Gist: Manouchehri/fd754e402d98430243455713efada710
| Timestamp server |
|---|
| https://rfc3161.ai.moda |
| https://rfc3161.ai.moda/adobe |
| https://rfc3161.ai.moda/microsoft |
| https://rfc3161.ai.moda/apple |
| https://rfc3161.ai.moda/any |
| http://rfc3161.ai.moda |
| http://timestamp.digicert.com |
| http://timestamp.globalsign.com/tsa/r6advanced1 |
| http://rfc3161timestamp.globalsign.com/advanced |
| http://timestamp.sectigo.com |
| http://timestamp.apple.com/ts01 |
| http://tsa.mesign.com |
| http://time.certum.pl |
| https://freetsa.org |
| http://tsa.startssl.com/rfc3161 |
| http://dse200.ncipher.com/TSS/HttpTspServer |
| http://zeitstempel.dfn.de |
| https://ca.signfiles.com/tsa/get.aspx |
| http://services.globaltrustfinder.com/adss/tsa |
| https://tsp.iaik.tugraz.at/tsp/TspRequest |
| http://timestamp.entrust.net/TSS/RFC3161sha2TS |
| http://timestamp.acs.microsoft.com |
Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com?
I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.
```sh
# Build a query over the file "sample" (SHA-512, no nonce, ask the TSA to include its certificate)
openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com > ms.tsr
echo
echo "Verify (Not Certs)"
# Attempt 1: no trust anchor supplied at all
openssl ts -verify -in ms.tsr -queryfile file.tsq
echo
echo "Verify2 (MS Root Cert)"
# Attempt 2: Microsoft's published root handed to -CAfile as downloaded
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt
echo
echo "Verify3 (Extract Cert)"
# Attempt 3: pull the certificates out of the token and use the first one as the trust anchor
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt
```
```text
Using configuration from /usr/lib/ssl/openssl.cnf
Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate
Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:
Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate
```
@TylerDurden2019 Digicert works fine for me with SHA-512 and SHA-384.
```sh
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
openssl rand 512 | openssl ts -query -data - -cert -sha384 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
```

```text
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha512
Message data:
0000 - 4a bd d6 6e cf bb fc 97-95 f4 fe 25 07 6a d9 27 J..n.......%.j.'
0010 - d7 e6 b3 e1 3e ed d4 2b-44 a1 2f f0 44 91 c1 49 ....>..+D./.D..I
0020 - 22 84 50 f3 98 ba fc 4c-d6 ab df 48 2f 97 f5 36 ".P....L...H/..6
0030 - 34 5f 18 df 83 f6 6b 6d-fe be 61 c3 b3 3c de 2d 4_....km..a..<.-
Serial number: 0x9CEFF4C18E28407E21D72B318DDEDD66
Time stamp: May 26 14:31:04 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x775FF9F2CBADC6AC
TSA: unspecified
Extensions:
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha384
Message data:
0000 - 9e 2e af 17 b7 c9 3d c7-51 6e 18 4a 5f 1f 0d e0 ......=.Qn.J_...
0010 - e8 eb b4 bc 4d 28 ac 90-9b bb d8 b0 7c 7b b2 48 ....M(......|{.H
0020 - 02 fe a0 12 f0 2c b6 39-5f 69 a5 49 97 37 dd ad .....,.9_i.I.7..
Serial number: 0xFC802032394A2B116538CBAA20EECCB5
Time stamp: May 26 14:32:19 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0xECD603090AAC72F5
TSA: unspecified
Extensions:
```
We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com
Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!
Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?
> Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?

@vasekkral It already is, it's listed as https://rfc3161.ai.moda/azure :)
> > Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?
>
> @vasekkral It already is, it's listed as https://rfc3161.ai.moda/azure :)

Thanks for the info.
But as it is not exactly listed in https://rfc3161.ai.moda/servers.json, the tool for downloading CA root certificates does not download the one for http://timestamp.acs.microsoft.com

> But as it is not exactly listed in https://rfc3161.ai.moda/servers.json, the tool for downloading CA root certificates does not download the one for http://timestamp.acs.microsoft.com

@vasekkral Can you share how you're checking that? On my end, I can definitely see that https://rfc3161.ai.moda/azure is proxied to http://timestamp.acs.microsoft.com. You can always verify this by looking at the via header (e.g. via: HTTP/1.0 timestamp.acs.microsoft.com, via: HTTP/1.0 timestamp.digicert.com, via: HTTP/1.0 timestamp.sectigo.com, etc.).
```sh
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/azure -o rand_response.tsr -v
# ^ you can see `< via: HTTP/1.0 timestamp.acs.microsoft.com` in the response headers
openssl ts -reply -in rand_response.tsr -token_out -out rand_response.tsr.pkcs7
openssl pkcs7 -inform DER -in rand_response.tsr.pkcs7 -print_certs -text
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Identity Verification Root Certificate Authority 2020
Validity
Not Before: Nov 19 20:32:31 2020 GMT
Not After : Nov 19 20:42:31 2035 GMT
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:9e:7c:e7:52:63:fd:e0:c5:9f:05:7d:63:b5:06:
22:a3:1c:1e:d7:e7:97:33:d1:13:05:bd:65:46:47:
77:91:c1:5d:70:6f:7f:b2:ab:43:97:0c:4a:a1:52:
1c:6a:a0:db:fa:89:85:8a:8e:43:1c:2e:11:05:c6:
f2:40:78:d7:0b:03:24:fe:5d:d3:39:8b:60:a0:18:
f1:9c:6f:de:56:24:b8:b0:ec:7c:cb:88:12:ab:c6:
60:e3:d4:44:01:fe:61:b9:78:48:91:04:4a:7b:74:
31:b3:c4:a0:a7:4d:8a:1c:0c:e7:11:af:d2:b1:a8:
7c:9d:6a:39:84:93:35:c7:39:e4:46:c1:4f:bb:aa:
df:0c:77:99:78:6d:56:6b:5c:08:4a:f9:64:a4:e4:
28:a1:35:0b:16:6f:34:f5:9d:19:62:54:3c:2e:9e:
e2:e4:5f:58:72:21:65:c8:02:b0:9f:ac:a3:37:f9:
11:e1:f9:2a:b9:45:9f:1a:63:28:a4:da:bf:07:c5:
3f:a5:da:19:91:96:50:6f:13:65:a8:93:a2:04:68:
02:5a:9c:7a:f6:e2:aa:2a:14:cf:56:2d:e0:54:4a:
e7:73:fa:a2:f9:d4:7c:03:63:22:03:3d:24:37:49:
e1:ed:2a:88:34:66:e6:c3:93:88:44:2d:04:b1:9d:
f5:58:5d:d4:c6:9d:c6:81:9c:1e:b4:42:b1:2e:6b:
3b:dc:a1:bf:67:e3:24:7a:e6:95:0d:04:21:79:a9:
e0:38:43:06:27:8a:50:64:7e:79:9e:02:34:4d:dc:
b5:6e:2e:bd:20:d0:55:e4:a9:f6:1d:52:68:f5:7c:
51:61:1f:c9:3c:60:1a:33:ac:46:97:9e:c4:8b:de:
47:53:0f:4d:57:fb:82:df:21:63:ae:17:34:f3:ba:
8b:25:06:b0:48:2d:f1:cd:8f:c4:5f:3b:13:e0:8e:
ec:0d:bc:4e:98:cd:ab:97:8b:8a:2b:a7:84:a6:ea:
d1:76:e3:90:da:14:e4:98:6d:61:4a:e5:98:06:e9:
c5:18:db:f6:d4:ab:78:37:6d:00:2a:66:de:b9:29:
c6:9e:c0:42:77:67:23:44:a1:bb:f7:e4:d7:fa:c4:
de:85:ac:0e:a3:17:de:38:ef:e3:47:bc:28:de:58:
b0:90:67:73:3c:96:07:82:72:79:e1:4c:5b:72:41:
7d:d7:80:2a:1c:e8:84:57:bc:53:9c:3d:5a:eb:dc:
3f:51:3c:70:8c:4b:a0:a4:83:cc:20:81:3a:ed:21:
59:d8:f3:28:db:bc:63:94:b0:07:59:6d:e5:d4:21:
00:16:32:cd:1d:dd:c4:43:bf:4f:52:bf:05:51:77:
ad:5e:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
X509v3 Extended Key Usage:
Time Stamping
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
C8:7E:D2:6A:85:2A:1B:CA:19:98:04:07:27:CF:50:10:4F:68:A8:A2
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crt
Signature Algorithm: sha384WithRSAEncryption
Signature Value:
5f:88:76:c7:7e:6d:b5:5a:15:75:e7:4c:78:68:fa:4e:e1:d8:
44:99:25:15:a5:b8:b1:34:39:af:e9:3b:ee:20:7b:f5:c4:8b:
35:ef:86:cd:18:ef:e2:95:63:26:f8:9c:79:6e:80:17:ac:9c:
5a:81:18:47:42:d8:85:a6:b4:a3:32:4b:53:96:22:f8:b0:a6:
