@Manouchehri
Last active December 27, 2025 05:41
List of free rfc3161 servers.
https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com
@Manouchehri
Author

But as it is not exactly listed in https://rfc3161.ai.moda/servers.json, the tool for downloading CA root certificates does not download the one for http://timestamp.acs.microsoft.com.

@vasekkral Can you share how you're checking that? On my end, I can definitely see that https://rfc3161.ai.moda/azure is proxied to http://timestamp.acs.microsoft.com. You can always verify this by looking at the via header. (e.g. via: HTTP/1.0 timestamp.acs.microsoft.com, via: HTTP/1.0 timestamp.digicert.com, via: HTTP/1.0 timestamp.sectigo.com, etc.)

openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/azure -o rand_response.tsr -v
# ^ you can see `< via: HTTP/1.0 timestamp.acs.microsoft.com` in the response headers

openssl ts -reply -in rand_response.tsr -token_out -out rand_response.tsr.pkcs7
openssl pkcs7 -inform DER -in rand_response.tsr.pkcs7 -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Identity Verification Root Certificate Authority 2020
        Validity
            Not Before: Nov 19 20:32:31 2020 GMT
            Not After : Nov 19 20:42:31 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
            X509v3 Extended Key Usage:
                Time Stamping
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                C8:7E:D2:6A:85:2A:1B:CA:19:98:04:07:27:CF:50:10:4F:68:A8:A2
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl

            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crt
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:55:d9:dd:69:26:28:f9:f8:e2:00:00:00:00:00:55
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
        Validity
            Not Before: Oct 23 20:46:49 2025 GMT
            Not After : Oct 22 20:46:49 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                56:04:5F:10:6D:DC:08:03:F0:C8:BF:A9:C9:16:CA:C1:D7:AC:65:B6
            X509v3 Authority Key Identifier:
                6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl

            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                Time Stamping
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.76.509.1.1
                  CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
                Policy: 2.23.140.1.4.2
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:

@vasekkral

@Manouchehri I am afraid there is some confusion.
The "proxy" https://rfc3161.ai.moda/azure -> http://timestamp.acs.microsoft.com/ works fine.

The thing is that we need to regularly download CA root certificates for our timestamping service to work.
As http://timestamp.acs.microsoft.com/ is not listed in https://rfc3161.ai.moda/servers.json, the script you provided for CA root certificate download does not get the certificate for http://timestamp.acs.microsoft.com/.

@Manouchehri
Author

@vasekkral Can you please provide any code to show that the certificate on https://rfc3161.ai.moda/azure vs. http://timestamp.acs.microsoft.com is different? (Spoiler hint: it's not different.)

Microsoft Azure's timestamping server itself doesn't use the exact same full certificate chain on each result. You can check this yourself.

openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl -s --data-binary @- http://timestamp.acs.microsoft.com | openssl ts -reply -in /dev/stdin -token_out -out /dev/stdout | openssl pkcs7 -inform DER -in /dev/stdin -print_certs -text | grep "nShield TSS"

Outputs from multiple runs:

        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7A00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
...
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority

See how the OU field changes? Microsoft's servers have more than one Thales nShield HSM. So your idea would never have worked, except sometimes at random by pure chance.

The thing is that we need to regularly download CA root certificates for our timestamping service to work.

You are making a fundamental error in your approach. If you request the certificate to be included in the TSR, there is no need to download any CA root certificates on a regular basis. You should only be downloading and trusting ONE root CA from Microsoft.

https://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt

If you do this, you should not need to download a new CA cert from Microsoft until 2045.

The only regular downloads you should do are for checking that the certificate hasn't been revoked.

@vasekkral

@Manouchehri thanks for the comprehensive explanation. I get it now and everything works just fine.
