Skip to main content
Version: Version 1.7

Use a time-stamp authority

A time-stamp authority (TSA) provides trusted, cryptographically secure time-stamp information. This time-stamp information can be used to apply a digital time-stamp to a document, which verifies that the document existed at a point in time, and that the content of the document has not been changed.

The TSA must support the time-stamp protocol as defined in the IETF RFC 3161.

The GlobalSign and Swisscom cryptographic providers have their own TSA with which the user can generate trusted time-stamp information. The Built-in and PKCS#11 cryptographic providers require a third-party TSA to be configured.

To configure the TSA, you must pass the URI of the TSA to the cryptographic provider and call the CreateTimestamp method.

Time-stamp authority URI

When applying a digital time-stamp to a document, the time-stamp authority (TSA) URI must be passed to the cryptographic provider in the TimestampUrl property.

The TimestampUrl property value must be a URI with the following elements:



  • http/https: Protocol for connecting to the TSA.
  • ‹user›:‹password› (optional): Credentials for connecting to the TSA (basic authorization).
  • ‹host›: Hostname of the TSA.
  • ‹port›: Port for connecting to the TSA.
  • ‹resource›: The resource.

HTTPS connections

When connecting to the time-stamp authority using HTTPS (SSL/TLS) communication, the server certificate's trustworthiness is verified using the system's default trust store (CA certificate store). For information about configuring the trust store, see Configure HTTPS connections.

Proxy server

In a secured environment, the firewall must be configured to allow a connection to the time-stamp authority. If a proxy server is used, the following MIME types must be supported:

  • application/timestamp-query
  • application/timestamp-reply