now we have PKI server could generate and sign a new cert with key usage "timestamping", then how about writing a custom HTTP Timestamp server. It should follow RFC 3161 Time-Stamp Protocol (TSP) rules.