TSAmpa: Trusted Timestamping


Trusted timestamping is the process of securely keeping track of the creation and modification times of a document. Security here means that no one – not even the owner of the document – should be able to change it once it has been recorded provided that the timestamper’s integrity is never compromised. (Wikipedia: The Free Encyclopedia, s.v. “Trusted Timestamping”)

TSAmpa is a customer-hosted (on-premise or cloud) timestamping authority that provides RFC 3161 or Microsoft Authenticode timestamps to time-sensitive transactions. TSAmpa is well suited to organizations running systems that operate offline yet still need timestamping services.

Offline Code Signing
Fully compliant with IETF Standards, Dhuma can be provisioned with CRLs

TSAmpa allows an organization to apply timestamps when digitally signing applications on offline or disconnected networks. By operating TSAmpa on the same network, organizations can digitally sign and timestamp applications without exposing signature keys to the Internet and the malware designed to steal or misuse code signing credentials.

Digitally Signing Applications
Sign and timestamp code using Microsoft’s SignTool, Jarsigner, and other code signing tools

Digitally Signing Documents
Sign and timestamp documents using Adobe Acrobat, Microsoft Office, and other applications

Timestamping Financial Transactions
Sign and timestamp transactions so that recipients know, for sure, that the information is unchanged


  • Produces unlimited timestamps and is licensed per-user, not per-timestamp produced
  • Provides long-term signature verification capabilities
  • May be easily deployed and managed
  • Appropriate for organizations of any size, scaling up to millions of users
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and proven security standards, including ANSI X.509 and IETF-PKIX, OCSP, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements (when used with ISC’s software cryptographic module); a higher level of assurance can be obtained by employing a third party HSM
  • Supports both Microsoft Authenticode and RFC 3161 protocols
  • Syncs time using NTP or HSM with hardware clock
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA self-signed certificates and PKCS#10 requests
  • Supports SHA-256, SHA-384, and SHA-512
  • Maintains audit trails of all actions

System Requirements

  • Windows Server 2012 R2 or above
  • Windows 7, 8, 8.1, 10, or above
  • CentOS 6.7 (Linux Kernel 2.6) or above (x64)
  • 4GB RAM, 50GB Disk, CPU w/RDRAND instruction
  • Java Runtime Environment 1.8 or higher
  • PostgreSQL, HyperSQL, or Oracle database