Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/rfc3161.txt

Last active May 23, 2025 07:17
Show Gist options
  • Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Download ZIP
List of free rfc3161 servers.
Raw
rfc3161.txt
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@kashmirix
Copy link

kashmirix commented Mar 12, 2025
edited
Loading

rfc3161 timestamping servers – March 2025 update

[#] = LTV (long-term validity) enabled
[*] = increased sigvalue size; if using Adobe Acrobat on Windows, a registry modification may be required in accordance with these instructions

Working

QUALIFIED (EU Trust List)

http://tss.accv.es:8318/tsa [#]
https://timestamp.aped.gov.gr/qtss [*]
http://tsa.baltstamp.lt [#]
http://tsa.belgium.be/connect [#]
http://ts.cartaodecidadao.pt/tsa/server [LTV]
http://ts.quovadisglobal.com/eu [# *]
http://tsa.izenpe.com [#]
http://timestamp.sectigo.com/qualified

TRUSTED (Adobe Trust List)

http://rfc3161.ai.moda (and other URL variants) [*]
http://timestamp.digicert.com
http://timestamp.comodoca.com (and other URL variants) [*]
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.identrust.com
http://ts.quovadisglobal.com/ch [*]
http://timestamp.sectigo.com
http://ts.ssl.com
http://tsa.swisssign.net [*]
https://tsa.wotrus.com

UNTRUSTED

http://timestamp.apple.com/ts01
http://time.certum.pl [*]
https://tsa.cesnet.cz:3162/tsa
http(s)://zeitstempel.dfn.de [*]
http://tsa.sinpe.fi.cr/tsaHttp/ (trailing slash required)
http://timestamp.globalsign.com/advanced (and other URL variants)
https://freetsa.org/tsr
http://tsa.lex-persona.com/tsa
https://tsa.mahidol.ac.th/tsa/get.aspx
https://time.mconnect.mc
http://timestamp.acs.microsoft.com
http://dss.nowina.lu/pki-factory/tsa/good-tsa
http://timestamp.ssl.trustwave.com

Not working

http://psis.catcert.cat/psis/catcert/tsp (timeout)
http://tsa.mesign.com (timeout/crash, likely moved to https://tsa.wotrus.com)
http://tsa.safecreative.org (timeout/crash)
http://tsa.sep.bg (timeout/gone)
http://sha256timestamp.ws.symantec.com/sha256/timestamp (timeout/error)
https://tsp.iaik.tugraz.at/tsp/TspRequest (error)

@TylerDurden2019
Copy link

As of a few days ago, http://timestamp.digicert.com no longer support SHA-512 or SHA-384 hashing algorithm for timestamping.
I'm using signtool.exe version 10.0.19041.685.

Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

Works:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"

Using /td SHA256 works with http://timestamp.digicert.com:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

@littleyoda
Copy link

littleyoda commented May 15, 2025
edited
Loading

Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com .

I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.

openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com  > ms.tsr
echo
echo "Verify (Not Certs)"
openssl ts -verify -in ms.tsr -queryfile file.tsq

echo
echo "Verify2 (MS Root Cert)"
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt

echo
echo "Verify3 (Extract Cert)"
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:
certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate

Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:
X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:

Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:
ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment