A service for issuing RFC 3161 timestamps.
Timestamps conform to the RFC 3628 policy.
On MacOS, we currently require the installation of openssl.
brew install opensslTo launch the server, run either:
docker-compose upmake timestamp-server && ./bin/timestamp-server serve --port 3000
Both of these commands launch a server with an in-memory signing key and certificate chain. This should not be used for production.
To fetch a timestamp with the provided timestamp-cli:
- Retrieve the verification chain:
curl http://localhost:3000/api/v1/timestamp/certchain > ts_chain.pem - Create test blob to sign:
echo "myblob" > myblob - Build client:
make timestamp-cli - Fetch timestamp:
./bin/timestamp-cli --timestamp_server http://localhost:3000 timestamp --hash sha256 --artifact myblob --out response.tsr - Verify timestamp:
./bin/timestamp-cli verify --timestamp response.tsr --artifact "myblob" --cert-chain ts_chain.pem - Inspect timestamp:
./bin/timestamp-cli inspect --timestamp response.tsr --format json
To fetch a timestamp with openssl and curl:
- Retrieve the verification chain:
curl http://localhost:3000/api/v1/timestamp/certchain > ts_chain.pem - Split chain into root CA certificate and "untrusted" intermediate and leaf certificates:
- Split:
csplit -s -f tmpcert- ts_chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}'- Note, on macOS, you will need to install GNU utilities with
brew install coreutils, and usegcsplit
- Note, on macOS, you will need to install GNU utilities with
- Remove empty file:
rm tmpcert-00 - Get root:
mv $(ls tmpcert-* | tail -1) root.crt.pem - Merge remaining certificates:
cat tmpcert-* > chain.crts.pem - Remove temp files:
rm tmpcert-*
- Split:
- Create test blob to sign:
echo "myblob" > myblob - Create timestamp request:
openssl ts -query -data myblob -cert -sha256 -out request.tsq - Fetch timestamp:
curl -sSH "Content-Type: application/timestamp-query" --data-binary @request.tsq http://localhost:3000/api/v1/timestamp -o response.tsr - Verify timestamp:
openssl ts -verify -in response.tsr -data "myblob" -CAfile root.crt.pem -untrusted chain.crts.pem- Note that you will see a warning that one certificate is "not a CA cert", but this is expected, as you need to provide the TSA signing certificate
in case the certificate is not included in the response. When generating the timestamp query, setting
-certwill mandate the signing certificate is included.
- Note that you will see a warning that one certificate is "not a CA cert", but this is expected, as you need to provide the TSA signing certificate
in case the certificate is not included in the response. When generating the timestamp query, setting
- Inspect timestamp:
openssl ts -reply -in response.tsr -text
To deploy to production, the timestamp authority currently supports signing with Cloud KMS. You will need to provide a certificate chain (leaf, any intermediates, and root), where the certificate chain's purpose (extended key usage) is for timestamping.
Provide the path to the chain with certificate-chain-path, and the KMS key with timestamp-signer. The key should be prefixed
with either gcpkms://, azurekms://, awskms://, or hashivault://.
Should you discover any security issues, please refer to Sigstore's security process.