Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/rfc3161.txt

Last active June 16, 2025 13:20
Show Gist options
  • Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
Download ZIP
List of free rfc3161 servers.
Raw
rfc3161.txt
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@vasekkral
Copy link

@Manouchehri great, thanks a lot, works perfectly. Now we can call our "time stamper" util with your load balancer.

@HeikoSchlittermann
Copy link

I created a simple time stamp query http(s) client and sent a simple query to the servers mentioned in your list. Here are the simplified results:
Probably some of these URLs need a path (e.g. freetsa.org should be http(s)://freetsa.org/tsr).

http://timestamp.globalsign.com/tsa/r6advanced1: OK
http://timestamp.digicert.com: OK
http://timestamp.acs.microsoft.com: OK 
http://time.certum.pl: OK
http://rfc3161timestamp.globalsign.com/advanced: OK

http://zeitstempel.dfn.de: fail
http://tsa.startssl.com/rfc3161: fail
http://tsa.mesign.com: fail
http://timestamp.sectigo.com: fail
http://timestamp.entrust.net/TSS/RFC3161sha2TS: fail
http://timestamp.apple.com/ts01: fail
https://tsp.iaik.tugraz.at/tsp/TspRequest: fail
https://rfc3161.ai.moda/microsoft: fail
https://rfc3161.ai.moda: fail 
https://rfc3161.ai.moda/apple: fail
https://rfc3161.ai.moda/any: fail
https://rfc3161.ai.moda/adobe: fail
https://freetsa.org: fail
http://services.globaltrustfinder.com/adss/tsa: fail
https://ca.signfiles.com/tsa/get.aspx: fail
http://rfc3161.ai.moda: fail
http://dse200.ncipher.com/TSS/HttpTspServer: fail

@Manouchehri
Copy link
Author

@HeikoSchlittermann Could you please explain how your client works? Those results seem very wrong to me.

@JohnPlanetary
Copy link

The following have stopped working for years:
http://tsa.startssl.com/rfc3161
http://services.globaltrustfinder.com/adss/tsa
http://dse200.ncipher.com/TSS/HttpTspServer

The following, as mentioned, had the URL wrong:
https://freetsa.org it should be: https://freetsa.org/tsr

The rest is working properly.
So something is wrong with thou simple time stamp client.

@kashmirix
Copy link

kashmirix commented Mar 12, 2025
edited
Loading

rfc3161 timestamping servers – March 2025 update

[#] = LTV (long-term validity) enabled
[*] = increased sigvalue size; if using Adobe Acrobat on Windows, a registry modification may be required in accordance with these instructions

Working

QUALIFIED (EU Trust List)

http://tss.accv.es:8318/tsa [#]
https://timestamp.aped.gov.gr/qtss [*]
http://tsa.baltstamp.lt [#]
http://tsa.belgium.be/connect [#]
http://ts.cartaodecidadao.pt/tsa/server [LTV]
http://ts.quovadisglobal.com/eu [# *]
http://tsa.izenpe.com [#]
http://timestamp.sectigo.com/qualified

TRUSTED (Adobe Trust List)

http://rfc3161.ai.moda (and other URL variants) [*]
http://timestamp.digicert.com
http://timestamp.comodoca.com (and other URL variants) [*]
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.identrust.com
http://ts.quovadisglobal.com/ch [*]
http://timestamp.sectigo.com
http://ts.ssl.com
http://tsa.swisssign.net [*]
https://tsa.wotrus.com

UNTRUSTED

http://timestamp.apple.com/ts01
http://time.certum.pl [*]
https://tsa.cesnet.cz:3162/tsa
http(s)://zeitstempel.dfn.de [*]
http://tsa.sinpe.fi.cr/tsaHttp/ (trailing slash required)
http://timestamp.globalsign.com/advanced (and other URL variants)
https://freetsa.org/tsr
http://tsa.lex-persona.com/tsa
https://tsa.mahidol.ac.th/tsa/get.aspx
https://time.mconnect.mc
http://timestamp.acs.microsoft.com
http://dss.nowina.lu/pki-factory/tsa/good-tsa
http://timestamp.ssl.trustwave.com

Not working

http://psis.catcert.cat/psis/catcert/tsp (timeout)
http://tsa.mesign.com (timeout/crash, likely moved to https://tsa.wotrus.com)
http://tsa.safecreative.org (timeout/crash)
http://tsa.sep.bg (timeout/gone)
http://sha256timestamp.ws.symantec.com/sha256/timestamp (timeout/error)
https://tsp.iaik.tugraz.at/tsp/TspRequest (error)

@TylerDurden2019
Copy link

As of a few days ago, http://timestamp.digicert.com no longer support SHA-512 or SHA-384 hashing algorithm for timestamping.
I'm using signtool.exe version 10.0.19041.685.

Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

Works:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"

Using /td SHA256 works with http://timestamp.digicert.com:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

@littleyoda
Copy link

littleyoda commented May 15, 2025
edited
Loading

Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com .

I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.

openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com  > ms.tsr
echo
echo "Verify (Not Certs)"
openssl ts -verify -in ms.tsr -queryfile file.tsq

echo
echo "Verify2 (MS Root Cert)"
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt

echo
echo "Verify3 (Extract Cert)"
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:
certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate

Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:
X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:

Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:
ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate

@Manouchehri
Copy link
Author

@TylerDurden2019 Digicert works fine for me with SHA-512 and SHA-384.

openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin

openssl rand 512 | openssl ts -query -data - -cert -sha384 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha512
Message data:
    0000 - 4a bd d6 6e cf bb fc 97-95 f4 fe 25 07 6a d9 27   J..n.......%.j.'
    0010 - d7 e6 b3 e1 3e ed d4 2b-44 a1 2f f0 44 91 c1 49   ....>..+D./.D..I
    0020 - 22 84 50 f3 98 ba fc 4c-d6 ab df 48 2f 97 f5 36   ".P....L...H/..6
    0030 - 34 5f 18 df 83 f6 6b 6d-fe be 61 c3 b3 3c de 2d   4_....km..a..<.-
Serial number: 0x9CEFF4C18E28407E21D72B318DDEDD66
Time stamp: May 26 14:31:04 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x775FF9F2CBADC6AC
TSA: unspecified
Extensions:

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha384
Message data:
    0000 - 9e 2e af 17 b7 c9 3d c7-51 6e 18 4a 5f 1f 0d e0   ......=.Qn.J_...
    0010 - e8 eb b4 bc 4d 28 ac 90-9b bb d8 b0 7c 7b b2 48   ....M(......|{.H
    0020 - 02 fe a0 12 f0 2c b6 39-5f 69 a5 49 97 37 dd ad   .....,.9_i.I.7..
Serial number: 0xFC802032394A2B116538CBAA20EECCB5
Time stamp: May 26 14:32:19 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0xECD603090AAC72F5
TSA: unspecified
Extensions:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment