- https://rfc3161.ai.moda
- https://rfc3161.ai.moda/adobe
- https://rfc3161.ai.moda/microsoft
- https://rfc3161.ai.moda/apple
- https://rfc3161.ai.moda/any
- http://rfc3161.ai.moda
- http://timestamp.digicert.com
- http://timestamp.globalsign.com/tsa/r6advanced1
- http://rfc3161timestamp.globalsign.com/advanced
- http://timestamp.sectigo.com
- http://timestamp.apple.com/ts01
- http://tsa.mesign.com
- http://time.certum.pl
- https://freetsa.org
- http://tsa.startssl.com/rfc3161
- http://dse200.ncipher.com/TSS/HttpTspServer
- http://zeitstempel.dfn.de
- https://ca.signfiles.com/tsa/get.aspx
- http://services.globaltrustfinder.com/adss/tsa
- https://tsp.iaik.tugraz.at/tsp/TspRequest
- http://timestamp.entrust.net/TSS/RFC3161sha2TS
- http://timestamp.acs.microsoft.com
We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com
Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!
Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?
I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?
I mean a list of URLs to all CAs' root certificates so we can download them and put them in the trusted list.
I can find one for ssl.com, for example: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#ftoc-heading-4
But where can I find the CA root certificate for the TSA http://timestamp.acs.microsoft.com?
The thing is, we cannot make a proper TSA request without having its CA root certificate in the local trusted list.
When the TSA can be done with any server from the list https://rfc3161.ai.moda/servers.json (thanks, that's quite nice), we need to have all root certificates in one place.
Hello! What can these servers be used for? Are they suitable for productive systems?
I am currently looking for a solution to sign log entries with some kind of trusted timestamp.
@Pique7 You can use them for anything, many folks are using https://rfc3161.ai.moda in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).
How can I verify the timestamp? I get a response from a random server. But I also would like to verify this response locally. But for that I need CA and intermediate files, I think. Could you also expose those/add them to the server list? I assume your backend has them in order to verify the response. Bonus for an example command :)
@chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service
```bash
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail

# Check that we have the URL of the TSA service as a first arg and its name as a second arg
if [ "$#" -ne 2 ]; then
  echo "Illegal number of parameters"
  echo "Usage: $0 <TSA_URL> <TSA_NAME>"
  exit 1
fi

TSA_URL=$1
TSA_NAME=$2

echo "==> We are trying to get the TSA certificate from the following service : $TSA_NAME ($TSA_URL)"
echo "==> Sending a signature request..."
openssl rand 256 | openssl ts -query -data - -cert -sha256 | curl -s -S --data-binary @- "$TSA_URL" --header "Content-Type: application/timestamp-query" -o - -v > "$TSA_NAME.reply.tsr"

echo "==> Verifying the response..."
openssl ts -reply -text -in "$TSA_NAME.reply.tsr" || (echo "==> Verification failed :" && cat "$TSA_NAME.reply.tsr" && rm "$TSA_NAME.reply.tsr" && exit 1)

echo "==> Extracting the token..."
openssl ts -reply -in "$TSA_NAME.reply.tsr" -token_out -out "$TSA_NAME.token.tk"

echo "==> Extracting the TSA certificate..."
openssl pkcs7 -inform DER -in "$TSA_NAME.token.tk" -print_certs -outform PEM -out "$TSA_NAME.cer"

echo "==> Extracting the TSA certificate as a .crt..."
openssl x509 -inform PEM -in "$TSA_NAME.cer" -out "$TSA_NAME.crt"

rm "$TSA_NAME.reply.tsr" "$TSA_NAME.token.tk"
```

Call it like `./request_crt.sh http://timestamp.acs.microsoft.com/ microsoft` to get everything in microsoft.crt
> I have made a script that extracts the .cer / .crt from a timestamping service
Thanks, that is great!
Would it be possible to make version of the script that downloads all certs for servers provided by https://rfc3161.ai.moda/servers.json?
> @chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service
That looks interesting. But it would suggest to me that the cert is already in the response? Or does anyone think that some of the openssl commands will fetch it in the background?
The `-cert` part in `openssl ts -query -data - -cert -sha256` asks the TSA to return its cert as well
> @Pique7 You can use them for anything, many folks are using https://rfc3161.ai.moda in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).
Thanks for your reply. Now I have another question:
The TSA certificate of my current test response has a validity of 10 years. I think that's a lot. But what can I do when the TSA certificate expires? Sorry if this question is too stupid or off-topic/misplaced.
The signature should still be considered valid (in my opinion), since it was signed within the original lifetime of the CA. It just can’t (or rather shouldn’t) be used for new signatures.
You shouldn’t have to do anything. All of the upstream servers for rfc3161.ai.moda should roll over to using new certificates long before the current ones expire.
If you want to see the CA that was used in the response for your request, you can use asn1parse. Example:
```bash
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl -s -S --data-binary @- https://rfc3161.ai.moda -o - -v | openssl asn1parse -in /dev/stdin -inform DER -dump
```
Thanks for the tip.
But once again: we are not able to generate a time stamp unless we have CA root certificate in the local "trusted" list.
Would it be possible to provide a list (URLs) of all available timestamping CA root certificates?
@vasekkral Sure. Note, these certificates do change over time.
```bash
#!/usr/bin/env bash

# Available cryptographic hash algorithms for timestamp requests
# These algorithms are tried sequentially until a successful response is received
hash_algorithms=(
  "sha512" "blake2b512" "blake2s256" "md4" "md5" "md5-sha1" "mdc2" "ripemd"
  "ripemd160" "rmd160" "sha1" "sha224" "sha256" "sha3-224" "sha3-256"
  "sha3-384" "sha3-512" "sha384" "sha512-224" "sha512-256" "shake128"
  "shake256" "sm3" "ssl3-md5" "ssl3-sha1" "whirlpool"
)

# Attempts to obtain a timestamp token from a TSA server using specified parameters
# Returns 0 on success, 1 on failure
try_timestamp_request() {
  local url="$1"        # TSA server endpoint
  local hash_algo="$2"  # Cryptographic hash algorithm
  local tmp_query="$3"  # Path to store the timestamp request
  local tmp_reply="$4"  # Path to store the server's response
  local tmp_token="$5"  # Path to store the extracted timestamp token

  # Process flow:
  # 1. Generate random data as input
  # 2. Create a timestamp query using the specified hash algorithm
  # 3. Send the query to the TSA server
  # 4. Extract the timestamp token from the response
  if openssl rand 512 | \
     openssl ts -query -data - -cert -"$hash_algo" > "$tmp_query" 2>/dev/null && \
     curl -H "Content-Type: application/timestamp-query" \
          -H "Accept: application/timestamp-reply" \
          -s -S --data-binary @"$tmp_query" "$url" -o "$tmp_reply" && \
     openssl ts -reply -in "$tmp_reply" -token_out -out "$tmp_token" 2>/dev/null; then
    return 0  # All operations completed successfully
  else
    return 1  # One or more operations failed
  fi
}

# Main processing loop: Retrieve and process TSA server information
curl -s https://rfc3161.ai.moda/servers.json | \
  jq -r '.[] | {name: .name, url: .url} | @json' | \
  while read -r line; do
    # Extract server details from JSON response
    name=$(echo "$line" | jq -r '.name')  # Server's friendly name
    url=$(echo "$line" | jq -r '.url')    # Server's API endpoint

    # Create filesystem-safe server name by removing special characters
    safe_name=$(echo "$name" | tr -c '[:alnum:]' '_' | tr -s '_' | sed 's/^_//;s/_$//')

    # Create temporary storage for request/response data
    tmp_query=$(mktemp)
    tmp_reply=$(mktemp)
    tmp_token=$(mktemp)

    success=false       # Tracks if any attempt succeeded
    successful_hash=""  # Records which hash algorithm worked

    # Try each hash algorithm until successful
    for hash_algo in "${hash_algorithms[@]}"; do
      echo "Trying $hash_algo for $name..."
      if try_timestamp_request "$url" "$hash_algo" "$tmp_query" "$tmp_reply" "$tmp_token"; then
        success=true
        successful_hash="$hash_algo"
        break
      fi
    done

    if [ "$success" = true ]; then
      # Extract and save the CA certificate from the successful response
      if openssl pkcs7 -inform DER -in "$tmp_token" -print_certs -outform PEM -out "${safe_name}.pem" 2>/dev/null; then
        echo "Successfully extracted CA certificate for: $name (using $successful_hash)"
        echo "$name,$url,$successful_hash" >> successful_servers.log
      else
        echo "$url" >> failed_ca_certs.log
        echo "Failed to extract CA certificate for: $name"
      fi
    else
      echo "$url" >> failed_ca_certs.log
      echo "Failed to get timestamp response from: $name (tried all hash algorithms)"
    fi

    # Cleanup temporary files to prevent disk space issues
    rm -f "$tmp_query" "$tmp_reply" "$tmp_token"
  done
```

This will dump the full certificate chain for all of the CAs. e.g. this is what my folder looks like after running the script:
```text
APED.pem                      Entrust.pem                                    QuoVadis_China.pem
Adacom.pem                    FreeTSA.pem                                    QuoVadis_EU.pem
Aloaha.pem                    GlobalSign.pem                                 SDA_GOV_GE.pem
Apple.pem                     IdenTrust.pem                                  SEP_Bulgaria.pem
Azure.pem                     Instituto_dos_Registos_e_do_Notariado_I_P.pem  SSL_com.pem
BalTstamp.pem                 Izenpe.pem                                     Sectigo.pem
Belgium_Federal_Goverment.pem Lex_Persona.pem                                SwissSign.pem
CNBS.pem                      Mahidol_University.pem                         Swiss_Goverment.pem
CatCert.pem                   MeSign.pem                                     TSA_SINPE.pem
Certum.pem                    Netlock.pem                                    successful_servers.log
Digicert.pem                  QuoVadis.pem
```
@Manouchehri great, thanks a lot, works perfectly. Now we can call our "time stamper" util with your load balancer.
I created a simple time stamp query http(s) client and sent a simple query to the servers mentioned in your list. Here are the simplified results:
Probably some of these URLs need a path (e.g. freetsa.org should be http(s)://freetsa.org/tsr).
http://timestamp.globalsign.com/tsa/r6advanced1: OK
http://timestamp.digicert.com: OK
http://timestamp.acs.microsoft.com: OK
http://time.certum.pl: OK
http://rfc3161timestamp.globalsign.com/advanced: OK
http://zeitstempel.dfn.de: fail
http://tsa.startssl.com/rfc3161: fail
http://tsa.mesign.com: fail
http://timestamp.sectigo.com: fail
http://timestamp.entrust.net/TSS/RFC3161sha2TS: fail
http://timestamp.apple.com/ts01: fail
https://tsp.iaik.tugraz.at/tsp/TspRequest: fail
https://rfc3161.ai.moda/microsoft: fail
https://rfc3161.ai.moda: fail
https://rfc3161.ai.moda/apple: fail
https://rfc3161.ai.moda/any: fail
https://rfc3161.ai.moda/adobe: fail
https://freetsa.org: fail
http://services.globaltrustfinder.com/adss/tsa: fail
https://ca.signfiles.com/tsa/get.aspx: fail
http://rfc3161.ai.moda: fail
http://dse200.ncipher.com/TSS/HttpTspServer: fail
@HeikoSchlittermann Could you please explain how your client works? Those results seem very wrong to me.
The following have stopped working for years:
http://tsa.startssl.com/rfc3161
http://services.globaltrustfinder.com/adss/tsa
http://dse200.ncipher.com/TSS/HttpTspServer
The following, as mentioned, had the URL wrong:
https://freetsa.org it should be: https://freetsa.org/tsr
The rest is working properly.
So something is wrong with your simple time stamp client.
**rfc3161 timestamping servers – updated September 2025**

∞ = long-term validity (LTV) enabled
↑ = increased sigvalue size; if using Adobe Acrobat on Windows, a registry modification may be required in accordance with these instructions

**Working**

QUALIFIED (EU Trust List)
- http://tss.accv.es:8318/tsa ∞
- https://timestamp.aped.gov.gr/qtss ↑
- http://tsa.baltstamp.lt ∞
- http://tsa.belgium.be/connect ∞
- http://ts.cartaodecidadao.pt/tsa/server ∞
- http://ts.quovadisglobal.com/eu ↑∞
- http://tsa.izenpe.com ∞
- http://timestamp.sectigo.com/qualified

TRUSTED (Adobe Trust List)
- http://rfc3161.ai.moda (and other URL variants) ↑
- http://timestamp.comodoca.com (and other URL variants) ↑
- http://timestamp.digicert.com
- http://timestamp.entrust.net (and other URL variants; issued by Sectigo) ↑∞
- http://timestamp.identrust.com
- http://timestamp.sectigo.com
- http://ts.quovadisglobal.com/ch ↑
- http://ts.ssl.com
- http://tsa.swisssign.net ↑
- https://tsa.wotrus.com

UNTRUSTED
- http://timestamp.apple.com/ts01
- http://time.certum.pl ↑
- https://tsa.cesnet.cz:3162/tsa
- http(s)://zeitstempel.dfn.de ↑
- http://tsa.sinpe.fi.cr/tsaHttp/ (trailing slash required)
- http://timestamp.globalsign.com/advanced (and other URL variants)
- https://freetsa.org/tsr
- http://tsa.lex-persona.com/tsa
- https://tsa.mahidol.ac.th/tsa/get.aspx
- https://time.mconnect.mc
- http://timestamp.acs.microsoft.com
- http://dss.nowina.lu/pki-factory/tsa/good-tsa
- http://timestamp.ssl.trustwave.com

**Not working**
- http://psis.catcert.cat/psis/catcert/tsp (timeout)
- http://tsa.mesign.com (timeout/crash, likely moved to https://tsa.wotrus.com)
- http://tsa.safecreative.org (timeout/crash)
- http://tsa.sep.bg (timeout/gone)
- http://sha256timestamp.ws.symantec.com/sha256/timestamp (timeout/error)
- https://tsp.iaik.tugraz.at/tsp/TspRequest (error)
As of a few days ago, http://timestamp.digicert.com no longer supports the SHA-512 or SHA-384 hashing algorithms for timestamping.
I'm using signtool.exe version 10.0.19041.685.
Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:
```
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
```
Works:
```
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
```
Using /td SHA256 works with http://timestamp.digicert.com:
```
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
```
Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com .
I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.
```bash
openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com > ms.tsr

echo
echo "Verify (Not Certs)"
openssl ts -verify -in ms.tsr -queryfile file.tsq

echo
echo "Verify2 (MS Root Cert)"
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt

echo
echo "Verify3 (Extract Cert)"
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt
```

```text
Using configuration from /usr/lib/ssl/openssl.cnf

Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:
certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate

Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:
X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:

Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:
ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate
```
@TylerDurden2019 Digicert works fine for me with SHA-512 and SHA-384.
```bash
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
openssl rand 512 | openssl ts -query -data - -cert -sha384 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin
```

```text
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha512
Message data:
    0000 - 4a bd d6 6e cf bb fc 97-95 f4 fe 25 07 6a d9 27   J..n.......%.j.'
    0010 - d7 e6 b3 e1 3e ed d4 2b-44 a1 2f f0 44 91 c1 49   ....>..+D./.D..I
    0020 - 22 84 50 f3 98 ba fc 4c-d6 ab df 48 2f 97 f5 36   ".P....L...H/..6
    0030 - 34 5f 18 df 83 f6 6b 6d-fe be 61 c3 b3 3c de 2d   4_....km..a..<.-
Serial number: 0x9CEFF4C18E28407E21D72B318DDEDD66
Time stamp: May 26 14:31:04 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x775FF9F2CBADC6AC
TSA: unspecified
Extensions:

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha384
Message data:
    0000 - 9e 2e af 17 b7 c9 3d c7-51 6e 18 4a 5f 1f 0d e0   ......=.Qn.J_...
    0010 - e8 eb b4 bc 4d 28 ac 90-9b bb d8 b0 7c 7b b2 48   ....M(......|{.H
    0020 - 02 fe a0 12 f0 2c b6 39-5f 69 a5 49 97 37 dd ad   .....,.9_i.I.7..
Serial number: 0xFC802032394A2B116538CBAA20EECCB5
Time stamp: May 26 14:32:19 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0xECD603090AAC72F5
TSA: unspecified
Extensions:
```
> We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com
> Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!
Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?
> Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?
@vasekkral It already is, it's listed as https://rfc3161.ai.moda/azure :)
> Could you please add http://timestamp.acs.microsoft.com into https://rfc3161.ai.moda/servers.json too?
> @vasekkral It already is, it's listed as https://rfc3161.ai.moda/azure :)
Thanks for the info.
But as it is not exactly listed in https://rfc3161.ai.moda/servers.json the tool for downloading CA root certificates does not download the one for http://timestamp.acs.microsoft.com
> But as it is not exactly listed in https://rfc3161.ai.moda/servers.json the tool for downloading CA root certificates does not download the one for http://timestamp.acs.microsoft.com
@vasekkral Can you share how you're checking that? On my end, I can definitely see that https://rfc3161.ai.moda/azure is proxied to http://timestamp.acs.microsoft.com. You can always verify this by looking at the via header. (e.g. via: HTTP/1.0 timestamp.acs.microsoft.com, via: HTTP/1.0 timestamp.digicert.com, via: HTTP/1.0 timestamp.sectigo.com, etc.)
```bash
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/azure -o rand_response.tsr -v
# ^ you can see `< via: HTTP/1.0 timestamp.acs.microsoft.com` in the response headers
openssl ts -reply -in rand_response.tsr -token_out -out rand_response.tsr.pkcs7
openssl pkcs7 -inform DER -in rand_response.tsr.pkcs7 -print_certs -text
```
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:05:e5:cf:0f:ff:66:2e:c9:87:00:00:00:00:00:05
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Identity Verification Root Certificate Authority 2020
        Validity
            Not Before: Nov 19 20:32:31 2020 GMT
            Not After : Nov 19 20:42:31 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: [hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
            X509v3 Extended Key Usage:
                Time Stamping
            1.3.6.1.4.1.311.20.2:
                ..S.u.b.C.A
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                C8:7E:D2:6A:85:2A:1B:CA:19:98:04:07:27:CF:50:10:4F:68:A8:A2
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl
            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crt
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value: [hex omitted]
-----BEGIN CERTIFICATE-----
[PEM omitted]
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:55:d9:dd:69:26:28:f9:f8:e2:00:00:00:00:00:55
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Public RSA Timestamping CA 2020
        Validity
            Not Before: Oct 23 20:46:49 2025 GMT
            Not After : Oct 22 20:46:49 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: [hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                56:04:5F:10:6D:DC:08:03:F0:C8:BF:A9:C9:16:CA:C1:D7:AC:65:B6
            X509v3 Authority Key Identifier:
                6B:69:28:3A:35:2F:48:63:40:CF:7B:D8:AF:49:E9:3E:D9:3D:DB:21
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl
            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                Time Stamping
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.76.509.1.1
                  CPS: http://www.microsoft.com/pkiops/Docs/Repository.htm
                Policy: 2.23.140.1.4.2
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value: [hex omitted]
-----BEGIN CERTIFICATE-----
[PEM omitted]
-----END CERTIFICATE-----
```
@Manouchehri I am afraid there is a confusion.
The "proxy" https://rfc3161.ai.moda/azure -> http://timestamp.acs.microsoft.com/ works fine.
The thing is that we need to regularly download CA root certificates for our timestamping service to work.
As http://timestamp.acs.microsoft.com/ is not listed in https://rfc3161.ai.moda/servers.json the script you provided for CA root certificate download does not get the certificate for http://timestamp.acs.microsoft.com/
@vasekkral Can you please provide any code to show that the certificate on https://rfc3161.ai.moda/azure vs. http://timestamp.acs.microsoft.com is different? (Spoiler hint: it's not different.)
Microsoft Azure's timestamping server itself doesn't use the exact same full certificate chain on each result. You can check this yourself.
```bash
# closing quote on the grep pattern was missing in the original paste
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl -s --data-binary @- http://timestamp.acs.microsoft.com | openssl ts -reply -in /dev/stdin -token_out -out /dev/stdout | openssl pkcs7 -inform DER -in /dev/stdin -print_certs -text | grep "nShield TSS"
```
Outputs from multiple runs:
```text
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7A00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
...
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft America Operations, OU=nShield TSS ESN:7D00-05E0-D947, CN=Microsoft Public RSA Time Stamping Authority
```
See how the OU field changes? Microsoft's servers have more than one Thales nShield HSM. So your idea would never have worked, except sometimes at random by pure chance.
> The thing is that we need to regularly download CA root certificates for our timestamping service to work.
You are making fundamental error(s) in your approach. If you request the certificate to be included in the TSR, there is no need to download any CA root certificates on a regular basis. You should only be downloading and trusting ONE root CA from Microsoft.
If you do this, you should not need to download a new CA cert from Microsoft until 2045.
The only regular downloads you should do are checking to make sure the certificate hasn't been revoked.
@Manouchehri thanks for comprehensive explanation. I get it now and everything works just fine.