The Timestamping Authority (TSA) solution processes timestamp requests to provide proof that a digital document, message, or transaction:
- Existed at a specific point in time
- Has not been altered since that time
On a timestamping transaction:
- The client submits the hash of a document (never the document itself) in a timestamp request.
- The Timestamping Authority returns a DER-encoded timestamp token (CMS SignedData) that binds that hash to a trusted time value.
See below for the Timestamping Authority key capabilities.
Multiple timestamp issuers
A single deployment can host several independent TSA identities, each with its own signing key, certificate chain, and policy OID.
HSM integration
Timestamp Authority supports both file-based (PEM) signing keys and Hardware Security Modules via PKCS#11
Configurable padding scheme
Timestamp Authority supports both RSA and RSA-PSS signature padding schemes.
Configurable hash algorithms
Timestamp Authority supports the following hash algorithms.
- SHA-1 (supported for legacy compatibility)
- SHA-224
- SHA-256
- SHA-384
- SHA-512
Reliable time source
Timestamp Authority integrates with a clock-status service that monitors NTP synchronization.
When the clock error exceeds the configured threshold, the TSA returns a timeNotAvailable response until the clock is resynchronized, after which it resumes normal timestamp responses.
Standard compliance
Timestamping Authority is compliant with the following standards.
ID | Target | URL |
|---|---|---|
RFC 3161 | The format of a request sent to a Time Stamping Authority (TSA) and the response returned. | |
RFC 5816 | The | |
ETSI EN 319 421 | The optional ESI4 Qualified Timestamp Statement extension for eIDAS-qualified timestamps | https://www.etsi.org/deliver/etsi_en/319400_319499/319421/01.02.01_60/en_319421v010201p.pdf |
ETSI EN 319 422 | The time-stamping protocol and time-stamp token format based on RFC 3161 | https://www.etsi.org/deliver/etsi_en/319400_319499/319422/01.01.01_60/en_319422v010101p.pdf |