The Timestamping Authority (TSA) solution processes timestamp requests to provide proof that a digital document, message, or transaction:

• Existed at a specific point in time
• Has not been altered since that time

On a timestamping transaction:

• The client submits the hash of a document (never the document itself) in a timestamp request. 
• The Timestamping Authority returns a DER-encoded timestamp token (CMS SignedData) that binds that hash to a trusted time value.

See below for the Timestamping Authority key capabilities.

Multiple timestamp issuers

A single deployment can host several independent TSA identities, each with its own signing key, certificate chain, and policy OID.

HSM integration

Timestamp Authority supports both file-based (PEM) signing keys and Hardware Security Modules via PKCS#11

Configurable padding scheme

Timestamp Authority supports both RSA and RSA-PSS signature padding schemes.

Configurable hash algorithms

Timestamp Authority supports the following hash algorithms.

• SHA-1 (supported for legacy compatibility)
• SHA-224
• SHA-256
• SHA-384
• SHA-512

Reliable time source

Timestamp Authority integrates with a clock-status service that monitors NTP synchronization. 

When the clock error exceeds the configured threshold, the TSA returns a timeNotAvailable response. The TSA continues to return this response until the clock is resynchronized, after which it resumes normal timestamp responses.

Standard compliance

Timestamping Authority is compliant with the following standards.