-
-
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
https://rfc3161.ai.moda | |
https://rfc3161.ai.moda/adobe | |
https://rfc3161.ai.moda/microsoft | |
https://rfc3161.ai.moda/apple | |
https://rfc3161.ai.moda/any | |
http://rfc3161.ai.moda | |
http://timestamp.digicert.com | |
http://timestamp.globalsign.com/tsa/r6advanced1 | |
http://rfc3161timestamp.globalsign.com/advanced | |
http://timestamp.sectigo.com | |
http://timestamp.apple.com/ts01 | |
http://tsa.mesign.com | |
http://time.certum.pl | |
https://freetsa.org | |
http://tsa.startssl.com/rfc3161 | |
http://dse200.ncipher.com/TSS/HttpTspServer | |
http://zeitstempel.dfn.de | |
https://ca.signfiles.com/tsa/get.aspx | |
http://services.globaltrustfinder.com/adss/tsa | |
https://tsp.iaik.tugraz.at/tsp/TspRequest | |
http://timestamp.entrust.net/TSS/RFC3161sha2TS |
As of 16-MARCH-2024 here are the TSA that I know work and are available for real use.
Do your own investigation in order to find if any is appropriate for your use case.
"Credible" information is personal opinion based on information that I found, doesn't mean that the service is not credible at least in certain jurisdictions.
Digicert:
http://timestamp.digicert.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
GlobalSign:
http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Sectigo:
https://timestamp.sectigo.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Sectigo EU Qualified:
https://timestamp.sectigo.com/qualified
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Entrust:
http://timestamp.entrust.net/TSS/RFC3161sha2TS
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
SwissSign:
http://tsa.swisssign.net
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA512
Note: only 10 requests per day. For bigger quantities contact the company.
Docusign:
http://kstamp.keynectis.com/KSign/
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
QuoVadis + Digicert:
http://ts.quovadisglobal.com/ch
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
QuoVadis + Digicert [EU]:
http://ts.quovadisglobal.com/eu
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
SSL.COM:
http://ts.ssl.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
IdenTrust:
http://timestamp.identrust.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Belgium Federal Goverment:
http://tsa.belgium.be/connect
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
IRN:
http://ts.cartaodecidadao.pt/tsa/server
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256
Note: only allows 20 requests in 20 minutes, if more requests are done the IP address will be blocked and legal consequences may happen.
ACCV:
http://tss.accv.es:8318/tsa
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: personal use only. For commercial use contact the entity.
BalTstamp:
http://tsa.baltstamp.lt
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512
Note: only allows 100 requests per each month per IP.
APED:
https://timestamp.aped.gov.gr/qtss
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SEP Bulgaria:
http://tsa.sep.bg
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
IZENPE:
http://tsa.izenpe.com
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
CERTUM:
http://time.certum.pl
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Symantec:
http://sha256timestamp.ws.symantec.com/sha256/timestamp
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
GlobaSign:
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.globalsign.com/tsa/r6advanced1
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Republic of Estonia - Information System Authority:
http://dd-at.ria.ee/tsa
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA512
Working Hashes: SHA256, SHA384, SHA512
Note 1: personal use only.
Note 2: only allows 2000 requests per each month per IP.
Apple:
http://timestamp.apple.com/ts01
Credible: Yes. [Apple CA].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Trustwave:
http://timestamp.ssl.trustwave.com
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA:
https://freetsa.org/tsr
Credible: No.
Server returns the expected hash value for: SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
DFN:
http://zeitstempel.dfn.de
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: commercial use forbidden.
CatCert:
http://psis.catcert.cat/psis/catcert/tsp
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Codegic:
https://pki.codegic.com/codegic-service/timestamp
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
MeSign:
https://tsa.mesign.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
WoTrus:
https://tsa.wotrus.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
Note: wait 15 seconds between each request.
Lex-Persona:
http://tsa.lex-persona.com/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Cesnet:
(ESSCertIDv2:)
https://tsa.cesnet.cz:5817/tsa
http://tsa.cesnet.cz:5816/tsa
(ESSCertID:)
https://tsa.cesnet.cz:3162/tsa
http://tsa.cesnet.cz:3161/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA Server www.signfiles.com:
http://ca.signfiles.com/TSAServer.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
chain-provider.com:
http://aloahacoin.chain-provider.com/tsa.aspx
Credible: No.
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
TSA-SINPE:
http://tsa.sinpe.fi.cr/tsaHttp/
Credible: No.
Server returns the expected hash value for: SHA256, SHA512
Working Hashes: SHA256, SHA512
Mahidol University - TSA:
https://tsa.mahidol.ac.th/tsa/get.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SDA GOV GE:
http://tsa.cra.ge/signserver/tsa?workerName=qtsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
CNBS:
http://tss.cnbs.gob.hn/TSS/HttpTspServer
Credible: No.
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
MConnect - Monaco:
https://time.mconnect.mc
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256
Hello everyone, could i know how you verified that ? do you use any Java program to verify those links ???
Thank you
In EU trust list, up to SHA512
Limitation applies to non-registered users: no more than 100 requests within one month; the beginning and the end of the month are defined in UTC time.
It helped me a lot. Thank you :)
I've added my experimental load balancer to this list. Hopefully, the first URL should "just work" for most applications like Adobe, but you can specify the type of service by appending it to the URL too.
This http://tsa.starfieldtech.com/ doesn't work anymore
You're right, thanks. Removed it from the list completely.
dave@mbp ~ % dig tsa.starfieldtech.com @8.8.8.8 +tcp
; <<>> DiG 9.10.6 <<>> tsa.starfieldtech.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tsa.starfieldtech.com. IN A
;; AUTHORITY SECTION:
starfieldtech.com. 1614 IN SOA cns1.secureserver.net. dns.jomax.net. 2023011200 3600 600 1209600 3600
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 27 15:33:35 EST 2023
;; MSG SIZE rcvd: 117
@Manouchehri Thank you. I think the list should also not contain the following as they are not working anymore
You are correct. My team had already removed those from our rfc3161.ai.moda
load balancer, but I forgot to update the list here too.
Is there link to certificate(s) that are used for the TimeStamp? We need to put them into trusted list.
Found here: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/
@JohnPlanetary WOW thanks for that list, it really helped.
@JohnPlanetary WOW thanks for that list, it really helped.
Happy for having been useful.
Do https://
URLs actually work for anyone with signtool
? I'm getting:
SignTool Error: Invalid Timestamp URL: https://...
Both for signtool /t
and for signtool /tr
.
I've tried the https:// url's and no, it is not working, it appears the same error.
SignTool sign /fd SHA512 /a /f certificate.pfx /p MYPASSWORD /td SHA384 /tr https://timestamp.sectigo.com c:\sign\MyProgram.exe
SignTool Error: Invalid Timestamp URL: https://timestamp.sectigo.com
The good news is that the http:// still works fine, and most common TimeStamp servers don't even have the https:// version working at all.
But I'm sure the https version did work fine on the past, some update to Windows must have messed up things.
I've had the Windows SDK signing tool 10.0.19041.0, but even in the latest 10.0.22621.0 that I downloaded from: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ still doesn't work, so isn't just a question of updating the tool, unfortunately something else probably needs to be changed by Microsoft.
My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.
Don't use https://ca.signfiles.com/tsa/get.aspx
It is a demo server with open configuration.
More informations: https://www.signfiles.com/timestamping/