Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
List of free rfc3161 servers.
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/?signature=sha2
http://timestamp.wosign.com
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://tsa.starfieldtech.com/
@ragnarekker
Copy link

ragnarekker commented Oct 13, 2020

Great compilation of timestamp authorities. Thanks!

Question: Why aren't servers generally on https? Its not important or..?

@Manouchehri
Copy link
Author

Manouchehri commented Nov 26, 2020

So for anyone wondering, here's a short list of which companies are "approved" by Adobe for signing: https://helpx.adobe.com/sign/using/custom-time-stamp-providers.html#ApprovedTimeStampProviders

There's also a longer list here: https://helpx.adobe.com/ca/acrobat/kb/approved-trust-list1.html

@arulrajnet That page is down at the moment, but I've replaced http://timestamp.comodoca.com/rfc3161 with http://timestamp.sectigo.com unless I hear otherwise. =)

@ragnarekker The signatures themselves can be validated, so HTTPS isn't technically required.

@mupaneu
Copy link

mupaneu commented Jan 6, 2021

zeitstempel.dfn.de is working fine on Linux when signing a LibreOfficeWriter to PDF export. I might try this on "my" Windows machine in LibreOffice in the office after lockdown as well. (A Windows machine is never mine, plus this is a machine my company owns.)

@zhanzhenzhen
Copy link

zhanzhenzhen commented Feb 15, 2021

I cannot use http://timestamp.digicert.com now. Anyone ran into the some problem?

@sln162
Copy link

sln162 commented Feb 16, 2021

@zhanzhenzhen I test no problem, but in China digicert easy to connect timeout, slow access and even packet loss, so it is not recommended to use, I suggest you use it http://time.certum.pl

@zhanzhenzhen
Copy link

zhanzhenzhen commented Feb 16, 2021

@sln162 I tested again and yes it seems there's no problem with OpenSSL, but when I tried to timestamp a PDF document using the DigiCert TSA in Adobe Acrobat Reader DC, it said the protocol is not supported. In the past I can timestamp PDF documents using DigiCert TSA but now I can't. I don't know why.

@zhanzhenzhen
Copy link

zhanzhenzhen commented Feb 16, 2021

@sln162 Sorry for the stupid mistake. I didn't find that there's an error on DigiCert's page:

https://knowledge.digicert.com/generalinformation/INFO4231.html

On that page there's only one slash http:/. I just copy and paste that. OpenSSL is error-tolerant, but Adobe Acrobat isn't error-tolerant.

Now DigiCert works fine.

@ervinewell
Copy link

ervinewell commented Mar 3, 2021

On macOS, I specified http://timestamp.entrust.net/TSS/RFC3161sha2TS for codesigning, and this caused error CSSMERR_TP_NOT_TRUSTED when verifying the signature. I switched to http://timestamp.apple.com/ts1 and it worked.
Anybody knows why or other solutions?
image

@nihebe
Copy link

nihebe commented Mar 10, 2021

Is anyone else getting a "server not found" in Adobe Reader for http://timestamp.globalsign.com/scripts/timestamp.dll?

Edit: Just saw that globalsign hosts another rfc3161 server at http://rfc3161timestamp.globalsign.com/advanced, which works perfectly in Adobe Reader. I'll go with that one from now on. :)

@seraphire
Copy link

seraphire commented Mar 18, 2021

Does anyone know the state of the http://rfc3161timestamp.globalsign.com time servers? I was originally using standard, and that stopped working, went to advanced which was working for a week, and just now, it's redirecting me to a page that makes it look like it's now a paid service? Is it a temporary outage or did they just make it a paid product?

@davej
Copy link

davej commented Mar 18, 2021

Hi @seraphire, just noticed the same. I'm not sure what's going on but I'm migrating to a different timestamp server.

