Repository of Timestamp Public Key Certificates



Here is other Repository information.

Current Timestamp public keys 

  ECC-NIST ECC-Brainpool RSA  
DigiStamp Root CA Certificate certificate certificate certificate  
Certificate's SHA-1


Robots - Audit Certificates
certificate certificate certificate  
TSA 2 ( starts on 2017-11-07 )
certificate certificate certificate  
TSA 1 ( starts on 2017-11-21)
certificate certificate certificate  
Root CA and all Audit
bundled in PEM bundled in PEM bundled in PEM bundle all
TSA 11 - Legacy server
TSA 12 - Legacy server ( Also TSA2 until 2017-11-07 )


Curent Timestamp certificates
these are changed about every 6 mos.
TSA 1 . Timestamp Common
certificate certificate certificate  
TSA 2 . Timestamp Common
certificate certificate
TSA 1 . Timestamp Long
certificate certificate certificate  
TSA 2 . Timestamp Long
TSA 11 . Timestamp Common
TSA 12 . Timestamp Common

The prior / older Public Key certificates are here.

What are Certificates?

The public keys are provided for independent verification of the timestamps created by the DigiStamp timestamp servers. Each public key is provided as a standard x.509 certificate. The public keys are used to verify the digital signature contained in a timestamp. These certificates are commonly contained within each timestamp and they are also provided here for convenience.


Click here for additional information about what you need to verify a timestamp. 

DigiStamp Root CA Certificate

The root certificate can be downloaded and added to your software. For example, Adobe Acrobat signing tools.

Timestamp key life cycle 

The timestamp key-pairs are replaced frequently within the certified hardware device. The frequency is one year or after one million timestamps are created with the key-pair. Each event of "rekeying of the TSA key" results in the cryptographic module creating and signing a new x.509 public key certificate. The previous timestamp private key is destroyed at the time of rekeying. The timestamps created with that private key are authenticated using the x.509 public key certificate. More details are here where we describe that the timestamp private key cannot be extracted from the certified hardware device.

Names and addresses of the Timestamp Servers

The time stamp servers are available to generate production time stamps:

Best choice, find a location for me: at IP address

Specific servers:

"TSA1" - at IP address

"TSA2" - at IP address  (2017.11.07 will be at IP address:

Legacy Servers available until December 2017

"TSA11" - at IP address

"TSA12" - at IP address

The above servers use HTTP authentication using your DigiStamp account credentials. Use of SSL (https:) is optional.

If you using IP-Based Authentication (instead of HTTP authentication) then the names above are changed like this:

"TSA"  becomes:  "ipauth/tsa"