CA Hierarchy

Updated: April 4, 2026

Open TSA uses a 4-tier certificate hierarchy designed for long-term operation and future expansion to additional trust services.

Hierarchy

open-ca.eu Root CA
    Subject: C=DE, O=open-ca.eu, CN=open-ca.eu Root CA
    Valid:   2026-04-04 → 2051-03-29 (25 years)
    Key:     RSA 4096, SHA-256
    Status:  OFFLINE (root keys not on server)
└── open-tsa.eu TSA Root CA
        Subject: C=DE, O=open-tsa.eu, CN=open-tsa.eu TSA Root CA
        Valid:   2026-04-04 → 2041-03-31 (15 years)
        Status:  OFFLINE (root keys not on server)
    └── open-tsa.eu TSA Intermediate CA
            Valid:   2026-04-04 → 2036-04-01 (10 years)
            Status:  Online (server)
        └── open-tsa.eu TSA Signing Certificate
                Valid:   2026-04-04 → 2028-04-03 (2 years)
                EKU:     id-kp-timeStamping (critical)
                Status:  Active (signs all TSRs)

Design rationale

  • open-ca.eu Root CA — the long-lived trust anchor. Keys kept completely offline. Will serve as the root for future Open CA family services (SIGN, TLS).
  • open-tsa.eu TSA Root CA — product-specific root. Isolates the TSA service from other future services. If the TSA service is ever compromised, only this branch is affected.
  • Intermediate CA — operational CA on the server. Separates the Root from day-to-day signing operations.
  • Signing Certificate — 2-year rotation cycle. Renewed without touching the Root or Intermediate keys.

Policy OID

Open TSA uses OID 1.3.6.1.4.1.59085.1.1 as the default timestamping policy. This OID is registered under the Open TSA private enterprise arc.
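
To match the OIDs named on this page against a hex dump of a token or certificate, the following added example (not Open TSA's own code) encodes and decodes the policy OID and id-kp-timeStamping as DER OBJECT IDENTIFIERs per X.690. The function and constant names are assumptions made for the illustration, and only short-form lengths are handled.

```python
"""DER codec for the OIDs named on this page (X.690, OBJECT IDENTIFIER)."""

POLICY_OID = "1.3.6.1.4.1.59085.1.1"    # default timestamping policy (from the page)
TIMESTAMPING_EKU = "1.3.6.1.5.5.7.3.8"  # id-kp-timeStamping (RFC 3161)


def _base128(value: int) -> bytes:
    """Encode one arc big-endian, 7 bits per byte, high bit set on all but the last."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Return the full DER TLV (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    # The first two arcs share one sub-identifier: 40 * arc1 + arc2.
    body = _base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(tlv: bytes) -> str:
    """Decode a DER OID TLV, rejecting truncated or non-minimal encodings."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] > 127 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    arcs, value, at_start = [], 0, True
    for byte in tlv[2:]:
        if at_start and byte == 0x80:
            raise ValueError("non-minimal arc encoding")  # leading zero padding
        value = (value << 7) | (byte & 0x7F)
        at_start = not (byte & 0x80)
        if at_start:  # high bit clear: this byte ended the arc
            arcs.append(value)
            value = 0
    if not at_start:
        raise ValueError("truncated arc")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - first * 40] + arcs[1:]))
```

The enterprise arc 59085 does not fit in 7 bits, so it occupies three bytes (83 cd 4d) in the encoded policy OID.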