namespace for all classes is setasign\TrustListFetcher.

HTTP requests

All internal HTTP requests are made through a Guzzle Client instance, which the respective trust list class expects as a constructor argument. The verify option below points Guzzle at the CA bundle used to validate the TLS connections to the trust list endpoints.

$client = new GuzzleHttp\Client([
    'verify' => __DIR__ . '/../assets/cacert-2026-04-16+interm-for-IE.pem'
]);

Certificates from the EUTL

The Eutl class allows you to download all certificates from the EUTL.

Based on the Official Journal of the European Union (OJEU) of 14 April 2026, the class starts by loading the "List Of Trust Lists" (LOTL) from https://ec.europa.eu/tools/lotl/eu-lotl.xml and then recursively accesses the individual trust lists of the member states.

During this process the integrity and trust of the individual trust list signing certificates are verified. The process therefore has to start from a collection of trusted certificates extracted from the mentioned OJEU, which are stored in the file LOTL-signing-certificates-2026-04-15.pem.

//...
use setasign\SetaPDF2\Signer\PemHelper;
use setasign\SetaPDF2\Signer\X509\Collection;
//...

$trustedCerts = new Collection();
$trustedCerts->add(
    PemHelper::extractFromFile(__DIR__ . '/../assets/LOTL-signing-certificates-2026-04-15.pem')
);

Then you can simply initiate an instance:

//...
use setasign\TrustListFetcher\Eutl;
//...

$eutlFetcher = new Eutl($client, $trustedCerts);

The real process starts by calling the fetch() method, which accepts two callbacks: $certificateFound, which is executed whenever a certificate is found, and $certificateError, which is executed if a certificate cannot be converted into a Certificate instance:

//...
use setasign\SetaPDF2\Signer\X509\Certificate;
//...

$eutlFetcher->fetch(
    function (Certificate $certificate) {
        // a certificate was successfully extracted
    },
    function (\InvalidArgumentException $e, string $certificate) {
        // the resolved certificate could not be converted to a Certificate instance
    }
);

If it is not possible to process all trust lists, the method throws an exception, and the certificates resolved up to that point should be treated as incomplete.

NOTE: The whole process can take several seconds or minutes, depending on the response times of the individual trust list endpoints.

Error Handling and Logging

The process can only be considered complete if the fetch() call returns without throwing an exception.

To understand what happens during the whole process, the Eutl instance gives you access to a default Logger instance through its getLogger() method.

You can enable direct output of the logger instance this way:

$eutlFetcher->getLogger()->setDirectOutput(true);

All logs will be echoed out directly.

If you only want to access the log in case of an exception, just access it in a catch-block:

try {
    $eutlFetcher->fetch(
        function (Certificate $certificate) {
            // ...
        },
        function (\InvalidArgumentException $e, string $certificate) {
            // ... 
        }
    );
   
    // commit all resolved certificates
    
} catch (\Throwable $e) {
    // revert or simply not process all resolved certificates
    
    echo 'Error: ' . $e->getMessage() . PHP_EOL;
    foreach ($eutlFetcher->getLogger()->getLogs() as $log) {
        echo \str_repeat(' ', $log->getDepth() * 4) . $log->getMessage() . PHP_EOL;
    }
}

Certificates from the AATL

The Aatl class allows you to download all certificates from the AATL.

The integrity and the timestamp signature of the PDF envelope are validated against a root certificate of Adobe (Adobe Root CA G2.cer) and of DigiCert (DigiCert Trusted Root G4.cer). For this we need a trusted certificate collection:

//...
use setasign\SetaPDF2\Signer\X509\Collection;
//...

$trustedCerts = new Collection();
$trustedCerts->addFromFile(__DIR__ . '/../assets/Adobe Root CA G2.cer');
$trustedCerts->addFromFile(__DIR__ . '/../assets/DigiCert Trusted Root G4.cer');

Then you can simply initiate an instance:

//...
use setasign\TrustListFetcher\Aatl;
//...

$aatlFetcher = new Aatl($client, $trustedCerts);

...and call the fetch() method to get all certificates from the AATL:

//...
use setasign\SetaPDF2\Signer\X509\Certificate;
//...

$aatlFetcher->fetch(
    function (Certificate $certificate) {
        // a certificate was successfully extracted
    },
    function (\InvalidArgumentException $e, string $certificate) {
        // the resolved certificate could not be converted to a Certificate instance
    }
);

Error Handling and Logging

The process can only be considered complete if the fetch() call returns without throwing an exception.

Like the Eutl instance, the Aatl instance also gives you access to a logger instance through its getLogger() method.

You can enable direct output of the logger instance this way:

$aatlFetcher->getLogger()->setDirectOutput(true);

All logs will be echoed out directly.

If you only want to access the log in case of an exception, just access it in a catch-block:

try {
    $aatlFetcher->fetch(
        function (Certificate $certificate) {
            // ...
        },
        function (\InvalidArgumentException $e, string $certificate) {
            // ... 
        }
    );
   
    // commit all resolved certificates
    
} catch (\Throwable $e) {
    // revert or simply not process all resolved certificates
    
    echo 'Error: ' . $e->getMessage() . PHP_EOL;
    foreach ($aatlFetcher->getLogger()->getLogs() as $log) {
        echo \str_repeat(' ', $log->getDepth() * 4) . $log->getMessage() . PHP_EOL;
    }
}
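The two error-handling sections above (for the Eutl and for the Aatl class) both leave the "commit" and "revert" steps as comments. The following script is an added example, not code from this README or from the TrustListFetcher project, that fills them in for both classes: certificates are written to a temporary PEM file, duplicates are skipped by SHA-256 fingerprint, and the temporary file replaces the target file only after fetch() has returned without an exception; on any exception the partial file is deleted, the logger output is printed, and the previous file stays untouched. The fetchToPemFile() helper, the output file names and the Guzzle timeout value are this example's own. The Format class (setasign\SetaPDF2\Signer\X509\Format) and Certificate::get() are assumed from the SetaPDF-Signer API and are not shown on this page; everything else uses the classes and methods the README documents.

```php
<?php
// Added example (not part of the TrustListFetcher README): fetch the EUTL and
// the AATL and commit each result atomically.
// Assumed beyond the README: the Format class and Certificate::get(Format::DER|PEM)
// returning the DER or PEM encoding of the certificate.

declare(strict_types=1);

require __DIR__ . '/../vendor/autoload.php';

use GuzzleHttp\Client;
use setasign\SetaPDF2\Signer\PemHelper;
use setasign\SetaPDF2\Signer\X509\Certificate;
use setasign\SetaPDF2\Signer\X509\Collection;
use setasign\SetaPDF2\Signer\X509\Format;   // assumed class name, see lead-in
use setasign\TrustListFetcher\Aatl;
use setasign\TrustListFetcher\Eutl;

/**
 * Runs $fetcher->fetch() and writes every certificate as PEM to $targetFile.
 * The file is only replaced when fetch() completes without an exception, so an
 * incomplete run never overwrites a previously complete list.
 *
 * @param Eutl|Aatl $fetcher
 * @return array{certificates: int, errors: int}
 */
function fetchToPemFile(object $fetcher, string $targetFile): array
{
    $tmpFile = $targetFile . '.tmp';
    $seen = [];      // SHA-256 fingerprint of the DER => true, used to skip duplicates
    $errors = 0;     // entries the library could not turn into a Certificate instance

    $handle = fopen($tmpFile, 'wb');
    if ($handle === false) {
        throw new RuntimeException('Cannot open ' . $tmpFile . ' for writing');
    }

    try {
        $fetcher->fetch(
            function (Certificate $certificate) use ($handle, &$seen): void {
                $der = $certificate->get(Format::DER);               // assumed API
                $fingerprint = hash('sha256', $der);
                if (isset($seen[$fingerprint])) {
                    return;                                            // listed more than once
                }
                $seen[$fingerprint] = true;
                fwrite($handle, $certificate->get(Format::PEM));       // assumed API
            },
            function (\InvalidArgumentException $e, string $certificate) use (&$errors): void {
                $errors++;
                fwrite(STDERR, 'Unparsable certificate (' . strlen($certificate)
                    . ' bytes): ' . $e->getMessage() . PHP_EOL);
            }
        );
        fclose($handle);

        // commit: only now does the new list replace the old one
        if (!rename($tmpFile, $targetFile)) {
            throw new RuntimeException('Cannot move ' . $tmpFile . ' to ' . $targetFile);
        }
    } catch (\Throwable $e) {
        // revert: drop the partial result, keep the previous file, show the log
        if (is_resource($handle)) {
            fclose($handle);
        }
        @unlink($tmpFile);
        fwrite(STDERR, 'Error: ' . $e->getMessage() . PHP_EOL);
        foreach ($fetcher->getLogger()->getLogs() as $log) {
            fwrite(STDERR, str_repeat(' ', $log->getDepth() * 4) . $log->getMessage() . PHP_EOL);
        }
        throw $e;
    }

    return ['certificates' => count($seen), 'errors' => $errors];
}

// TLS to the trust list endpoints is verified against the CA bundle from the README.
$client = new Client([
    'verify' => __DIR__ . '/../assets/cacert-2026-04-16+interm-for-IE.pem',
    'timeout' => 60,
]);

// EUTL: anchored on the LOTL signing certificates published in the OJEU
$eutlTrust = new Collection();
$eutlTrust->add(PemHelper::extractFromFile(__DIR__ . '/../assets/LOTL-signing-certificates-2026-04-15.pem'));
$eutlResult = fetchToPemFile(new Eutl($client, $eutlTrust), __DIR__ . '/eutl.pem');

// AATL: anchored on the Adobe and DigiCert roots that sign the PDF envelope
$aatlTrust = new Collection();
$aatlTrust->addFromFile(__DIR__ . '/../assets/Adobe Root CA G2.cer');
$aatlTrust->addFromFile(__DIR__ . '/../assets/DigiCert Trusted Root G4.cer');
$aatlResult = fetchToPemFile(new Aatl($client, $aatlTrust), __DIR__ . '/aatl.pem');

printf("EUTL: %d certificates, %d unparsable entries\n", $eutlResult['certificates'], $eutlResult['errors']);
printf("AATL: %d certificates, %d unparsable entries\n", $aatlResult['certificates'], $aatlResult['errors']);
```

The rename step is what makes the result safe to consume from another process: a reader of eutl.pem or aatl.pem either sees the previous complete list or the new complete list, never a half-written one. The error callback is counted rather than treated as fatal because, as the README describes, it only reports entries the library could not parse; only an exception from fetch() means the list itself is incomplete.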