72:b7:68:be:49:79:dc:33:6d:e0:45:ec:f3:b2:83:a2:06:1b:
f5:e1:84:9d:d4:a9:67:96:4c:ef:82:cd:bd:5c:d8:d3:f9:cf:
21:21:f3:d1:7b:da:ef:54:23:0f:88:7e:f3:3d:97:30:e6:73:
63:b6:10:d0:fb:30:f9:eb:72:35:9d:42:7a:cb:9f:53:6d:75:
ac:bb:25:2c:ab:0e:f0:5d:9a:06:cd:9c:22:8d:64:f9:a1:ce:
86:bc:3d:c7:0e:89:09:63:8d:35:ba:19:e3:de:e6:c1:85:b9:
11:f3:74:5b:7c:cb:e6:cd:da:77:85:ed:9b:bc:85:33:b5:23:
ae:17:34:6a:ac:b7:c4:be:c3:e4:54:76:27:bc:7d:70:b5:8c:
ab:b7:9b:d2:86:22:a1:78:6a:57:6b:60:16:a6:ca:1d:e0:e2:
72:4f:8f:f2:d1:d8:20:5a:2f:20:fe:d8:1b:86:64:25:66:a0:
d4:7f:75:2a:51:0b:19:68:b7:48:bb:f5:d2:8e:0a:19:a8:38:
da:9b:30:8f:26:d3:8b:8b:68:41:c0:bf:8a:b0:28:74:35:bc:
1c:db:57:f9:c6:f3:d2:c3:29:b4:52:4a:f8:a3:9b:02:70:c5:
1c:4b:2e:93:10:fe:ee:31:5f:11:5f:47:87:ff:82:4b:12:91:
b2:69:ee:8a:8b:c2:58:83:9b:f8:7e:c3:46:89:fd:4e:5c:72:
76:21:61:be:ef:3c:a3:4c:37:e4:99:0d:6c:9c:53:93:83:21:
17:f2:a0:69:79:f4:1b:17:47:f1:e9:44:6b:62:26:ab:8e:60:
69:af:03:fa:64:e6:f0:b5:95:c9:db:78:ca:dc:58:3f:f6:ea:
8c:de:3d:0f:d3:59:f3:57:28:13:a6:90:5a:6f:3c:4f:02:1f:
e1:1e:18:65:b3:a9:30:a3:74:0b:27:a3:68:f3:4d:e3:52:c6:
5c:77:82:50:c6:26:07:1d:cf:90:ff:00:0c:70:f5:27:60:ab:
ff:ab:63:b8:e3:82:ce:d7:e9:fa:8f:4d:73:e6:68:20:09:29:
51:c0:3f:5f:68:12:32:48:07:00:f5:2f:21:db:68:48:01:c4:
50:a8:81:84:8e:89:42:2b:d1:7a:9c:af:59:c9:7e:25:86:d8:
6c:18:7b:a6:68:00:5d:5b
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:00:00:00:55:d9:dd:69:26:28:f9:f8:e2:00:00:00:00:00:55
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
Validity
Not Before: Oct 23 20:46:49 2025 GMT
Not After : Oct 22 20:46:49 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bd:b9:1f:92:1e:59:48:b3:f4:30:25:16:69:f6:
b0:fc:a6:68:55:9b:bd:89:0c:7c:af:92:70:85:9b:
dd:ad:48:bc:e9:48:c2:08:54:0e:36:34:1a:9e:b2:
31:18:5f:61:44:62:19:2d:06:79:d2:01:eb:2c:2f:
b8:7e:95:04:25:f7:f9:b7:4e:15:c0:1c:96:0b:6f:
db:58:eb:a4:e8:d9:9a:4e:1f:49:a4:f6:43:70:6c:
cd:47:de:50:96:bc:a3:7c:48:ed:97:e8:31:8f:5d:
b3:34:f1:1d:00:33:e9:95:57:f3:b7:c7:18:45:61:
41:c7:f1:5b:7d:c8:74:f2:4e:8f:f6:9e:e3:5f:6a:
b5:8c:53:db:53:15:98:27:ec:4e:c8:60:b5:68:a8:
43:19:8e:5b:fb:cc:0b:df:db:fa:a8:2d:07:14:8c:
7f:bf:7c:be:6d:ea:7e:68:45:e8:a0:af:15:a1:e5:
8a:fa:cc:df:68:58:d7:a3:c6:13:72:f4:3c:50:be:
2c:ce:ef:47:15:3b:99:36:fe:af:be:82:7b:26:ef:
a8:e5:a4:e3:e7:5b:29:87:ed:3e:15:75:b7:f1:39:
4b:fe:b0:c1:77:98:9a:ef:d8:ec:90:bb:4e:78:76:
c3:8e:46:e5:8e:29:70:cd:e8:1c:c6:ff:62:e3:d1:
74:e5:9a:d2:ff:91:0b:64:20:98:d5:56:aa:3b:b1:
0e:2c:a5:5a:c7:17:40:3b:9a:32:d6:f6:f4:07:1d:
19:45:55:f5:9b:11:63:63:36:b2:d8:40:b4:e7:59:
3a:c8:62:47:9b:9f:32:d6:87:b6:20:a4:5a:fd:23:
35:f8:14:c6:b1:ee:af:1c:d8:b9:43:67:79:66:7a:
11:f4:03:80:50:30:f0:24:82:2a:44:8e:2b:67:3d:
8c:4a:29:e1:d7:55:ab:5d:31:bd:ba:b1:76:ba:8c:
9d:e5:57:be:f2:1c:5e:b3:d0:01:78:fd:8f:61:02:
a5:5d:84:c0:c6:f7:5a:79:a9:c3:4d:0f:ef:c2:69:
cc:fb:24:dc:5b:3a:d5:9b:ce:19:df:c5:d5:17:0e:
06:ee:9f:d9:35:9d:a7:b1:cb:ef:ea:ea:ee:d8:07:
af:5d:cc:95:d6:df:21:6b:b8:96:9a:18:60:4d:60:
4d:06:b5:62:b8:39:5c:de:23:ef:3b:3d:92:54:f6:
cf:7a:a8:72:63:f3:57:c0:d6:42:02:07:36:1f:9a:
4e:ce:db:ba:33:04:31:0c:88:ed:7b:75:cc:fc:59:
0a:07:11:e8:7d:2d:9a:6c:d4:ff:d0:71:be:c5:9b:
45:a9:42:43:6b:18:1b:25:ae:a5:37:5c:e1:ee:ca:
63:b9:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
56:04:5F:10:6D:DC:08:03:F0:C8:BF:A9:C9:16:CA:C1:D7:AC:65:B6
X509v3 Authority Key Identifier:
6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crt
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage: critical
Time Stamping
X509v3 Key Usage: critical
Digital Signature
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.311.76.509.1.1
CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
Policy: 2.23.140.1.4.2
Signature Algorithm: sha384WithRSAEncryption
Signature Value:
52:1e:e1:92:54:7b:da:94:29:c5:9e:5b:2a:5c:84:1e:7c:7d:
71:3f:64:85:af:d8:3e:57:3f:9f:e4:fe:d0:7b:2c:23:7d:06:
f9:8d:49:52:99:dd:57:9c:95:03:3d:ef:cc:1f:12:fb:af:74:
c4:12:52:fe:98:db:46:e8:20:cf:03:2b:52:b5:21:4f:5c:3f:
6d:4c:1b:41:31:88:7c:5a:aa:3a:e2:91:fd:aa:6d:fa:d7:22:
2a:78:11:fd:ef:d9:b3:58:29:0c:42:c4:dd:d2:73:3a:75:49:
7d:07:ee:ea:8a:d8:be:4e:85:f0:c4:89:77:f5:e6:2a:2e:e6:
18:7e:10:f6:9a:aa:9e:3d:73:33:50:a4:90:ce:47:fb:df:26:
08:54:73:fa:9c:b2:50:cf:86:80:99:a5:9c:7c:6f:63:83:bf:
2c:06:40:d5:f0:aa:56:ec:98:24:b6:e2:e1:a6:12:44:37:50:
7e:49:51:e3:7a:73:dd:72:6a:c5:5c:85:2e:fc:ae:23:2b:9b:
a4:7d:66:90:22:3b:9a:5f:34:a3:06:53:63:0b:9b:50:37:a6:
9d:3d:f0:37:1b:15:30:1c:f7:91:e1:e9:0b:e4:87:ff:f6:f0:
5f:d7:7b:66:cc:15:be:83:2f:b4:b0:d1:93:bd:e6:fd:20:bf:
46:53:c8:97:f1:4b:f2:c2:c5:fa:da:78:42:08:f4:54:85:38:
a0:0c:12:9d:73:34:54:ac:da:e7:b4:18:68:c1:b7:dc:84:10:
c5:30:bf:1a:bd:13:11:73:d1:a6:73:62:6f:22:bc:97:df:7e:
92:15:0e:75:ff:fa:b5:51:4d:87:31:22:44:32:15:8b:25:22:
16:25:58:5f:52:8c:2c:39:af:8f:6a:6a:48:cc:44:d8:7c:5b:
d3:bb:69:aa:28:95:25:59:95:e4:19:8c:6b:74:2b:c2:73:32:
5c:a9:ea:1a:76:95:b5:ba:5e:a4:71:d9:c3:87:6d:bc:49:0f:
19:84:37:3a:21:19:4c:e2:23:5d:e5:23:68:36:05:fe:6a:89:
b7:c2:e1:b2:8d:46:92:68:f6:56:c4:f0:75:1b:63:4a:89:88:
4f:2e:dd:25:3c:78:34:1a:c9:23:d7:38:48:49:8f:14:42:43:
0c:0e:bd:e8:d8:98:11:b9:3f:b0:9c:91:03:41:4a:79:e5:d7:
6f:85:29:12:a0:3e:88:f4:32:ff:b3:e4:e3:21:8f:dc:f6:32:
da:5b:9c:72:c0:91:ea:74:a1:d4:02:94:4c:b2:08:6f:ee:47:
9b:4a:e6:b5:ba:99:91:f9:3a:ae:7a:51:64:b4:34:8e:8d:57:
52:46:4b:b2:6b:8b:a8:c5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
@Manouchehri I am afraid there is a confusion.
