Skip to content

Instantly share code, notes, and snippets.

@Manouchehri
Last active December 4, 2024 17:25
Show Gist options
  • Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
List of free rfc3161 servers.
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@elbosso
Copy link

elbosso commented Apr 3, 2021

Hey Guys, i'm new in java and i want someone to help me. i need to know how to implement a Timestamp method/function using these TSA...
i want to know how to timestamp files.
Thank you.

Well - you can try and have a look at https://github.com/elbosso/rfc3161client

@go2ready
Copy link

go2ready commented Apr 21, 2021

Hi guys, I just found a new free TSA. http://tsa.mesign.com
I found it from their website: https://www.mesign.com/en-us/tsa/index.html
Hope this helps.

@sln162
Copy link

sln162 commented May 4, 2021

@go2ready It cannot be used for program signing.

@Neepawa
Copy link

Neepawa commented Jun 8, 2021

I did a complete review of every site on this list by trying to connect to them using elinks, a text-mode browser. Here are my results:

https://freetsa.org
-- YES! THIS ONE ACTUALLY WORKS!
-- It gives detailed instructions on how to use it with the OpenSSL toolset
-- Has a form where you can give data to the browsers, which will send a hash to their server

http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/?signature=sha2
http://rfc3161timestamp.globalsign.com/advanced
-- These sites all bring up the same page. It appears they no longer offer a free service.

https://timestamp.geotrust.com/tsa
-- Timed out

http://timestamp.sectigo.com
-- No longer a free service; must sign up for a trial. Their only link to a client application is from Microsoft.

http://timestamp.wosign.com
http://tsa.startssl.com/rfc3161
-- These two timed out with no output.

http://time.certum.pl
-- Retured the following output:
Time Stamp Service Version 2.0
Can only POST to TSA server.

http://timestamp.digicert.com
-- No ouput. Digicert no longer appears to offer anything for free, not even email sigining.

http://dse200.ncipher.com/TSS/HttpTspServer
-- Timed out; no output

http://tsa.safecreative.org
-- Page indicates the service is shutting down in July 2021

http://zeitstempel.dfn.de
-- Page returns the following text (from elinks):
DFN-Verein Kontakt und Support
Fehler
Ein Fehler ist aufgetreten.
Mit freundlichen Grüßen
Ihr DFN-PKI-Team
Impressum

https://ca.signfiles.com/tsa/get.aspx
-- Connect successfully; got back the following:
RFC 3161 and Autheticode TSA Server

http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
-- Both pages failed to respond; I had to kill elinks

http://timestamp.apple.com/ts01
-- Returns a page with a list of Apple's certificates

http://timestamp.entrust.net/TSS/RFC3161sha2TS
-- Connect successfully but got no output. It might be expecting POST data.

http://tsa.starfieldtech.com/
-- Site no longer exists

@Neepawa
Copy link

Neepawa commented Jun 8, 2021

David, it appears you're actively maintaining the list. I'd like to suggest you add text to the gist indicating when was the last time you updated it.

@Outtay
Copy link

Outtay commented Jun 9, 2021

@Neepawa
Pretty sure that this is not the way to test if they work or not. I'm still not entirely sure how to easily fully verify if the services are working, but if you look at freetsa.org in the "Basics: TCP-based client" it shows how the services can be talked to via openssl and curl.
Then you can see in the resulting tsr file whether it worked and so for example http://timestamp.digicert.com seems to output valid data. And so does http://rfc3161timestamp.globalsign.com/advanced

@Siebje
Copy link

Siebje commented Jun 15, 2021

Note that there is a new GlobalSign URL:
http://timestamp.globalsign.com/tsa/r6advanced1

I just used it and it works for me. The other GlobalSign URLs seem to be dead indeed.

@DarkIrata
Copy link

Don't use https://ca.signfiles.com/tsa/get.aspx
It is a demo server with open configuration.

More informations: https://www.signfiles.com/timestamping/

@JohnPlanetary
Copy link

JohnPlanetary commented Jul 12, 2021

As of 27-AUGUST-2024 here are the TSA that I know work and are available for real use.
Do your own investigation in order to find if any is appropriate for your use case.
"Credible" information is personal opinion based on information that I found, doesn't mean that the service is not credible at least in certain jurisdictions.

Digicert:
http://timestamp.digicert.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512

GlobalSign:
http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

Sectigo:
https://timestamp.sectigo.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.

Sectigo EU Qualified:
https://timestamp.sectigo.com/qualified
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.

Entrust:
http://timestamp.entrust.net/TSS/RFC3161sha2TS
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

SwissSign:
http://tsa.swisssign.net
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA512
Note: only 10 requests per day. For bigger quantities contact the company.

QuoVadis + Digicert:
http://ts.quovadisglobal.com/ch
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

QuoVadis + Digicert [EU]:
http://ts.quovadisglobal.com/eu
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

SSL.COM:
http://ts.ssl.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

IdenTrust:
http://timestamp.identrust.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

Belgium Federal Goverment:
http://tsa.belgium.be/connect
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

IRN:
http://ts.cartaodecidadao.pt/tsa/server
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256
Note: only allows 20 requests in 20 minutes, if more requests are done the IP address will be blocked and legal consequences may happen.

ACCV:
http://tss.accv.es:8318/tsa
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: personal use only. For commercial use contact the entity.

BalTstamp:
http://tsa.baltstamp.lt
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512
Note: only allows 100 requests per each month per IP.

APED:
https://timestamp.aped.gov.gr/qtss
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

SEP Bulgaria:
http://tsa.sep.bg
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512

IZENPE:
http://tsa.izenpe.com
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

CERTUM:
http://time.certum.pl
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512

GlobaSign:
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.globalsign.com/tsa/r6advanced1
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

Microsoft
http://timestamp.acs.microsoft.com
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512

Apple:
http://timestamp.apple.com/ts01
Credible: Yes. [Apple CA].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512

Trustwave:
http://timestamp.ssl.trustwave.com
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

Free TSA:
https://freetsa.org/tsr
Credible: No.
Server returns the expected hash value for: SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512

DFN:
http://zeitstempel.dfn.de
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: commercial use forbidden.

CatCert:
http://psis.catcert.cat/psis/catcert/tsp
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512

Codegic:
https://pki.codegic.com/codegic-service/timestamp
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

MeSign:
https://tsa.mesign.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512

WoTrus:
https://tsa.wotrus.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
Note: wait 15 seconds between each request.

Lex-Persona:
http://tsa.lex-persona.com/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

Cesnet:
(ESSCertIDv2:)
https://tsa.cesnet.cz:5817/tsa
http://tsa.cesnet.cz:5816/tsa
(ESSCertID:)
https://tsa.cesnet.cz:3162/tsa
http://tsa.cesnet.cz:3161/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

Free TSA Server www.signfiles.com:
http://ca.signfiles.com/TSAServer.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

chain-provider.com:
http://aloahacoin.chain-provider.com/tsa.aspx
Credible: No.
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512

TSA-SINPE:
http://tsa.sinpe.fi.cr/tsaHttp/
Credible: No.
Server returns the expected hash value for: SHA256, SHA512
Working Hashes: SHA256, SHA512

Mahidol University - TSA:
https://tsa.mahidol.ac.th/tsa/get.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512

SDA GOV GE:
http://tsa.cra.ge/signserver/tsa?workerName=qtsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512

CNBS:
http://tss.cnbs.gob.hn/TSS/HttpTspServer
Credible: No.
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256

MConnect - Monaco:
https://time.mconnect.mc
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256

@LukeSesame
Copy link

Hello everyone, could i know how you verified that ? do you use any Java program to verify those links ???
Thank you

@tostercx
Copy link

tostercx commented Oct 28, 2021

http://tsa.baltstamp.lt

In EU trust list, up to SHA512

Limitation applies to non-registered users: no more than 100 requests within one month; the beginning and the end of the month are defined in UTC time.

@Sean-creative
Copy link

It helped me a lot. Thank you :)

@Manouchehri
Copy link
Author

I've added my experimental load balancer to this list. Hopefully, the first URL should "just work" for most applications like Adobe, but you can specify the type of service by appending it to the URL too.

