List of free rfc3161 servers.

rfc3161.txt

http://timestamp.globalsign.com/scripts/timstamp.dll
https://timestamp.geotrust.com/tsa
http://timestamp.comodoca.com/rfc3161
http://timestamp.wosign.com
http://tsa.startssl.com/rfc3161
http://time.certum.pl
http://timestamp.digicert.com
https://freetsa.org
http://dse200.ncipher.com/TSS/HttpTspServer
http://tsa.safecreative.org
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.apple.com/ts01
http://timestamp.entrust.net/TSS/RFC3161sha2TS

I'm finding a free TSA that optimized for Asia users.
Do you know any?

(All above servers take at least 200ms for a ping response)

PS: The first server I've found is: http://tsa.wotrus.com (~75ms)

I finded new TSA server. You can use

http://oscp.cocbuilder.su/tsa.php

@Manouchehri ,,

Thanks for compiling this list.

My interest is in free general-purpose timestamping service (e.g. stamping pdf, zip files) and this page was near the top of Google's search results, so a good starting point for a comprehensive list of freeTSA servers, but some of the links appear to be dead

dse200.ncipher.com/TSS/HttpTspServer : address could not be found for either the full URL or the base address dse200.ncipher.com.

timestamp.geotrust.com/tsa : has been retired by Symantec and replaced with sha256timestamp.ws.symantec.com/sha256/timestamp (see INFORMATIONAL | Discontinued Use of (Legacy) SHA1 RFC 3161 timestamp service - DigiCert) and appears to be a direct link to their RFC3161 timestamper and not a "landing" page.

Not 100% certain but it looks like the "timestamp.dll" links are direct RFC3161 timestamp server links designed to be used for code-signing only (possibly by Microsoft's SignTool).

For what I came to this page for the best current (1/19/2019) link for genuinely free general-purpose timestamping is freetsa.org. No time to go through all the links, but this of interest so I will update this comment as time allows.

Thanks again for the scholarship compiling this resource.

Excellent resource! Is anyone generating, signing and timestamping PDFs on the fly? Currently working with TCPDF which signs ok but does not have time stamping implemented.

http://timestamp.entrust.net/TSS/RFC3161sha2TS

@jonybuzz Thanks, added.

@haleba-hotmail dse200.ncipher.com still resolves fine here. Could you try again?

@seagate00 Getting a connection refused for http://oscp.cocbuilder.su/tsa.php.

@Manouchehri

Double checked and it looks like the ncipher link is purely a timestamping server to be accessed via software like openssl and not a web site based service like freetsa, so simply putting the base address in a browser yields a "no page found" error, but it resolves fine in tracert.

Looks like http://timestamp.globalsign.com/scripts/timstamp.dll is now paid product.

GlobalSign's trusted timestamping Software as a Service (SaaS) provides a low cost and easy method

http://tsa.startssl.com/rfc3161
http://tsp.iaik.tugraz.at/tsp/TspRequest
Can be removed from the list. While they get sign successfully, they aren't trusted by windows.

It appears that http://timestamp.verisign.com/scripts/timstamp.dll no longer functions.

Edit: The downtime of the verisign service was temporary, and it came back online a few hours after going down.

I tried using 1st URL (symantec) but it did not work.
I want to sign the exe file using SHA256. And I'm using C# language.
Is there any other URL which can be used for SHA256?
Please help.. Its urgent.
Thanks in advance!!!

Digicert has announced that the former Verisign and Symantec time stamping services are deprecated; see [https://knowledge.digicert.com/alerts/migration-of-legacy-verisign-and-symantec-time-stamping-services.html] for their announcement. The three services timestamp.verisign.com/scripts/timstamp.dll, sha1timestamp.ws.symantec.com/sha1/timestamp, and sha256timestamp.ws.symantec.com/sha256/timestamp will go offline on or about Oct 31, 2019. They provide timestamp.digicert.com as the recommended replacement.

@RPaulProxy Thanks for the heads up, I've removed those two from my list.

I think long term it'd be a good idea to put this list into a library like https://github.com/trbs/rfc3161ng where URLs could be tested automatically.

I'm finding a free TSA that optimized for Asia users.
Do you know any?

(All above servers take at least 200ms for a ping response)

PS: The first server I've found is: http://tsa.wotrus.com (~75ms)

This works fine Thanks mate

Anyone here has any experience with a Philippine-based TSA?

FreeTSA does not work in Adobe Acroboat. FreeTSA just gives an error message, then Adobe grabs time from the own computer.

For many of the above TSAI get I validation error (in Adobe Acrobat PRO) that
"The signature includes an embedded timestamp but it could not be verified".
I get this validation error for:
http://zeitstempel.dfn.de
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://time.certum.pl
http://dss.nowina.lu/pki-factory/tsa/good-tsa
http://time.certum.pl
http://timestamp.digicert.com

Are there any free/open TSAs that yield verifiable timestamps?

@JohanVeBe Try http://timestamp.digicert.com. That's likely a CA you already have whitelisted.

@JohanVeBe Try http://timestamp.digicert.com. That's likely a CA you already have whitelisted.

Thanks!
Yes, that one works!

Hi Everyone :) Just giving feedback in the latest list of Timestamping Servers, using Foxit Reader v9.7.2, located here in the Philippines on the PLDT network:

1. Works with actual name displayed:

http://time.certum.pl
http://timestamp.comodoca.com/rfc3161
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.globalsign.com/scripts/timstamp.dll
added: http://tsa.wotrus.com

2. Works, but does not display signers name or wrong signers name displayed:

http://timestamp.apple.com/ts01
http://timestamp.digicert.com
https://ca.signfiles.com/tsa/get.aspx
http://tsa.startssl.com/rfc3161
https://freetsa.org

3. Does not work either network anomaly or corrupt PDF:

https://timestamp.geotrust.com/tsa
http://timestamp.wosign.com
http://dse200.ncipher.com/TSS/HttpTspServer
http://tsa.safecreative.org
http://zeitstempel.dfn.de
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest

@Manouchehri
http://rfc3161timestamp.globalsign.com/advanced
Globalsign also has a new URL

@jmk92: Thanks! Before I add it to the list, what's the difference between http://rfc3161timestamp.globalsign.com/advanced and http://timestamp.globalsign.com/scripts/timstamp.dll?

@Manouchehri
There's actually another one http://timestamp.globalsign.com/?signature=sha2

1. http://timestamp.globalsign.com/scripts/timstamp.dll
2. http://timestamp.globalsign.com/?signature=sha2
3. http://rfc3161timestamp.globalsign.com/advanced
   They use different signature algorithms, 1 for SHA1, 2 and 3 for sha256, which are also different certificate chains.

1)GlobalSign Root CA ----GlobalSign Timestamping CA - G2----GlobalSign TSA for Standard - G2
2)GlobalSign----GlobalSign Timestamping CA - SHA256 - G2----GlobalSian TSA for Advanced - G2
3)GlobalSign----GlobalSign Timestamping CA - SHA256 - G2----GlobalSign TSA for Advanced - G3 - 003-01

1 and 2 are the same timestamp.globalsign.com , DNS resolution, the vast majority of which was given to cloudflare, and a small part to fastly.com , part of China has been handed over to aliyun CDN (but recently HTTP 403 is not available in China)

DNS of 3 only resolves to cloudflare, and the stability is not necessarily worse than 1 and 2, everyone needs to actually test availability and speed based on their geographic location, I am used to MTR, compare loss and delay

http://timestamp.comodoca.com/rfc3161 is failing with Microsoft signtool right now. Changing server fixes it.

@hmoffatt

I just tested that signool can be used. I saw that your geographical location is Australia, so I started the test with multiple servers. There is no problem with the network. I guess it may be related to your signool settings.

Sectigo (comodoca) on May 31, Authenticode's timestamp certificate expired, so Authenticode cannot be used for signature, but it can be signed by using rfc3161, because they are different certificate chains. I think you may have this problem. Try changing the signtool parameter, adding / TD sha256, and forcing rfc3161

@jmk92 aha possibly because I am signing sha1 (then we sign sha256 next). I switched to timestamp.digicert.com.

@hmoffatt I just tested that I can use sectigo (comodoca) double signature. It is OK for sha1 and sha256 to use it. The certificate is: Sectigo RSA Time Stamping Signer #1

@jmk92

signtool sign /v /f "my.p12" /p "mypassword" /tr "http://timestamp.comodoca.com/authenticode" /du "http://mydomain.com/" /fd sha1 "my.exe"
The following certificate was selected:

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146869243/0x80096005)

@hmoffatt
signtool sign /v /f "my.p12" /p "mypassword" /td sha256 /tr "http://timestamp.comodoca.com/rfc3161" /du "http://mydomain.com/" /fd sha1 "my.exe"

You try this, I added the / TD option, as well as the URL. In fact, sectigo (comodoca) can be used without / rfc3161. direct http://timestamp.comodoca.com , or http://timestamp.sectigo.com

Thanks that is working. It also works with the timestamp.digicert.com server, which is faster for me than the comodoca.com server.

timestamp.globalsign.com Some time ago, due to the problem of CDN configuration in China, it could not be used. Now it has been fixed by them. Now it can be used normally in China

Thank you to @hmoffatt for bringing this up and to @jmk92 for explaining the problem and showing the solution. My automated builds suddenly started failing a couple weeks ago with a cryptic "SignTool internal error", which some suggested could be related to RFC time-stamping server, and indeed adding /td sha256 to signtool.exe command line worked. I'm using the http://timestamp.comodoca.com/rfc3161 server.

I still wonder what has changed, though. Did Comodo start defaulting to SHA-1 instead of SHA-256? Or did Signtool start requiring SHA-256 which previously was not a requirement? But signtool.exe didn't change, I literally have it in my repository under version control.

Although it is still under development, it is a service to put a time stamp on PDF, Image, Web page. It's still free now, so try it! (URL may change in the future)
I would be happy if you could give me your impressions.

https://ezts.net/

Tell me if you know the CA on the Adobe Approved Trust List that will sign your self-signed TSA certificate at a low cost.

Thank you to @hmoffatt for bringing this up and to @jmk92 for explaining the problem and showing the solution. My automated builds suddenly started failing a couple weeks ago with a cryptic "SignTool internal error", which some suggested could be related to RFC time-stamping server, and indeed adding /td sha256 to signtool.exe command line worked. I'm using the http://timestamp.comodoca.com/rfc3161 server.

I still wonder what has changed, though. Did Comodo start defaulting to SHA-1 instead of SHA-256? Or did Signtool start requiring SHA-256 which previously was not a requirement? But signtool.exe didn't change, I literally have it in my repository under version control.

Sectigo/Comodo acknowledged that there’s an issue with their time stamping server:

Thank you for contacting Sectigo Technical support. We are sorry for the delay in response. Yes, there is a issue with the timestamp server and our team is investigating the issue. We will get back to you with an update at earliest.

I am using Microsoft MSIX packaging tool which just stopped working with http://timestamp.comodoca.com/ recently.

@Manouchehri I found another one http://tsa.starfieldtech.com/

As per this they recommend to use http://timestamp.sectigo.com

we recommend you use a time stamp from http://timestamp.sectigo.com instead of http://timestamp.comodoca.com.

Verify TSA with openssl

touch test.txt
openssl ts -query -data test.txt -cert -sha256 -no_nonce -out request.tsq
cat request.tsq | curl -sSL -H 'Content-Type: application/timestamp-query' --data-binary @- http://timestamp.sectigo.com -o response.tsr
openssl ts -reply -in response.tsr -text