Why does installing "pdftk-java" change root certificate authority? Is this bad?

Question

new ubuntu user here. I installed pdftk-java using sudo-apt, and it changed a lot of my root certificate authorities. Is this bad? I don't understand why this root certificate authority is needed by a PDF editing software/program. I'm not sure if I accidently installed malware, and how to get rid of it.

Here is my product release:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:    22.04
Codename:   jammy
sudo apt install pdftk-java
[sudo] password for [USERNAME]: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java default-jre-headless java-common libbcprov-java
  libcommons-lang3-java openjdk-11-jre-headless
[...]
Adding debian:ANF_Secure_Server_Root_CA.pem
Adding debian:emSign_Root_CA_-C1.pem
Adding debian:AffirmTrust_Networking.pem
Adding debian:IdenTrust_Public_Sector_Root_CA_1.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
Adding debian:COMODO_ECC_Certification_Authority.pem
Adding debian:ssl-cert-snakeoil.pem
Adding debian:Staat_der_Nederlanden_EV_Root_CA.pem
Adding debian:DigiCert_High_Assurance_EV_Root_CA.pem
Adding debian:Network_Solutions_Certificate_Authority.pem
Adding debian:Buypass_Class_3_Root_CA.pem
Adding debian:OISTE_WISeKey_Global_Root_GB_CA.pem
Adding debian:Buypass_Class_2_Root_CA.pem
Adding debian:Amazon_Root_CA_4.pem
Adding debian:DigiCert_Trusted_Root_G4.pem
Adding debian:CFCA_EV_ROOT.pem
Adding debian:GTS_Root_R4.pem
Adding debian:GlobalSign_Root_CA-R2.pem
Adding debian:Secure_Global_CA.pem
Adding debian:DigiCert_Global_Root_G3.pem
Adding debian:Security_Communication_RootCA2.pem
Adding debian:GlobalSign_ECC_Root_CA-R5.pem
Adding debian:DigiCert_Assured_ID_Root_G3.pem
Adding debian:Microsec_e-Szigno_Root_CA_2009.pem
Adding debian:GlobalSign_Root_CA-R3.pem
Adding debian:Entrust_Root_Certification_Authority-G2.pem
Adding debian:QuoVadis_Root_CA_1_G3.pem
Adding debian:TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi-Surum_1.pem
Adding debian:XRamp_Global_CA_Root.pem
Adding debian:ACCVRAIZ1.pem
Adding debian:GLOBALTRUST_2020.pem
Adding debian:Starfield_Root_Certificate_Authority-G2.pem
Adding debian:GTS_Root_R3.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_2009.pem
Adding debian:Amazon_Root_CA_1.pem
Adding debian:SecureSign_RootCA11.pem
Adding debian:AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
Adding debian:Baltimore_CyberTrust_Root.pem
Adding debian:CA_Disig_Root_R2.pem
Adding debian:Certum_Trusted_Root_CA.pem
Adding debian:Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
Adding debian:NAVER_Global_Root_Certification_Authority.pem
Adding debian:AffirmTrust_Commercial.pem
Adding debian:SSL.com_Root_Certification_Authority_ECC.pem
Adding debian:Actalis_Authentication_Root_CA.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
Adding debian:Trustwave_Global_ECC_P256_Certification_Authority.pem
Adding debian:Entrust_Root_Certification_Authority-EC1.pem
Adding debian:emSign_ECC_Root_CA-G3.pem
Adding debian:Izenpe.com.pem
Adding debian:Certum_Trusted_Network_CA.pem
Adding debian:AffirmTrust_Premium.pem
Adding debian:Certigna.pem
Adding debian:Certigna_Root_CA.pem
Adding debian:AC_RAIZ_FNMT-RCM.pem
Adding debian:Hongkong_Post_Root_CA_1.pem
Adding debian:QuoVadis_Root_CA_3_G3.pem
Adding debian:SwissSign_Silver_CA-G2.pem
Adding debian:Hongkong_Post_Root_CA_3.pem
Adding debian:Entrust_Root_Certification_Authority.pem
Adding debian:Starfield_Services_Root_Certificate_Authority-G2.pem
Adding debian:Entrust_Root_Certification_Authority-G4.pem
Adding debian:SecureTrust_CA.pem
Adding debian:Go_Daddy_Root_Certificate_Authority-G2.pem
Adding debian:AffirmTrust_Premium_ECC.pem
Adding debian:emSign_ECC_Root_CA-C3.pem
Adding debian:OISTE_WISeKey_Global_Root_GC_CA.pem
Adding debian:UCA_Extended_Validation_Root.pem
Adding debian:DigiCert_Assured_ID_Root_CA.pem
Adding debian:certSIGN_Root_CA_G2.pem
Adding debian:TWCA_Root_Certification_Authority.pem
Adding debian:DigiCert_Global_Root_CA.pem
Adding debian:Go_Daddy_Class_2_CA.pem
Adding debian:UCA_Global_G2_Root.pem
