Certificates
Open TSA uses a 4-tier CA hierarchy. Download the certificates once and store them alongside your archived timestamps.
Download URLs
| Certificate | URL | Valid until |
|---|---|---|
| open-ca.eu Root CA | certs/ca.crt | 2051 |
| open-tsa.eu TSA Root CA | certs/tsa-root.crt | 2041 |
| TSA Intermediate CA | certs/intermediate.crt | 2036 |
| TSA Signing Certificate | certs/tsa.crt | 2028 |
| Full Chain (all 3 CAs) | certs/fullchain.pem | — |
CA hierarchy
open-ca.eu Root CA
(2026–2051 · 25 years · self-signed · OFFLINE)
└── open-tsa.eu TSA Root CA
(2026–2041 · 15 years · OFFLINE)
└── open-tsa.eu TSA Intermediate CA
(2026–2036 · 10 years)
└── open-tsa.eu TSA Signing Certificate
(2026–2028 · 2 years · EKU: timeStamping)
Which files do I need?
| Use case | Files needed |
|---|---|
| Verify a timestamp (openssl) | ca.crt + fullchain.pem |
| Long-term archival | All 4 certificates |
| Self-hosted verification tool | fullchain.pem |
Note: The
open-ca.eu Root CA is not in any public trust store. You must supply it explicitly with -CAfile ca.crt when running openssl ts -verify.
Inspect a certificate
curl -s https://open-tsa.eu/certs/ca.crt | openssl x509 -noout -text