National eIDAS Trusted Lists of the European Union

As mentioned above, the CA certificates are stored in the national eIDAS Trusted Lists. These lists, as well as the EU List of eIDAS Trusted Lists (LOTL), are stored in document-type _COMMONS_CONFIGURATION. When the Trust Anchor is built, the following steps are performed:

  • Load the LOTL from _COMMONS_CONFIGURATION. If it does not exist, the built-in LOTL is used.

  • Check that the LOTL was signed by one of the trusted certificates built into ImageMaster. These built-in certificates are taken from the Official Journal of the European Union (OJEU).

  • Verify the signature, i.e. check that the LOTL has not been modified.

  • Parse the LOTL and register the signing certificates it contains for the national eIDAS Trusted Lists.

  • Load the enabled national eIDAS Trusted Lists from _COMMONS_CONFIGURATION.

  • Check that each enabled national eIDAS Trusted List is signed by one of the certificates registered from the LOTL.

  • Verify the signatures of the enabled national eIDAS Trusted Lists.

  • Register all trusted service providers and their certificates in the Trust Anchor.

The Trusted List Browser of the European Union can be found here: https://webgate.ec.europa.eu/tl-browser/#/

The trusted lists can be configured in the ImageMaster AdminClient in the Signature Service room on the Trusted Lists tab. They are part of the Signature Service Configuration:

<SignatureConfiguration ...>
…
    <trustList>
        <countries>
            <country>
                <territory>EU</territory>
                <enabled>true</enabled>
                <automaticUpdate>false</automaticUpdate>
            </country>
            <country>
                <territory>DE</territory>
                <enabled>true</enabled>
                <automaticUpdate>false</automaticUpdate>
            </country>
        </countries>
    </trustList>
…
</SignatureConfiguration>

Elements:

  • territory (Enum)

    The territory of the national eIDAS Trusted List.

  • enabled (Boolean value)

    If true, the trusted list is enabled and loaded into the Trust Anchor. The “EU” List of eIDAS Trusted Lists (LOTL) is always in the system and enabled.

  • automaticUpdate (Boolean value)

    If true, the trusted list is automatically downloaded by the ImageMaster job system (job “TrustListUpdate”).

There are three ways to get the lists:

  • In offline mode the lists must be downloaded manually from the Trusted List Browser of the European Union and stored in document-type _COMMONS_CONFIGURATION with filename SignatureService_TL_<Territory>.

  • The lists can also be downloaded or updated manually in the AdminClient, Signature Service room, tab Trusted Lists. They are downloaded from the Trusted List Browser and stored in _COMMONS_CONFIGURATION.

  • Finally, the lists can be downloaded automatically by the ImageMaster job “TrustListUpdate”.
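The following is an added example, not ImageMaster's own code: it parses the trustList section of a Signature Service Configuration as shown above, lints it against the rules on this page (the EU LOTL is always enabled; automaticUpdate only downloads, enabled only loads), and derives the load order and the SignatureService_TL_<Territory> documents that must be supplied manually. The function names and the sample configuration are assumptions.

```python
# Added example, not ImageMaster's own code; the function names are hypothetical.
import xml.etree.ElementTree as ET
from typing import NamedTuple
# Constructed sample; a real SignatureConfiguration contains further elements.
SAMPLE_CONFIG = """<SignatureConfiguration>
  <trustList><countries>
    <country><territory>EU</territory><enabled>true</enabled><automaticUpdate>false</automaticUpdate></country>
    <country><territory>DE</territory><enabled>true</enabled><automaticUpdate>true</automaticUpdate></country>
    <country><territory>FR</territory><enabled>false</enabled><automaticUpdate>true</automaticUpdate></country>
  </countries></trustList>
</SignatureConfiguration>"""

class TrustListEntry(NamedTuple):
    territory: str
    enabled: bool
    automatic_update: bool
    @property
    def filename(self):
        # Document name in _COMMONS_CONFIGURATION, as given on this page.
        return f"SignatureService_TL_{self.territory}"
def _flag(country, tag):
    # Boolean element; anything but true/false is a configuration error, not silently false.
    text = (country.findtext(tag) or "false").strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"{tag}: expected true or false, got {text!r}")
    return text == "true"

def parse_trust_lists(xml_text):
    entries = []
    for c in ET.fromstring(xml_text).iterfind("trustList/countries/country"):
        territory = (c.findtext("territory") or "").strip()
        if not (territory.isalpha() and territory.isupper()):
            raise ValueError(f"bad territory {territory!r}")
        entries.append(TrustListEntry(territory, _flag(c, "enabled"), _flag(c, "automaticUpdate")))
    return entries

def lint(entries):
    # Findings a reviewer would raise before rolling out the configuration.
    findings = []
    if not any(e.territory == "EU" and e.enabled for e in entries):
        findings.append("EU: the LOTL is always in the system and enabled; expected enabled=true")
    for e in entries:
        if e.automatic_update and not e.enabled:
            findings.append(f"{e.territory}: fetched by TrustListUpdate but not loaded (enabled=false)")
    return findings

def load_plan(entries):
    """LOTL first (it supplies the national lists' signer certificates), then the enabled national lists."""
    enabled = [e for e in entries if e.enabled]
    order = [e.filename for e in enabled if e.territory == "EU"] + sorted(e.filename for e in enabled if e.territory != "EU")
    # Enabled lists without automaticUpdate must come from offline mode or the AdminClient.
    return {"load_order": order, "manual": sorted(e.filename for e in enabled if not e.automatic_update)}
```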