Adding debian:certSIGN_ROOT_CA.pem
Adding debian:EC-ACC.pem
Adding debian:TWCA_Global_Root_CA.pem
Adding debian:Starfield_Class_2_CA.pem
Adding debian:GlobalSign_Root_CA.pem
Adding debian:DigiCert_Global_Root_G2.pem
Adding debian:Security_Communication_Root_CA.pem
Adding debian:T-TeleSec_GlobalRoot_Class_2.pem
Adding debian:Entrust.net_Premium_2048_Secure_Server_CA.pem
Adding debian:QuoVadis_Root_CA_3.pem
Adding debian:COMODO_Certification_Authority.pem
Adding debian:Trustwave_Global_Certification_Authority.pem
Adding debian:Comodo_AAA_Services_root.pem
Adding debian:SSL.com_Root_Certification_Authority_RSA.pem
Adding debian:GTS_Root_R2.pem
Adding debian:Certum_EC-384_CA.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_EV_2009.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
Adding debian:Atos_TrustedRoot_2011.pem
Adding debian:GlobalSign_ECC_Root_CA-R4.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_ECC.pem
Adding debian:ISRG_Root_X1.pem
Adding debian:COMODO_RSA_Certification_Authority.pem
Adding debian:T-TeleSec_GlobalRoot_Class_3.pem
Adding debian:Microsoft_RSA_Root_Certificate_Authority_2017.pem
Adding debian:TeliaSonera_Root_CA_v1.pem
Adding debian:USERTrust_ECC_Certification_Authority.pem
Adding debian:GTS_Root_R1.pem
Adding debian:SZAFIR_ROOT_CA2.pem
Adding debian:QuoVadis_Root_CA_2.pem
Adding debian:GlobalSign_Root_E46.pem
Adding debian:GlobalSign_Root_CA-R6.pem
Adding debian:USERTrust_RSA_Certification_Authority.pem
Adding debian:Cybertrust_Global_Root.pem
Adding debian:ePKI_Root_Certification_Authority.pem
Adding debian:QuoVadis_Root_CA_2_G3.pem
Adding debian:GlobalSign_Root_R46.pem
Adding debian:DigiCert_Assured_ID_Root_G2.pem
Adding debian:Microsoft_ECC_Root_Certificate_Authority_2017.pem
Adding debian:NetLock_Arany=Class_Gold=Főtanúsítvány.pem
Adding debian:SwissSign_Gold_CA-G2.pem
Adding debian:Trustwave_Global_ECC_P384_Certification_Authority.pem
Adding debian:Certum_Trusted_Network_CA_2.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
Adding debian:GDCA_TrustAUTH_R5_ROOT.pem
Adding debian:Amazon_Root_CA_3.pem
Adding debian:emSign_Root_CA-_G1.pem
Adding debian:Amazon_Root_CA_2.pem
Adding debian:IdenTrust_Commercial_Root_CA_1.pem
Adding debian:E-Tugra_Certification_Authority.pem
Adding debian:e-Szigno_Root_CA_2017.pem
done.
Setting up default-jre-headless (2:1.11-72build2) ...
Setting up pdftk-java (3.2.2-1) ...
update-alternatives: using /usr/bin/pdftk.pdftk-java to provide /usr/bin/pdftk (
pdftk) in auto mode
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for ca-certificates (20211016ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Updating Mono key store
Mono Certificate Store Sync - version 6.8.0.105
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD license
d.
Importing into legacy system store:
I already trust 124, your new list has 124
Import process completed.
Importing into BTLS system store:
I already trust 124, your new list has 124
Import process completed.
Done

Answer 1

You snipped out the single line that would have answered this. Immediately before Adding debian:ANF_Secure_Server_Root_CA.pem was probably the line Setting up ca-certificates-java (20190909) ....

This indicates that the output following (all the "Adding debian:") lines came from the processing of the ca-certificates-java package. Further up in the output you'll notice ca-certificates-java in the section of output "The following additional packages will be installed".

So, it's not pdftk-java specifically which added/replaced/updated the certificate files, but a dependency of it. As pdftk-java is a java application, the packagers determined that when installed, it should recommend a java runtime, which subsequently requires the certificates accessible to the java runtime in the java keystore.

So in summary, installing pdftk-java then pulled in default-jre-headless which pulled in ca-certificates-java which pulled in ca-certificates (which you already had).

So, no, not malware, not anything to be worried about. This is all working normally.