⏱ Time Stamping Authority — RFC 3161
Meerkat Testing TSA
A fully RFC 3161-compliant Time Stamping Authority for testing.
Submit a DER-encoded TimeStampReq and receive a cryptographically valid
TimeStampResp signed by the Meerkat TSA signing certificate.
Supports SHA-256, SHA-384, and SHA-512 message imprints.
Want to timestamp a file or text?
Use Meerkat TimeStampIt — upload or paste content, get a signed
.tsr token, and inspect it inline.
This page documents the raw HTTP API.
🕰️ Open TimeStampIt →
Testing only — do not use in production documents.
The Meerkat TSA is not a qualified or accredited TSA. Timestamps issued here carry no legal
weight and must not be embedded in documents, code signatures, or archives intended for
production use. The TSA signing certificate is issued under a private, untrusted CA hierarchy.
TSA Identity
| Endpoint URL | https://thameur.org/tsa |
| Signing Certificate | /C=TN/O=Meerkat MPCA by Thameur Belghith/CN=TSA |
| Valid From | 2026-05-16 |
| Valid Until | 2029-05-15 |
| Policy OID | 2.16.788.1.99.1.40 |
| Hash Algorithms | SHA-256 · SHA-384 · SHA-512 |
| TSA CA Certificate | https://pki.thameur.org/mpca/tsa_ca.crt |
| Chain (CA + Root) | http://pki.thameur.org/mpca/tsa_chain.pem |
API Endpoint
| Method | URL | Description |
|---|---|---|
| POST | https://thameur.org/tsa | Submit a DER-encoded TimeStampReq. Returns a DER-encoded TimeStampResp. Primary endpoint. |
| GET | https://thameur.org/tsa | Redirects to this documentation page. |
Request
| Header / Body | Value | Notes |
|---|---|---|
| Content-Type | required | Must be application/timestamp-query |
| Body | required | DER-encoded TimeStampReq (RFC 3161 §2.4.1). Maximum size: 64 KB. |
Success Response (HTTP 200)
| Header / Body | Value |
|---|---|
| Content-Type | application/timestamp-reply |
| Body | DER-encoded TimeStampResp (RFC 3161 §2.4.2). Contains PKIStatusInfo (granted) + TimeStampToken (CMS SignedData). |
TimeStampReq Structure (RFC 3161 §2.4.1)
| ASN.1 Field | Presence | Description |
|---|---|---|
| version | required | Must be v1 (1). |
| messageImprint.hashAlgorithm | required | OID of the digest algorithm. Accepted: SHA-256 (2.16.840.1.101.3.4.2.1), SHA-384, SHA-512. |
| messageImprint.hashedMessage | required | Raw digest bytes of the data being timestamped. |
| reqPolicy | optional | OID of the requested policy. If supplied, must be 2.16.788.1.99.1.40. |
| nonce | optional | Random integer for replay protection. Included verbatim in the response. |
| certReq | optional | If TRUE, the TSA signing certificate is embedded in the response token. |
TimeStampResp Structure (RFC 3161 §2.4.2)
| ASN.1 Field | Description |
|---|---|
| status.status | granted (0) on success. rejection (2) on failure — check statusString for the reason. |
| timeStampToken | CMS SignedData containing a TSTInfo (RFC 3161 §2.4.2). Present only when status is granted. |
| TSTInfo.version | v1 (1) |
| TSTInfo.policy | 2.16.788.1.99.1.40 |
| TSTInfo.messageImprint | Echo of the request's messageImprint. |
| TSTInfo.serialNumber | Monotonically incrementing integer per token. |
| TSTInfo.genTime | UTC time the token was generated (GeneralizedTime). |
| TSTInfo.nonce | Echo of the request nonce, if present. |
| SignerInfo.signatureAlgorithm | ECDSA with SHA-256 (P-256 key). |
Integration Guide
If you just want to timestamp a file without writing any code, use 🕰️ Meerkat TimeStampIt — it handles the TSQ/TSR flow for you and lets you download the token directly. The steps below are for integrating the TSA endpoint into your own tooling or pipeline.
