Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/rfc3161.txt

Last active June 16, 2025 13:20
Show Gist options
  • Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Download ZIP
List of free rfc3161 servers.
Raw
rfc3161.txt
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@Manouchehri
Copy link
Author

@vasekkral Sure. Note, these certificates do change over time.

#!/usr/bin/env bash

# Available cryptographic hash algorithms for timestamp requests
# These algorithms are tried sequentially until a successful response is received
hash_algorithms=(
    "sha512" "blake2b512" "blake2s256" "md4" "md5" "md5-sha1" "mdc2" "ripemd"
    "ripemd160" "rmd160" "sha1" "sha224" "sha256" "sha3-224" "sha3-256"
    "sha3-384" "sha3-512" "sha384" "sha512-224" "sha512-256" "shake128"
    "shake256" "sm3" "ssl3-md5" "ssl3-sha1" "whirlpool"
)

# Attempts to obtain a timestamp token from a TSA server using specified parameters
# Returns 0 on success, 1 on failure
try_timestamp_request() {
    local url="$1"          # TSA server endpoint
    local hash_algo="$2"    # Cryptographic hash algorithm
    local tmp_query="$3"    # Path to store the timestamp request
    local tmp_reply="$4"    # Path to store the server's response
    local tmp_token="$5"    # Path to store the extracted timestamp token

    # Process flow:
    # 1. Generate random data as input
    # 2. Create a timestamp query using the specified hash algorithm
    # 3. Send the query to the TSA server
    # 4. Extract the timestamp token from the response
    if openssl rand 512 | \
       openssl ts -query -data - -cert -"$hash_algo" > "$tmp_query" 2>/dev/null && \
       curl -H "Content-Type: application/timestamp-query" \
            -H "Accept: application/timestamp-reply" \
            -s -S --data-binary @"$tmp_query" "$url" -o "$tmp_reply" && \
       openssl ts -reply -in "$tmp_reply" -token_out -out "$tmp_token" 2>/dev/null; then
        return 0    # All operations completed successfully
    else
        return 1    # One or more operations failed
    fi
}

# Main processing loop: Retrieve and process TSA server information
curl -s https://rfc3161.ai.moda/servers.json | \
jq -r '.[] | {name: .name, url: .url} | @json' | \
while read -r line; do
    # Extract server details from JSON response
    name=$(echo "$line" | jq -r '.name')   # Server's friendly name
    url=$(echo "$line" | jq -r '.url')     # Server's API endpoint

    # Create filesystem-safe server name by removing special characters
    safe_name=$(echo "$name" | tr -c '[:alnum:]' '_' | tr -s '_' | sed 's/^_//;s/_$//')

    # Create temporary storage for request/response data
    tmp_query=$(mktemp)
    tmp_reply=$(mktemp)
    tmp_token=$(mktemp)

    success=false           # Tracks if any attempt succeeded
    successful_hash=""      # Records which hash algorithm worked

    # Try each hash algorithm until successful
    for hash_algo in "${hash_algorithms[@]}"; do
        echo "Trying $hash_algo for $name..."
        if try_timestamp_request "$url" "$hash_algo" "$tmp_query" "$tmp_reply" "$tmp_token"; then
            success=true
            successful_hash="$hash_algo"
            break
        fi
    done

    if [ "$success" = true ]; then
        # Extract and save the CA certificate from the successful response
        if openssl pkcs7 -inform DER -in "$tmp_token" -print_certs -outform PEM -out "${safe_name}.pem" 2>/dev/null; then
            echo "Successfully extracted CA certificate for: $name (using $successful_hash)"
            echo "$name,$url,$successful_hash" >> successful_servers.log
        else
            echo "$url" >> failed_ca_certs.log
            echo "Failed to extract CA certificate for: $name"
        fi
    else
        echo "$url" >> failed_ca_certs.log
        echo "Failed to get timestamp response from: $name (tried all hash algorithms)"
    fi