The "proxy" https://rfc3161.ai.moda/azure -> http://timestamp.acs.microsoft.com/ works fine.
The thing is that we need to regularly download CA root certificates for our timestamping service to work.
As http://timestamp.acs.microsoft.com/ is not listed in https://rfc3161.ai.moda/servers.json, the script you provided for CA root certificate download does not get the certificate for http://timestamp.acs.microsoft.com/
@vasekkral Can you please provide any code to show that the certificate on https://rfc3161.ai.moda/azure vs. http://timestamp.acs.microsoft.com is different? (Spoiler hint: it's not different.)
Microsoft Azure's timestamping server itself doesn't use the exact same full certificate chain on each result. You can check this yourself.
```sh
# Request a timestamp directly from Microsoft, pull the certificates out of the token, and show only the signer's subject
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl -s --data-binary @- http://timestamp.acs.microsoft.com | openssl ts -reply -in /dev/stdin -token_out -out /dev/stdout | openssl pkcs7 -inform DER -in /dev/stdin -print_certs -text | grep "nShield TSS"
```
Outputs from multiple runs:

```text
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7A00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
...
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
```
See how the OU field changes? Microsoft's servers have more than one Thales nShield HSM. So your idea would never have worked, except sometimes, at random, by pure chance.
> The thing is that we need to regularly download CA root certificates for our timestamping service to work.

You are making a fundamental error in your approach. If you request the certificate to be included in the TSR, there is no need to download any CA root certificates on a regular basis. You should only be downloading and trusting ONE root CA from Microsoft.
If you do this, you should not need to download a new CA cert from Microsoft until 2045.
The only regular downloads you should do, are checking to make sure the certificate hasn't been revoked.
@Manouchehri thanks for comprehensive explanation. I get it now and everything works just fine.
As of a few days ago, http://timestamp.digicert.com no longer supports the SHA-512 or SHA-384 hashing algorithms for timestamping.
I'm using signtool.exe version 10.0.19041.685.
Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:

```bat
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
```

Works:

```bat
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
```

Using /td SHA256 works with http://timestamp.digicert.com:

```bat
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
```