@venerguevarra
Copy link

This http://tsa.starfieldtech.com/ doesn't work anymore

@Manouchehri
Copy link
Author

You're right, thanks. Removed it from the list completely.

dave@mbp ~ % dig tsa.starfieldtech.com @8.8.8.8 +tcp

; <<>> DiG 9.10.6 <<>> tsa.starfieldtech.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tsa.starfieldtech.com.		IN	A

;; AUTHORITY SECTION:
starfieldtech.com.	1614	IN	SOA	cns1.secureserver.net. dns.jomax.net. 2023011200 3600 600 1209600 3600

;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 27 15:33:35 EST 2023
;; MSG SIZE  rcvd: 117

@venerguevarra
Copy link

@Manouchehri Thank you. I think the list should also not contain the following as they are not working anymore

@Manouchehri
Copy link
Author

You are correct. My team had already removed those from our rfc3161.ai.moda load balancer, but I forgot to update the list here too.

@karelbilek
Copy link

@vasekkral
Copy link

vasekkral commented Nov 21, 2023

http://ts.ssl.com

Is there link to certificate(s) that are used for the TimeStamp? We need to put them into trusted list.

Found here: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/

@karelbilek
Copy link

@JohnPlanetary WOW thanks for that list, it really helped.

@JohnPlanetary
Copy link

@JohnPlanetary WOW thanks for that list, it really helped.

Happy for having been useful.

@mherrmann
Copy link

Do https:// URLs actually work for anyone with signtool? I'm getting:

SignTool Error: Invalid Timestamp URL: https://...

Both for signtool /t and for signtool /tr.

@JohnPlanetary
Copy link

I've tried the https:// url's and no, it is not working, it appears the same error.

SignTool sign /fd SHA512 /a /f certificate.pfx /p MYPASSWORD /td SHA384 /tr https://timestamp.sectigo.com c:\sign\MyProgram.exe
SignTool Error: Invalid Timestamp URL: https://timestamp.sectigo.com

The good news is that the http:// still works fine, and most common TimeStamp servers don't even have the https:// version working at all.
But I'm sure the https version did work fine on the past, some update to Windows must have messed up things.

I've had the Windows SDK signing tool 10.0.19041.0, but even in the latest 10.0.22621.0 that I downloaded from: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ still doesn't work, so isn't just a question of updating the tool, unfortunately something else probably needs to be changed by Microsoft.

@Manouchehri
Copy link
Author

My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.

@danvy
Copy link

danvy commented May 30, 2024

My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.

@Manouchehri Could you explain what's behind this service ?

@Manouchehri
Copy link
Author

Could you explain what's behind this service ?

@danvy It's a load balancer that:

  1. Response validation of the timestamp reply before returning it to you.
  2. Automatic retrying. e.g. if one of the upstream servers returns an invalid timestamp reply, we automatically return the next valid response from the next server.
  3. Fans out to multiple trusted timestamping servers in parallel. The two steps above happen in multiple threads, so you will always get the fastest response possible, even if the first upstream CA returns us an error (you won't see the error, we handle that).
  4. Allow CORS requests.
  5. We update the upstream CAs in our list server-side. i.e. You should never need to update your RFC3161 URL in your application if you use any of the https://rfc3161.ai.moda/[*] URLs. e.g. today I noticed that IDnomic/Keynectis took their server down, but we already had 7 fallbacks for https://rfc3161.ai.moda/adobe and 8 fallbacks for https://rfc3161.ai.moda/windows, so it resulted in zero downtime for anyone.

Out of 1.33 million requests this month, we've had 60 errors. So roughly a 99.995% success rate.

@itdevwu
Copy link

itdevwu commented Jul 7, 2024

Hi, @Manouchehri. I wonder if there is any document discribing diffrences between each suffix of https://rfc3161.ai.moda/[*]?

@rschultheis
Copy link

Hello users of Trusted Timestamps. I would like to add my own site to the list: https://timestampit.com/. TimeStampIt! is a TSA and it is only a TSA. We do not however offer RFC3161 timestamps, but a new design based on plain text encoded trusted timestamps. I built it because a) RFC3161 timestamps are not easy to work with, and b) there really was not a good dedicated TSA that felt like I could build a commercial application on top of.

It is brand new and experimental. I would love any feedback you might have on it! info at timestampit dot com 💚. If there is enough demand I could even add support for RFC3161 timestamps. But honestly I would rather keep innovating in other directions.

@Manouchehri
Copy link
Author

@rschultheis RFC3161 is super easy to work with, lots of programs support it out of the box. I've been using it for years on all of my important PDFs, even those non-technical can see the timestamps easily.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment