The purpose is to associate unquestionable time information with a particular object. This usually serves as proof that the document existed at that time in the past. The user can request a timestamp for the file (it is possible to generate timestamps for PDF documents in Adobe Acrobat Reader after it has been configured) or a server (for logging).
Timestamps are issued by the time stamp authority. CESNET operates two servers (primary and secondary) with a time stamp service. They are managed by CESNET PKI.
The service can be used for timestamps with the new attribute format (ESSCertIDv2, see rfc5816). The new format is supported in OpenSSL up to version 1.1.1. Timestamp servers is available at:
The following procedure is for UNIX-type OS only. In this process, we prepare a data file, generate a timestamp for it, and verify that the tag is valid.
First prepare the data file:
echo 'sator arepo tenet opera rotas'> data.txt
We have a file named data.txt for which we want to get a timestamp. First we need to generate a TSA request using OpenSSL:
openssl-ts -query -data data.txt -no_nonce -cert -out data.tsq
The request is stored in the data.tsq file. All you have to do is send the request to the timestamp server:
cat data.tsq | curl -s -S 'Content-Type: application/timestamp-query' --data-binary @- https://tsa.cesnet.cz:5817/tsa/ -o data.tsr
The stamp is now stored in the data.tsr file. Use the command to get the content of the stamp in human readable form
openssl ts -reply -in data.tsr -text
You can now verify that no one has tampered with the file. To verify the signature, you must first download all CA certificates to the root and place them in one file:
curl -s https://crt.cesnet-ca.cz/CESNET_CA_Root.pem -o CESNET_CA_Root.pem curl -s https://crt.cesnet-ca.cz/PersonalSigning2.pem -o PersonalSigning2.pem cat CESNET_CA_Root.pem PersonalSigning2.pem> TrustedCertificates.pem
The TrustedCertificates.pem file lists CA certificates after this step. You can now verify your signature:
openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem
If everything went right, you should see something like
Verification: OK
You can now try what happens if you modify the data.txt data file. Change the contents of this file:
echo 'Roma tibi subito motibus ibit amor'> data.txt
and run the command again
openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem
Verification should fail with an error message similar to the following:
Verification: FAILED 140345687674584: 2F064067: time stamp routines: TS_CHECK_IMPRINTS: message imprint mismatch: ts_rsp_verify.c: 672:
Currently the service is intended for research and educational institutions and other registered users.
The service is provided free of charge by CESNET.
All suggestions and comments should be sent to support@cesnet.cz.