Skip to content

Instantly share code, notes, and snippets.

@Manouchehri
Last active October 7, 2024 07:43
Show Gist options
  • Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
List of free rfc3161 servers.
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@ErikKnowles
Copy link

Symantec's timestamp server appears to be defunct. See this.

@dallmair
Copy link

We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com

@Manouchehri
Copy link
Author

Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?

I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?

@Manouchehri
Copy link
Author

We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com

Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!

@vasekkral
Copy link

vasekkral commented Sep 3, 2024

Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?

I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?

I mean list of URLs to all CAs root certificates so we can download them and put to trusted list.
I can find one for ssl.com for example: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#ftoc-heading-4

But where can I find CA root certificate for TSA http://timestamp.acs.microsoft.com

The thing is we cannot make proper TSA request without having it's CA root certificate in local trusted list.
When the TSA can be done with any server from the list https://rfc3161.ai.moda/servers.json (thanks, that's quite nice), we need to have all root certificates in one place.

@Pique7
Copy link

Pique7 commented Sep 8, 2024

Hello! What can these servers be used for? Are they suitable for productive systems?
I am currently looking for a solution to sign log entries with some kind of trusted timestamp.

@Manouchehri
Copy link
Author

@Pique7 You can use them for anything, many folks are using https://rfc3161.ai.moda in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).

@chimmmpie
Copy link

How can i verify the timestamp? I get a response from a random server. But i also would like to verify this response locally. But for that i need CA and intermediate files i think. Could u also expose those/add them to the server list? I assume your backend has them in order to verify the response. Bonus for a example command :)

@paris-ci
Copy link

paris-ci commented Oct 4, 2024

@chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service

#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail

# Check that we have the name of the TSA service as a first arg and the URL as a second arg
if [ "$#" -ne 2 ]; then
    echo "Illegal number of parameters"
    echo "Usage: $0 <TSA_URL> <TSA_NAME>"
    exit 1
fi

TSA_URL=$1
TSA_NAME=$2

echo "==> We are trying to get the TSA certificate from the following service : $TSA_NAME ($TSA_URL)"

echo "==> Sending a signature request..."
openssl rand 256 | openssl ts -query -data - -cert -sha256 | curl -s -S --data-binary @- "$TSA_URL" --header "Content-Type: application/timestamp-query" -o - -v > "$TSA_NAME.reply.tsr"

echo "==> Verifying the response..."
openssl ts -reply -text -in "$TSA_NAME.reply.tsr" || (echo "==> Verification failed :" && cat "$TSA_NAME.reply.tsr" && rm "$TSA_NAME.reply.tsr" && exit 1)

echo "==> Extracting the token..."
openssl ts -reply -in "$TSA_NAME.reply.tsr" -token_out -out "$TSA_NAME.token.tk"

echo "==> Extracting the TSA certificate..."
openssl pkcs7 -inform DER -in "$TSA_NAME.token.tk" -print_certs -outform PEM -out "$TSA_NAME.cer"

echo "==> Extracting the TSA certificate as a .crt..."
openssl x509 -inform PEM -in "$TSA_NAME.cer" -out "$TSA_NAME.crt"

rm "$TSA_NAME.reply.tsr" "$TSA_NAME.token.tk"

Call it like ./request_crt.sh http://timestamp.acs.microsoft.com/ microsoft to get everything in microsoft.crt

@vasekkral
Copy link

I have made a script that extracts the .cer / .crt from a timestamping service

Thanks, that is great!

Would it be possible to make version of the script that downloads all certs for servers provided by https://rfc3161.ai.moda/servers.json?

@chimmmpie
Copy link

chimmmpie commented Oct 7, 2024

@chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service

That looks interesting. But it would suggest to me that the cert is already in the response? Or does anyone think that some of the openssl commands will fetch it in the background?

@paris-ci
Copy link

paris-ci commented Oct 7, 2024

The -certpart in openssl ts -query -data - -cert -sha256 asks the TSA to return its cert as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment