Service live — Nürnberg, Germany

Digital trust is a
public good.
Not a privilege.

Open TSA provides free, open-source RFC 3161 timestamp infrastructure for Europe — so that any developer, researcher, NGO, or startup can build on a solid trust foundation without cost or lock-in.

Get started → ♥ Support this project
bash — timestamp your document
# Request a timestamp $ openssl ts -query -data document.pdf \ -cert -sha256 -no_nonce -out req.tsq $ curl -s -S \ -H "Content-Type: application/timestamp-query" \ --data-binary @req.tsq \ https://tsr.open-tsa.eu -o resp.tsr # Verify $ openssl ts -verify \ -in resp.tsr -queryfile req.tsq \ -CAfile ca.crt -untrusted fullchain.pem Verification: OK
RFC 3161Standard compliant
0 €Cost to you
🇩🇪 DEServer location
MITOpen source license
Our mission

Why this exists

A trusted timestamp is not an end product — it is infrastructure. Every system building document signing, code signing, audit trails, or identity verification needs a TSA as a foundational component.

Today, that component is either expensive (commercial TSAs cost €200–1,000+/year) or unreliable (the dominant free service is operated by a single private individual with no open-source code and no redundancy).

"Digital freedom requires open infrastructure. Cryptographic trust should not be a privilege of those who can afford it."

Open TSA fills this gap. We lower the barrier to entry for an entire class of European security projects to zero.

CA Hierarchy

Built for the long term

open-ca.eu Root CA (2026–2051 · 25 years · OFFLINE) └── open-tsa.eu TSA Root CA (2026–2041 · 15 years · OFFLINE) └── TSA Intermediate CA (2026–2036 · 10 years) └── TSA Signing Cert (2026–2028 · 2 years)

Root keys are kept offline. All source code is published under MIT license. View on GitHub →

Protocol

How RFC 3161 timestamping works

Your document never leaves your system. Only a cryptographic hash is sent to our server — we never see your content.

Step 01

Hash your document

A SHA-256 (or SHA-384/512) hash of your document is computed locally. The document itself is never transmitted.

Step 02

Request a timestamp

The hash is sent as an RFC 3161 TimeStampRequest to tsr.open-tsa.eu. Our server signs it with the current time and returns a TimeStampResponse.

Step 03

Verify anytime

The response proves that your document existed in its exact form at that specific moment in time. Verification works offline, forever.

Developer docs

Get started in 60 seconds

bash
# Step 1: Download CA certificates (once) curl -s https://open-tsa.eu/certs/ca.crt -o ca.crt curl -s https://open-tsa.eu/certs/fullchain.pem -o fullchain.pem # Step 2: Timestamp your document openssl ts -query -data document.pdf -cert -sha256 -no_nonce -out req.tsq curl -s -S -H "Content-Type: application/timestamp-query" \ --data-binary @req.tsq https://tsr.open-tsa.eu -o resp.tsr # Step 3: Verify openssl ts -verify -in resp.tsr -queryfile req.tsq \ -CAfile ca.crt -untrusted fullchain.pem Verification: OK
Node.js
const fs = require('fs'); const { execFile } = require('child_process'); const { promisify } = require('util'); const execAsync = promisify(execFile); async function timestamp(filePath) { const tsq = `/tmp/ts-${Date.now()}.tsq`; await execAsync('openssl', ['ts', '-query', '-data', filePath, '-cert', '-sha256', '-no_nonce', '-out', tsq]); const response = await fetch('https://tsr.open-tsa.eu', { method: 'POST', headers: { 'Content-Type': 'application/timestamp-query' }, body: fs.readFileSync(tsq), }); if (!response.ok) throw new Error(`TSA ${response.status}`); return Buffer.from(await response.arrayBuffer()); // .tsr }
Python
import subprocess, requests, tempfile, os def timestamp(file_path: str) -> bytes: with tempfile.NamedTemporaryFile(suffix='.tsq', delete=False) as f: tsq = f.name try: subprocess.run(['openssl', 'ts', '-query', '-data', file_path, '-cert', '-sha256', '-no_nonce', '-out', tsq], check=True, capture_output=True) with open(tsq, 'rb') as f: data = f.read() r = requests.post('https://tsr.open-tsa.eu', data=data, headers={'Content-Type': 'application/timestamp-query'}, timeout=15) r.raise_for_status() return r.content finally: os.unlink(tsq)
.env
# Drop-in replacement for any RFC 3161 TSA TSA_URL=https://tsr.open-tsa.eu TSA_CA_URL=https://open-tsa.eu/certs/ca.crt TSA_FULLCHAIN_URL=https://open-tsa.eu/certs/fullchain.pem # API info curl https://open-tsa.eu/info

Full documentation → open-tsa.eu/docs/

Trust

CA Certificates

Download the CA certificates once to verify timestamps offline. Supplied explicitly — our root CA is not yet in public trust stores.

🔐
open-ca.eu Root CA Valid 2026–2051 · 25 years
↓ ca.crt 🔑
open-tsa.eu TSA Root CA Valid 2026–2041 · 15 years
↓ tsa-root.crt 📜
TSA Intermediate CA Valid 2026–2036 · 10 years
↓ intermediate.crt ⛓️
Full Certificate Chain All CAs in one file
↓ fullchain.pem
What's next

Roadmap

Phase 1 — Now

Free public TSA

RFC 3161 compliant endpoint live in Germany. 4-tier CA hierarchy. Open-source code on GitHub.

● Live
Phase 2 — 2027

Multi-region + Sub-CA

Redundant nodes in Helsinki + Falkenstein. GeoDNS failover. Sub-CA under HARICA for automatic trust in all major browsers.

Planned
Phase 3 — 2028+

Open CA family

Expand open-ca.eu to cover document signing and TLS. Apply for Mozilla root program inclusion.

Roadmap
Latest

News & Updates

Uncategorized

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!

Read more →

All posts →