Timestamps - Information for users

What timestamps are for

The purpose of a timestamp is to associate indisputable time information with a particular object. It usually serves as proof that a document existed at a given time in the past. A timestamp can be requested by a user for a file (timestamps for PDF documents can be generated in Adobe Acrobat Reader once it has been configured) or by a server (for logging).

Technical parameters of the service

Timestamps are issued by a time stamp authority (TSA). CESNET operates two servers (primary and secondary) with a time stamp service. They are managed by CESNET PKI.

The service can issue timestamps with both the old attribute format (ESSCertID, see RFC 3161) and the new attribute format (ESSCertIDv2, see RFC 5816). The old format only supports the SHA-1 hash, but it is still the most widespread. The new format is supported in OpenSSL up to version 1.1.1. If possible, we recommend using the new ESSCertIDv2 format.

Timestamp servers are available at:

How to obtain and verify a timestamp

The following procedure is for UNIX-type operating systems only. In it we prepare a data file, obtain a timestamp for it, and verify that the timestamp is valid.

First prepare the data file:

echo 'sator arepo tenet opera rotas' > data.txt

We now have a file named data.txt for which we want to get a timestamp. First we need to generate a TSA request using OpenSSL:

openssl ts -query -data data.txt -no_nonce -cert -out data.tsq

The request is stored in the data.tsq file. Now send the request to the timestamp server:

cat data.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- http://tsa1.cesnet.com:3161/tsa -o data.tsr

The timestamp is now stored in the data.tsr file. Use the following command to print its content in human-readable form:

openssl ts -reply -in data.tsr -text

You can now verify that no one has tampered with the file. To verify the signature, you must first download all CA certificates up to the root and place them in one file:

curl -s https://crt.cesnet-ca.cz/CESNET_CA_Root.pem -o CESNET_CA_Root.pem
curl -s https://crt.cesnet-ca.cz/PersonalSigning2.pem -o PersonalSigning2.pem
cat CESNET_CA_Root.pem PersonalSigning2.pem > TrustedCertificates.pem

After this step, the TrustedCertificates.pem file contains the CA certificates. You can now verify the signature:

openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem

If everything went right, you should see something like:

Verification: OK

You can now try what happens if you modify the data.txt data file. Change the contents of this file:

echo 'Roma tibi subito motibus ibit amor' > data.txt

and run the verification command again:

openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem

Verification should fail with an error message similar to the following:

Verification: FAILED
140345687674584:2F064067:time stamp routines:TS_CHECK_IMPRINTS:message imprint mismatch:ts_rsp_verify.c:672:
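
The following added example (not part of the original page or of CESNET's or OpenSSL's code) builds the same kind of request as the openssl ts -query command above and shows that it carries only a digest of data.txt, which is why changing the file causes the "message imprint mismatch" error. The function names, the hand-written DER encoding and the SHA-256 default are assumptions made for illustration; the check is run against the request, whose imprint the TSA's reply repeats.

```python
import hashlib

# DER-encoded OIDs of the digests an RFC 3161 MessageImprint may name.
HASH_OIDS = {
    "sha1": bytes.fromhex("06052b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}

def tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def build_tsq(data, alg="sha256"):
    """TimeStampReq with version 1, messageImprint, no nonce, certReq TRUE."""
    alg_id = tlv(0x30, HASH_OIDS[alg] + b"\x05\x00")  # OID + NULL parameters
    imprint = tlv(0x30, alg_id + tlv(0x04, hashlib.new(alg, data).digest()))
    return tlv(0x30, b"\x02\x01\x01" + imprint + b"\x01\x01\xff")

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (value, offset of the next TLV)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next k bytes hold the length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + length], pos + length

def parse_imprint(tsq):
    """Return (digest name, digest bytes) carried in a TimeStampReq."""
    req, _ = read_tlv(tsq, 0)
    _, pos = read_tlv(req, 0)               # skip the version INTEGER
    imprint, _ = read_tlv(req, pos)
    alg_id, pos = read_tlv(imprint, 0)
    digest, _ = read_tlv(imprint, pos)
    _, oid_end = read_tlv(alg_id, 0)
    name = next(n for n, der in HASH_OIDS.items() if der == alg_id[:oid_end])
    return name, digest

def imprint_matches(tsq, data):
    """Recompute the digest of data and compare it with the stored imprint."""
    name, digest = parse_imprint(tsq)
    return hashlib.new(name, data).digest() == digest

if __name__ == "__main__":
    tsq = build_tsq(b"sator arepo tenet opera rotas\n")  # what echo wrote to data.txt
    print(len(tsq), parse_imprint(tsq)[0], imprint_matches(tsq, b"sator arepo tenet opera rotas\n"))
    print(imprint_matches(tsq, b"Roma tibi subito motibus ibit amor\n"))
```

Because only the digest leaves the machine, the timestamp server never sees the content of data.txt.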

Terms of Service

Currently the service is intended for research and educational institutions and other registered users.


The service is provided free of charge by CESNET.


All suggestions and comments should be sent to support@cesnet.cz.

Last modified: 2020/01/06 13:50