Long-Term Validity

Updated: April 4, 2026 1 min read

Timestamps issued by Open TSA remain permanently verifiable — even after the signing certificate expires or the CA is rotated.

How long-term validity works

When you verify a timestamp, the check is:

“Was the TSA Signing Certificate valid at the moment the timestamp was issued?”

This is evaluated against the certificate’s notBefore and notAfter dates at the time of signing — not today’s date. So a timestamp issued in April 2026 will still verify correctly in 2030, 2040, or 2060.

What you need to keep

  • response.tsr — the timestamp token
  • request.tsq — the original timestamp query
  • ca.crt — the Root CA certificate at time of issuance
  • fullchain.pem — the intermediate chain at time of issuance
  • The original document
Archival best practice: Bundle all 5 items into a single ZIP or folder named after the document. Store it in your WORM archive. Never delete the CA certificates even after they expire.

CA rotation

If Open TSA ever rotates its CA (e.g. moves to a HARICA sub-CA), all previously issued timestamps remain valid using the old CA certificates. The old CA certificates will always remain publicly downloadable at https://open-tsa.eu/certs/archive/.