    # Cleanup temporary files to prevent disk space issues
    rm -f "$tmp_query" "$tmp_reply" "$tmp_token"
done

This will dump the full certificate chain for all of the CAs. e.g. this is what my folder looks like after running the script:

APED.pem					Entrust.pem					QuoVadis_China.pem
Adacom.pem					FreeTSA.pem					QuoVadis_EU.pem
Aloaha.pem					GlobalSign.pem					SDA_GOV_GE.pem
Apple.pem					IdenTrust.pem					SEP_Bulgaria.pem
Azure.pem					Instituto_dos_Registos_e_do_Notariado_I_P.pem	SSL_com.pem
BalTstamp.pem					Izenpe.pem					Sectigo.pem
Belgium_Federal_Goverment.pem			Lex_Persona.pem					SwissSign.pem
CNBS.pem					Mahidol_University.pem				Swiss_Goverment.pem
CatCert.pem					MeSign.pem					TSA_SINPE.pem
Certum.pem					Netlock.pem					successful_servers.log
Digicert.pem					QuoVadis.pem

@vasekkral
Copy link

@Manouchehri great, thanks a lot, works perfectly. Now we can call our "time stamper" util with your load balancer.

@HeikoSchlittermann
Copy link

I created a simple time stamp query http(s) client and sent a simple query to the servers mentioned in your list. Here are the simplified results:
Probably some of these URLs need a path (e.g. freetsa.org should be http(s)://freetsa.org/tsr).

http://timestamp.globalsign.com/tsa/r6advanced1: OK
http://timestamp.digicert.com: OK
http://timestamp.acs.microsoft.com: OK 
http://time.certum.pl: OK
http://rfc3161timestamp.globalsign.com/advanced: OK

http://zeitstempel.dfn.de: fail
http://tsa.startssl.com/rfc3161: fail
http://tsa.mesign.com: fail
http://timestamp.sectigo.com: fail
http://timestamp.entrust.net/TSS/RFC3161sha2TS: fail
http://timestamp.apple.com/ts01: fail
https://tsp.iaik.tugraz.at/tsp/TspRequest: fail
https://rfc3161.ai.moda/microsoft: fail
https://rfc3161.ai.moda: fail 
https://rfc3161.ai.moda/apple: fail
https://rfc3161.ai.moda/any: fail
https://rfc3161.ai.moda/adobe: fail
https://freetsa.org: fail
http://services.globaltrustfinder.com/adss/tsa: fail
https://ca.signfiles.com/tsa/get.aspx: fail
http://rfc3161.ai.moda: fail
http://dse200.ncipher.com/TSS/HttpTspServer: fail

@Manouchehri
Copy link
Author

@HeikoSchlittermann Could you please explain how your client works? Those results seem very wrong to me.

@JohnPlanetary
Copy link

The following have stopped working for years:
http://tsa.startssl.com/rfc3161
http://services.globaltrustfinder.com/adss/tsa
http://dse200.ncipher.com/TSS/HttpTspServer

The following, as mentioned, had the URL wrong:
https://freetsa.org it should be: https://freetsa.org/tsr

The rest is working properly.
So something is wrong with thou simple time stamp client.

@kashmirix
Copy link

kashmirix commented Mar 12, 2025
edited
Loading

rfc3161 timestamping servers – March 2025 update

[#] = LTV (long-term validity) enabled
[*] = increased sigvalue size; if using Adobe Acrobat on Windows, a registry modification may be required in accordance with these instructions

Working

QUALIFIED (EU Trust List)

http://tss.accv.es:8318/tsa [#]
https://timestamp.aped.gov.gr/qtss [*]
http://tsa.baltstamp.lt [#]
http://tsa.belgium.be/connect [#]
http://ts.cartaodecidadao.pt/tsa/server [LTV]
http://ts.quovadisglobal.com/eu [# *]
http://tsa.izenpe.com [#]
http://timestamp.sectigo.com/qualified

TRUSTED (Adobe Trust List)

http://rfc3161.ai.moda (and other URL variants) [*]
http://timestamp.digicert.com
http://timestamp.comodoca.com (and other URL variants) [*]
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.identrust.com
http://ts.quovadisglobal.com/ch [*]
http://timestamp.sectigo.com
http://ts.ssl.com
http://tsa.swisssign.net [*]
https://tsa.wotrus.com

UNTRUSTED

http://timestamp.apple.com/ts01
http://time.certum.pl [*]
https://tsa.cesnet.cz:3162/tsa
http(s)://zeitstempel.dfn.de [*]
http://tsa.sinpe.fi.cr/tsaHttp/ (trailing slash required)
http://timestamp.globalsign.com/advanced (and other URL variants)
https://freetsa.org/tsr
http://tsa.lex-persona.com/tsa
https://tsa.mahidol.ac.th/tsa/get.aspx
https://time.mconnect.mc
http://timestamp.acs.microsoft.com
http://dss.nowina.lu/pki-factory/tsa/good-tsa
http://timestamp.ssl.trustwave.com

Not working

http://psis.catcert.cat/psis/catcert/tsp (timeout)
http://tsa.mesign.com (timeout/crash, likely moved to https://tsa.wotrus.com)
http://tsa.safecreative.org (timeout/crash)
http://tsa.sep.bg (timeout/gone)
http://sha256timestamp.ws.symantec.com/sha256/timestamp (timeout/error)
https://tsp.iaik.tugraz.at/tsp/TspRequest (error)

@TylerDurden2019
Copy link

As of a few days ago, http://timestamp.digicert.com no longer support SHA-512 or SHA-384 hashing algorithm for timestamping.
I'm using signtool.exe version 10.0.19041.685.

Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

Works:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"

Using /td SHA256 works with http://timestamp.digicert.com:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

@littleyoda
Copy link

littleyoda commented May 15, 2025
edited
Loading

Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com .

I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.

openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com  > ms.tsr
echo
echo "Verify (Not Certs)"
openssl ts -verify -in ms.tsr -queryfile file.tsq

echo
echo "Verify2 (MS Root Cert)"
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt

echo
echo "Verify3 (Extract Cert)"
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:
certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate

Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:
X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:

Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:
ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate

@Manouchehri
Copy link
Author

@TylerDurden2019 Digicert works fine for me with SHA-512 and SHA-384.

openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin

openssl rand 512 | openssl ts -query -data - -cert -sha384 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha512
Message data:
    0000 - 4a bd d6 6e cf bb fc 97-95 f4 fe 25 07 6a d9 27   J..n.......%.j.'
    0010 - d7 e6 b3 e1 3e ed d4 2b-44 a1 2f f0 44 91 c1 49   ....>..+D./.D..I
    0020 - 22 84 50 f3 98 ba fc 4c-d6 ab df 48 2f 97 f5 36   ".P....L...H/..6
    0030 - 34 5f 18 df 83 f6 6b 6d-fe be 61 c3 b3 3c de 2d   4_....km..a..<.-
Serial number: 0x9CEFF4C18E28407E21D72B318DDEDD66
Time stamp: May 26 14:31:04 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x775FF9F2CBADC6AC
TSA: unspecified
Extensions:

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha384
Message data:
    0000 - 9e 2e af 17 b7 c9 3d c7-51 6e 18 4a 5f 1f 0d e0   ......=.Qn.J_...
    0010 - e8 eb b4 bc 4d 28 ac 90-9b bb d8 b0 7c 7b b2 48   ....M(......|{.H
    0020 - 02 fe a0 12 f0 2c b6 39-5f 69 a5 49 97 37 dd ad   .....,.9_i.I.7..
Serial number: 0xFC802032394A2B116538CBAA20EECCB5
Time stamp: May 26 14:32:19 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0xECD603090AAC72F5
TSA: unspecified
Extensions:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment