check_tsa
check_tsa is a Nagios/Icinga plugin that checks timestamps generated by TSA servers (RFC 3161).
Usage
Usage: check_tsa -H host -p port -P path [OPTIONS..]
       or -u TSA_URL [OPTIONS..]
general options:
  -h                  show this help
  -v                  increase verbosity
  -V                  show version
  -w days             TSA certificate expiration warning (implies -C)
  -c days             TSA certificate expiration critical (implies -C)
                      (if -w/-c options are not provided, upcoming certificate
                      expiration is not checked)
TSA query Options:
  -p port             port number (default: default service protocol port)
  -P path             HTTP request path (default: /)
  -s protocol         protocol (scheme) (default: http)
  -t seconds          timeout (default: 3)
                      if not provided, DEFAULT_SOCKET_TIMEOUT applies, if available
  -a sha1|sha256|..   message digest (hash) algorithm (default: sha256)
  -i filename         use file as input document (if not provided, empty file is used)
  -C                  include certificate request in the query
  -O OID              request policy
  -4                  resolve hostname to IPv4 address
  -6                  resolve hostname to IPv6 address
verification options:
  -b filename         CA certificate file/bundle (openssl CAfile)
  -d dirname          CA certificate directory (openssl CApath)
  -x filename         TSA certificate
other options:
  -Q filename         save TSA query
  -R filename         save TSA response
Timestamps generated by a hypothetical TSA server at http://tsa.example.org/tsa can be verified with any of the following example commands:
check_tsa -H tsa.example.org -P /tsa -b EXAMPLE_CA_Root.pem -x EXAMPLE_TSA.pem
check_tsa -H tsa.example.org -P /tsa -b EXAMPLE_CA_Root.pem -C
check_tsa -H tsa.example.org -P /tsa -b EXAMPLE_CA_Root.pem -C -a sha512
check_tsa -u http://tsa.example.org/tsa -b EXAMPLE_CA_Root.pem -C -a sha512
Real-world example
$ wget -q 'http://www.globaltrustfinder.com/download.aspx?file=TrustAnchor\Ascertia\Ascertia%20Root%20CA%202.cer' -O ascertia_ca_2.crt
$ wget -q 'http://www.globaltrustfinder.com/download.aspx?file=TrustAnchor\Ascertia\Ascertia%20Public%20CA%201.cer' -O ascertia_publ_ca_1.crt
$ openssl x509 -in ascertia_ca_2.crt -inform DER -out ascertia_ca_2.pem -outform PEM
$ openssl x509 -in ascertia_publ_ca_1.crt -inform DER -out ascertia_publ_ca_1.pem -outform PEM
$ cat ascertia_ca_2.pem ascertia_publ_ca_1.pem > ascertia_bundle.pem
$ check_tsa -H services.globaltrustfinder.com -P /adss/tsa -C -b ascertia_bundle.pem
TSA OK: http://services.globaltrustfinder.com/adss/tsa TSR verified
$ check_tsa -H services.globaltrustfinder.com -P /adss/tsa -C -b ascertia_bundle.pem -v
TSA OK: http://services.globaltrustfinder.com/adss/tsa TSR verified; Jun 17 08:30:17 2014 GMT; /C=GB/O=Ascertia/CN=GlobalTrustFinder-Timestamping Service; sha1; 0x31D827AD23A306; 1.1.1.1.1
Requirements
check_tsa version 0.6 uses sh, curl, GNU date, openssl and perl.
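The same kind of check done by hand with openssl and curl, as an added example that is not check_tsa's own code: it builds an RFC 3161 query, posts it to the TSA and verifies the response against a CA bundle. The function names tsa_query and tsa_check and the UNKNOWN/CRITICAL message texts are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not check_tsa's own code.
# Return codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# tsa_query INPUT OUT [DIGEST]: write an RFC 3161 query for INPUT to OUT.
# -cert asks the TSA to include its signing certificate in the response.
tsa_query() {
    openssl ts -query -data "$1" "-${3:-sha256}" -cert -out "$2" >/dev/null 2>&1
}

# tsa_check URL CAFILE [INPUT]: query the TSA and verify its response.
tsa_check() {
    url=$1; cafile=$2; input=$3
    if [ -z "$url" ] || [ ! -r "$cafile" ]; then
        echo "TSA UNKNOWN: usage: tsa_check URL CAFILE [INPUT]"
        return 3
    fi
    tmp=$(mktemp -d) || return 3
    # Like check_tsa without -i, timestamp an empty document by default.
    [ -n "$input" ] || { input=$tmp/empty; : > "$input"; }
    rc=0
    if ! tsa_query "$input" "$tmp/req.tsq"; then
        echo "TSA UNKNOWN: cannot build query"; rc=3
    elif ! curl -sS -f -m 3 -o "$tmp/resp.tsr" \
            -H 'Content-Type: application/timestamp-query' \
            --data-binary "@$tmp/req.tsq" "$url" 2>/dev/null; then
        echo "TSA CRITICAL: $url no usable HTTP response"; rc=2
    # -queryfile makes openssl compare nonce and message imprint with the
    # request, then check the token signature up to a CA in CAFILE.
    elif ! openssl ts -verify -queryfile "$tmp/req.tsq" -in "$tmp/resp.tsr" \
            -CAfile "$cafile" >/dev/null 2>&1; then
        echo "TSA CRITICAL: $url TSR verification failed"; rc=2
    else
        echo "TSA OK: $url TSR verified"
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call it as tsa_check http://tsa.example.org/tsa EXAMPLE_CA_Root.pem; a response that does not chain to the given CA bundle, or that does not match the query, yields CRITICAL.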
Download
check_tsa-0.6.tgz (SHA1 sum: 5d6b3eb7043302f382bb6e45075eeafd8bc60523)