Follow the steps below to issue a timestamping certificate using the Certificate Authorities solution provided by PKI Hub.

Creating a Certificate Authority to issue timestamping certificates

Follow the steps described in Starting up Certificate Authorities to create:

Creating a timestamping certificate request

Create a CA Gateway certificate enrollment request – for example: 

{
"csr": "MIIDVzCCAb8...",
"profileId": "wstep-digital-signature",
  "requiredFormat": {
"format": "X509"
},
"optionalCertificateRequestDetails": {
"extensions": [
{
"oid": "2.5.29.37",
"critical": true,
"value": "MAoGCCsGAQUFBwMI"
}
],
"validity_period": "2024-11-06T13:00Z/2026-07-06T13:00:00Z"
}
}

See below for the values required by each request field.

Field

Line

Value

​csr

​2

The base64-encoded Certificate Signing Request previously generated in Generating a timestamping key pair as a single line.

extensions

8

The same fields and values as in the above example (to select the timestamping extended key usage). 

validity_period

15

The validity period for the issued certificate. The expiry date in this period cannot exceed the expiry date of the issuing CA certificate. 

Processing the timestamping certificate request

See below for processing the timestamping certificate request and obtaining the issued certificate. 

To process the timestamping certificate request

  1. Use a REST client to process the request as explained in Issuing certificates with a REST client.
  2. Edit the REST response and copy the base64-encoded string in the body field. 
  3. Save the string in a file with the  -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters – for example: 
    -----BEGIN CERTIFICATE-----
    MIIIcDCCBligAwIBAgITMwEf/Fvr7NDwanyeRAAAAR/8WzANBgkqhkiG9w0BAQwF
    ADBdMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
    ...
    UdO85g==
    -----END CERTIFICATE-----
  4. Use this certificate file as the TSA certificate when configuring the solution.