open-pdf-sign / open-pdf-sign

Digitally sign PDF files from your commandline

Home Page: https://openpdfsign.org


Long-Term Validation support

mpiot opened this issue · comments

When using the tool to certify a PDF, the CRL (Certificate Revocation List) is not added to the document. Because of that, Adobe Reader, for example, needs to query the CRL server (from the .crt file) and download it to check the certificate is not revoked.

When Adobe Reader needs to do that, it marks the document as not "LTV enabled".

Is it possible, using the CLI, to automatically get the CRL from the key or add it manually via the CLI?

Refs:

commented

I'm currently looking into that. Please find attached two documents that are PAdES-LT and PAdES-LTA enabled (using LetsEncrypt/DigiCert), from a working prototype. Would these meet your requirements?

pades-LTA.pdf
pades-LT.pdf

It will still take a bit of time to publish, but expect this in the near-term future.

@cproof oh yes, exactly that :)
Tested on https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation and it seems to be what I expect. I'll check it on Windows later (open in Adobe Reader), but your capture shows the same :)

commented

Hi @mpiot,
PAdES-LT and PAdES-LTA are now available in the latest release. If you enable one of these profiles (PAdES-LT being sufficient in practice, in my experience), supply a timestamp server and use a signature with revocation data, Adobe Reader should mark the signatures as "LTV enabled".

@cproof Thanks a lot :)