Step 1 — Create a timestamp request with openssl
# Hash your file and create a TimeStampReq (nonce + certReq included)
openssl ts -query -data myfile.pdf -sha256 -no_nonce -cert -out request.tsq
# Or with a nonce for replay protection (recommended)
openssl ts -query -data myfile.pdf -sha256 -cert -out request.tsq
# Inspect the request
openssl ts -query -in request.tsq -text
Step 2 — Send the request to the TSA
curl -s -X POST https://thameur.org/tsa \
-H 'Content-Type: application/timestamp-query' \
--data-binary @request.tsq \
-o response.tsr
# Inspect the raw response
openssl ts -reply -in response.tsr -text
Step 3 — Verify the timestamp token
# Download the TSA chain (TSA CA + Meerkat Root CA)
curl -s -o tsa_chain.pem http://pki.thameur.org/mpca/tsa_chain.pem
# Verify the token against the original file
openssl ts -verify -in response.tsr -data myfile.pdf -CAfile tsa_chain.pem
# Or using the query file if you kept it
openssl ts -verify -in response.tsr -queryfile request.tsq -CAfile tsa_chain.pem
One-liner (request + timestamp in a single command)
openssl ts -query -data myfile.pdf -sha256 -cert \
| curl -s -X POST https://thameur.org/tsa \
-H 'Content-Type: application/timestamp-query' \
--data-binary @- \
-o response.tsr \
&& openssl ts -reply -in response.tsr -text
Python (using the requests library)
import subprocess, requests
# Create the TimeStampReq
tsq = subprocess.check_output(['openssl', 'ts', '-query', '-data', 'myfile.pdf', '-sha256', '-cert'])
# Send to TSA
resp = requests.post(
'https://thameur.org/tsa',
data=tsq,
headers={'Content-Type': 'application/timestamp-query'},
)
resp.raise_for_status()
with open('response.tsr', 'wb') as f:
f.write(resp.content)
Java (Apache HttpClient)
HttpPost post = new HttpPost("https://thameur.org/tsa");
post.setHeader("Content-Type", "application/timestamp-query");
post.setEntity(new ByteArrayEntity(tsqDerBytes));
CloseableHttpResponse response = httpClient.execute(post);
// response body is the DER-encoded TimeStampResp
byte[] tsr = EntityUtils.toByteArray(response.getEntity());
Error Responses
Errors return plain text with the matching HTTP status code.
| HTTP | Cause |
|---|---|
| 400 | Empty request body — no DER data received. |
| 405 | Wrong HTTP method (only GET and POST are accepted). |
| 415 | Wrong Content-Type — must be application/timestamp-query. |
| 500 | OpenSSL ts -reply failed — malformed TSQ, unsupported hash algorithm, or internal error. The error message contains the OpenSSL stderr output. |
| 503 | TSA not initialized — the signing certificate or config file is missing. Run scripts/mpca_init.sh. |
Technical Notes
- Implementation: The TSA backend calls
openssl ts -replywith a dedicated signing key and certificate. No external network access is required per request. - Policy OID
2.16.788.1.99.1.40: A private OID registered under the Meerkat test PKI namespace (2.16.788.1.99). It has no meaning outside of this testing environment. - Signing key: ECDSA P-256. The signing certificate is issued by the Meerkat MPCA TSA CA (P-384), which chains to the Meerkat MPCA Root CA. None of these CAs are trusted by any public root store.
- Serial numbers: Incrementing integer stored in
tsaserialon the server. Resets if the TSA is re-initialized. - Nonce: If the request includes a nonce, it is echoed verbatim in the
TSTInfo. Use a nonce to prevent replay attacks when the timestamp is used in a protocol. - certReq: When set to
TRUEin the request, the TSA signing certificate is included in theSignedData.certificatesfield of the response token, enabling offline verification without fetching the certificate separately. - Accepted digest algorithms: SHA-256 (
2.16.840.1.101.3.4.2.1), SHA-384 (2.16.840.1.101.3.4.2.2), SHA-512 (2.16.840.1.101.3.4.2.3). MD5 and SHA-1 are rejected. - RFC 3161 §2.1 compliance: The TSA sets
tsa_name = yes, so thetsafield inTSTInfoidentifies the TSA by its distinguished name. - CORS: The endpoint responds with
Access-Control-Allow-Origin: *to allow browser-based testing tools to call it directly.