@sln162
Copy link

sln162 commented Mar 18, 2021

First, SHA1 of globalsign has stopped supporting. Reference News: https://globalsign.cn/news/newsdetail_93.shtml
http://timestamp.globalsign.com/scripts/timstamp.dll is SHA1,so it's not available.
http://rfc3161timestamp.globalsign.com/advanced It can't be used half an hour ago. Just now, it's no problem. It may not be stable. You can use other ones first

@cassolmc
Copy link

cassolmc commented Mar 18, 2021

@seraphire It's a temporary outage...
image

@davej
Copy link

davej commented Mar 18, 2021

Thanks @cassolmc. Here's the GlobalSign status URL for anyone looking for it. https://status.globalsign.com/

@elbosso
Copy link

elbosso commented Mar 19, 2021

This is maybe a little off topic - but I built such a server for self hosting. It can be found at https://github.com/elbosso/rfc3161timestampingserver

@KumG
Copy link

KumG commented Mar 29, 2021

What is the difference between http://timestamp.globalsign.com/?signature=sha2 and http://rfc3161timestamp.globalsign.com/advanced ?

The first one is not RFC3161 compliant ? Does it change anything ?

@LukeSesame
Copy link

LukeSesame commented Apr 2, 2021

Hey Guys, i'm new in java and i want someone to help me. i need to know how to implement a Timestamp method/function using these TSA...
i want to know how to timestamp files.
Thank you.

@elbosso
Copy link

elbosso commented Apr 3, 2021

Hey Guys, i'm new in java and i want someone to help me. i need to know how to implement a Timestamp method/function using these TSA...
i want to know how to timestamp files.
Thank you.

Well - you can try and have a look at https://github.com/elbosso/rfc3161client

@go2ready
Copy link

go2ready commented Apr 21, 2021

Hi guys, I just found a new free TSA. http://tsa.mesign.com
I found it from their website: https://www.mesign.com/en-us/tsa/index.html
Hope this helps.

@sln162
Copy link

sln162 commented May 4, 2021

@go2ready It cannot be used for program signing.

@Neepawa
Copy link

Neepawa commented Jun 8, 2021

I did a complete review of every site on this list by trying to connect to them using elinks, a text-mode browser. Here are my results:

https://freetsa.org
-- YES! THIS ONE ACTUALLY WORKS!
-- It gives detailed instructions on how to use it with the OpenSSL toolset
-- Has a form where you can give data to the browsers, which will send a hash to their server

http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/?signature=sha2
http://rfc3161timestamp.globalsign.com/advanced
-- These sites all bring up the same page. It appears they no longer offer a free service.

https://timestamp.geotrust.com/tsa
-- Timed out

http://timestamp.sectigo.com
-- No longer a free service; must sign up for a trial. Their only link to a client application is from Microsoft.

http://timestamp.wosign.com
http://tsa.startssl.com/rfc3161
-- These two timed out with no output.

http://time.certum.pl
-- Retured the following output:
Time Stamp Service Version 2.0
Can only POST to TSA server.

http://timestamp.digicert.com
-- No ouput. Digicert no longer appears to offer anything for free, not even email sigining.

http://dse200.ncipher.com/TSS/HttpTspServer
-- Timed out; no output

http://tsa.safecreative.org
-- Page indicates the service is shutting down in July 2021

http://zeitstempel.dfn.de
-- Page returns the following text (from elinks):
DFN-Verein Kontakt und Support
Fehler
Ein Fehler ist aufgetreten.
Mit freundlichen Grüßen
Ihr DFN-PKI-Team
Impressum

https://ca.signfiles.com/tsa/get.aspx
-- Connect successfully; got back the following:
RFC 3161 and Autheticode TSA Server

http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
-- Both pages failed to respond; I had to kill elinks

http://timestamp.apple.com/ts01
-- Returns a page with a list of Apple's certificates

http://timestamp.entrust.net/TSS/RFC3161sha2TS
-- Connect successfully but got no output. It might be expecting POST data.

http://tsa.starfieldtech.com/
-- Site no longer exists

@Neepawa
Copy link

Neepawa commented Jun 8, 2021

David, it appears you're actively maintaining the list. I'd like to suggest you add text to the gist indicating when was the last time you updated it.

