# Qualified Timestamps (QTSA)

# Introduction

Signicat offers Qualified Timestamping Authority (QTSA) services which can be used for issuing a qualified timestamp and binding that timestamp to a data object.

The most common use cases are the timestamping of signed documents and the timestamping of documents that are stored in an archive.

# Key security features

Qualified Timestamping Authority services can only be operated by a Qualified Trust Service Provider (QTSP) (opens new window) and require annual audits by internationally accredited third-party auditors. This ensures that qualified timestamps are non-repudiable.

Qualified timestamps do not contain sensitive data and are therefore not subject to the General Data Protection Regulation (GDPR) (opens new window).

A timestamping service does not require any electronic identity (eID) and does not hold any GDPR-related data.

The object to be timestamped does not leave your infrastructure. You only pass a SHA256 hash of the data object to be timestamped to the timestamping authority (TSA), not the data object itself.

# Process overview

# Generating a timestamp

To generate a timestamp using Signicat's Qualified Timestamping Authority services, follow these steps:

  1. Have your data object ready. This can be a file of any type, such as a PDF or an image file.
  2. Generate a cryptographic hash of the file or text you want to timestamp. The hashing algorithm will need to be SHA256.
  3. Send this hash to the TSA, which retrieves the correct time from trusted time sources and builds a Signed Data Object (SDO) in the form of a .tsr file.
  4. The timestamp has been generated. The SDO can be kept inside the document (this is the case for electronic signatures), but it can also be kept as a separate object.

The following diagram illustrates the generation of a timestamp: Timestamp generation click-to-zoom

# Validating a timestamp

To validate a timestamp, follow these steps:

  1. Have your original data object ready.
  2. Take another SHA256 hash of the data object. In our example, this is done by openssl verify.
  3. Provide the timestamp object (SDO) and the public key certificate of the QTSA for verification. The .pem file that contains the certificate to be used is available for download in the Validating a timestamp (example) section on this page.
  4. If the document has not been modified, you will receive a positive validation response. Note that the validation does not use the timestamping engine. You can use a service such as openssl verify.

The following diagram illustrates the validation of a timestamp: Timestamp validation click-to-zoom

# Accessing Signicat's QTSA service

To get started with Signicat's QTSA service, contact us at support@signicat.com.

Once you have signed a contract with Signicat and have provided the necessary information, you will be able to access the TSA service at https://tsa.signicat.com/tsaproxy/.

Access to the service works in accordance with the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (RFC3161) (opens new window), which is the common way of accessing any TSA service. Most programming languages have support for RFC3161 through open source libraries.


The interface is the same for both TSA and QTSA. It is common to use a free TSA for testing and then move to the QTSA in production.

# Examples of timestamp generation and validation

To run these examples, you will need to have OpenSSL (opens new window) and cURL (opens new window) installed on you computer.

# Generating a timestamp (example)

  1. Generate a timestamp query file (.tsq) that includes a hash of the data to be timestamped. The example below uses OpenSSL for this operation.
  2. Send the query file to the TSA.
  3. The TSA produces a signed timestamp response file (.tsr). Most commonly, this file will be about 1 kB in size and it will be signed and secured in such a way that it cannot be modified.
#Generate request file based on Example.xlsx
echo "Generating .tsq file (query file with hash)"
openssl ts -query -data anyfile -cert -sha256 -no_nonce -out Exampleqtsa.tsq
echo ""
echo "Generating Timestamp into Eaxmpleqtsa.tsr file"
curl -v -s -S -H 'Content-Type: application/timestamp-query' --data-binary @Exampleqtsa.tsq 'https://tsa.signicat.com/tsaproxy/' -o Exampleqtsa.tsr

# Validating a timestamp (example)

Validation of a timestamp requires:

  • The timestamp object (.tsr file)
  • The public key certificate, contained in a .pem file. The public key certificate for Signicat's QTSA is available through the EU Trust Services Dashboard (opens new window). You can find the .pem file that contains the certificate here:

The example below uses OpenSSL to verify the public key certificate.

#Generate request file based on Example.xlsx

echo ""
echo "Validate"
openssl ts -verify -data anyfile -in Exampleqtsa.tsr -CAfile signicat_public_key_certificate.pem
echo ""
echo "Dump of timestamp data"
openssl ts -reply -in Exampleqtsa.tsr -text
Last updated: 20/12/2023 09:45 UTC