Timestamping
If any of the service modules use a time stamp authority (e.g. the Signing Service for time stamping of signatures, or the Verification Service for time stamping of response messages), then the details of one or more TSA servers need to be configured within Global Settings. Clicking on Timestamping will show the following screen:
The table of Timestamping authorities can be sorted in either Ascending or Descending order by selecting a table column from the drop-down list. The list can be sorted by "Server Address", "Policy ID", "Include Nonce", "Timeout", "Require Certificate", "Created At" or "Status".
To add or edit a TSA, click on the '+' button and the following screen is shown:
For TLS Authentication
For Basic Authentication
The fields are as follows:
| Items | Description |
|---|---|
| Status | Timestamp authorities can be marked either active or inactive. Inactive timestamp authorities are not used to generate timestamp tokens. |
| TSA Server Address | Add the TSA Server address. |
| Policy ID | Optionally configure the TSA Policy OID that will be referenced in the request message to the TSA Service. The Timestamping Authority will produce the timestamp token against the referenced policy. |
| Timeout | The timeout defines the period that ADSS Server should wait for a response from the TSA before closing the request. |
| Include nonce | Defines whether to add a unique (random) number to the request message. ADSS Server will then check that the response from the TSA also includes this number. |
| Require TSA Certificates | When this checkbox is enabled, the TSA will include its certificate in the Timestamp response. Note: It is recommended to enable this checkbox. |
| Perform revocation status checking for TSA certificates | When enabled, ADSS Server will perform revocation checking for the external Time Stamp Authority's certificate before accepting the response from that TSA. |
| TSA requires authentication | Check this option if the TSA Server requires authentication. It defines the following: |
| Use TLS client Authentication | If this option is enabled then ADSS Server will communicate with the Timestamping authority using TLS Client Authentication. Select the TLS Client Certificate which pre-exists in the Key Manager. Note: It is required to register the Issuer CA of the TLS Client certificate in Trust Manager with the purpose "CA for verifying TLS client certificates". |
| Use Basic Authentication (User ID and Password) | If this option is enabled then ADSS Server will communicate with the Timestamping authority using User ID and Password based authentication. It defines the following: |
| User ID | Provide the User ID used by ADSS Server to connect with this timestamping authority. |
| Password | Provide the corresponding password for the User ID to connect with this timestamping authority. |
| Authentication Scheme | Select the Authentication Scheme to be used for basic authentication: |
| Hashing Algorithm | Select the hash algorithm to be used to compute the message imprint for the timestamp request when a test connection is performed for this timestamp authority. The following hash algorithms are supported: |
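The following added example (not ADSS Server code) shows how the "Include nonce", "Require TSA Certificates" and "Hashing Algorithm" settings appear in an RFC 3161 timestamp request, and the nonce and message imprint check a client applies to the TSTInfo in the response. All function names are hypothetical, SHA-256 is assumed as the hash algorithm, the TSTInfo is a constructed sample rather than output from a real TSA, and validation of the token signature and TSA certificate is not shown.

```python
import hashlib, secrets

# AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG = bytes.fromhex("300d06096086480165030402010500")

def tlv(tag, body):
    # DER tag-length-value with a definite length (short or long form)
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (n if len(body) < 0x80 else bytes([0x80 | len(n)]) + n) + body

def der_int(v):
    # Non-negative INTEGER; the extra leading byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_request(data, include_nonce=True, require_cert=True):
    # TimeStampReq (RFC 3161, 2.4.1): version, messageImprint, nonce, certReq
    imprint = tlv(0x30, SHA256_ALG + tlv(0x04, hashlib.sha256(data).digest()))
    nonce = secrets.randbits(64) if include_nonce else None
    body = der_int(1) + imprint
    body += der_int(nonce) if include_nonce else b""       # "Include nonce"
    body += tlv(0x01, b"\xff") if require_cert else b""    # "Require TSA Certificates"
    return tlv(0x30, body), nonce

def read(buf, pos=0):
    # One DER element at pos -> (tag, value, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def fields(seq):
    # Top-level members of a DER SEQUENCE as (tag, value) pairs
    body, out, pos = read(seq)[1], [], 0
    while pos < len(body):
        tag, value, pos = read(body, pos)
        out.append((tag, value))
    return out

def token_matches(tst_info, request, nonce):
    # TSTInfo must repeat the request's messageImprint and nonce (RFC 3161, 2.4.2)
    got = fields(tst_info)
    ints = [int.from_bytes(v, "big") for t, v in got if t == 0x02]
    echoed = ints[2] if len(ints) > 2 else None   # version, serialNumber, nonce
    return got[2] == fields(request)[1] and echoed == nonce

def constructed_tst_info(request, nonce):
    # Constructed sample TSTInfo (policy 1.2.3.4, serial 7), not from a real TSA
    imprint = tlv(0x30, fields(request)[1][1])
    return tlv(0x30, der_int(1) + tlv(0x06, b"\x2a\x03\x04") + imprint + der_int(7)
               + tlv(0x18, b"20240101000000Z") + der_int(nonce))
```

A response whose nonce differs from the one sent, or whose message imprint belongs to other data, fails `token_matches` and should be rejected.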
See also
Timestamping
Connectors
Real Time Revocation
Notification Settings