@Outtay
Copy link

Outtay commented Jun 9, 2021

@Neepawa
Pretty sure that this is not the way to test if they work or not. I'm still not entirely sure how to easily fully verify if the services are working, but if you look at freetsa.org in the "Basics: TCP-based client" it shows how the services can be talked to via openssl and curl.
Then you can see in the resulting tsr file whether it worked and so for example http://timestamp.digicert.com seems to output valid data. And so does http://rfc3161timestamp.globalsign.com/advanced

@Siebje
Copy link

Siebje commented Jun 15, 2021

Note that there is a new GlobalSign URL:
http://timestamp.globalsign.com/tsa/r6advanced1

I just used it and it works for me. The other GlobalSign URLs seem to be dead indeed.

@DarkIrata
Copy link

DarkIrata commented Jun 22, 2021

Don't use https://ca.signfiles.com/tsa/get.aspx
It is a demo server with open configuration.

More informations: https://www.signfiles.com/timestamping/

@JohnPlanetary
Copy link

JohnPlanetary commented Jul 12, 2021

As of 12-JULY-2021 here are the TSA that I know work and are available for real use:

Digicert:
http://timestamp.digicert.com
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512

GlobalSign:
http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512

Sectigo:
https://timestamp.sectigo.com
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512
Note: wait 15 seconds between each request.

Entrust:
http://timestamp.entrust.net/TSS/RFC3161sha2TS
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512

SwissSign:
http://tsa.swisssign.net
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512
Note: only 10 requests per day. For bigger quantities contact the company.

IDnomic:
http://kstamp.keynectis.com/KSign/
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Hash: up to SHA512

QuoVadis + Digicert:
http://tsa.quovadisglobal.com/TSS/HttpTspServer
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Hash: up to SHA512

IRN:
http://ts.cartaodecidadao.pt/tsa/server
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Hash: only SHA256
Note: only allows 20 requests in 20 minutes, if more requests are done the IP address will be blocked and legal consequences may happen.

ACCV:
http://tss.accv.es:8318/tsa
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Hash: up to SHA512

IZENPE:
http://tsa.izenpe.com
Credible: Yes . [Adobe: European Union Trusted Lists].
Hash: up to SHA512

CERTUM:
http://time.certum.pl
Credible: Yes . [Windows Cert Store]
Hash: up to SHA512

DFN:
http://zeitstempel.dfn.de
Credible: Yes . [Windows Cert Store]
Hash: up to SHA512
Note: commercial use forbidden.

CatCert:
http://psis.catcert.cat/psis/catcert/tsp
Credible: Yes . [Windows Cert Store]
Hash: up to SHA512

Symantec
http://sha256timestamp.ws.symantec.com/sha256/timestamp
Credible: Yes . [Windows Cert Store]
Hash: up to SHA512

GlobaSign:
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.globalsign.com/tsa/r6advanced1
Credible: Yes . [Windows Cert Store]
Hash: up to SHA512

Apple:
http://timestamp.apple.com/ts01
Credible: Yes. [Apple CA]
Hash: up to SHA512

FreeTSA:
https://freetsa.org/tsr
Credible: No.
Hash: up to SHA512

SafeStamper:
https://www.safestamper.com/tsa
Credible: No.
Hash: up to SHA512
Note: up to 5 requests per day. For bigger quantities contact the company.

MeSign:
http://tsa.mesign.com
Credible: No.
Hash: up to SHA512

WoTrust:
https://tsa.wotrus.com
Credible: No.
Hash: only SHA256
Note: wait 15 seconds between each request.

Lex-Persona:
http://tsa.lex-persona.com/tsa
Credible: No.
Hash: up to SHA512

@LukeSesame
Copy link

LukeSesame commented Aug 19, 2021

Hello everyone, could i know how you verified that ? do you use any Java program to verify those links ???
Thank you

@tostercx
Copy link

tostercx commented Oct 28, 2021

http://tsa.baltstamp.lt

In EU trust list, up to SHA512

Limitation applies to non-registered users: no more than 100 requests within one month; the beginning and the end of the month are defined in UTC time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment