Manual installation of Trust Service Status Lists of certificates in DigiDoc4 application

DigiDoc4 version 3.10 and later versions use Trust Service Status Lists (TSLs) to check the trustworthiness of digitally signed BDOC and ASiC-E files. TSLs are used both when signing documents and validating signatures.

How does DigiDoc4 use TSLs?

During installation of the ID-software, Estonian national TSL, which is the latest version available during software packaging, and the European Commission list, which includes references to the TSLs of other countries, are installed on the computer. TSLs of foreign countries are not installed.

Upon opening a digitally signed file, DigiDoc4 automatically identifies the country whose certificates have been used to add electronic signatures to it and downloads the TSLs of the respective country where necessary. For instance, if a file is signed using a Latvian and a Lithuanian ID-card, DigiDoc4 downloads Latvian and Lithuanian Trust Service Status Lists.

NB! If contacting a foreign network is not permitted, the TSLs of the respective countries must be installed manually and updated regularly.  Without this it is not possible to verify signatures and the signature status is “unknown”. 

Verification and automatic updating of TSLs:

Automatic TSL updates are enabled in the software by default. This means that every time you launch DigiDoc4, it checks whether the TSLs on the computer are up to date and downloads the latest version where necessary.

To this end, the DigiDoc4 uses the official TSL of the European Commission at https://ec.europa.eu/tools/lotl/eu-lotl.xml, which in turn refers to the TSLs of more than 30 European countries. The URL values for downloading TSLs can be found at http://eutsl.3xasecurity.com/tools/index.jsp under the European Commission TSL information.

Important to know:

  • If you do not wish to contact a foreign network, you should install TSL updates or TSLs of other countries manually.
  • If the TSL on the user’s computer expires, they are notified even if automatic updates are disabled.

Term of validity of TSLs

The terms of validity of TSLs can be viewed in the European Commission TSL with additional information. The maximum term of validity of TSL is six months, but the latest version can be published earlier.

Manual installation of TSLs:

In order to manually install TSLs, you need to download the respective xml files (without changing the original file name) (XMLs by countries: http://tlbrowser.tsl.website/tools/index.jsp) and save them in the following locations depending on your operating system:

  • in the “%APPDATA%\digidocpp\tsl” directory in the case of Windows
  • in the $HOME/.digidocpp/tsl directory in the case of Linux
  • in the ~/Library/Containers/ee.ria.qdigidoc4/Data/Library/Application\ Support/RIA/qdigidoc4/ directory in the case of macOS

If a TSL is manually installed, you can disable automatic TSL updates:

  1. Launch the DigiDoc4.
  2. Open “Settings”.
  3. Uncheck the “Check for TSL updates” box.

Additionally, you can disable TSL updates via the digidocpp.conf configuration file by setting “false” as the “tsl.onlineDigest” parameter value.

However, you have to remember that signatures cannot be verified using expired lists.