Digital trust is a public good. Not a privilege.
Open TSA provides free, open-source RFC 3161 timestamp infrastructure for Europe — so that any developer, researcher, NGO, or startup can build on a solid trust foundation without cost or lock-in.
Why this exists
A trusted timestamp is not an end product — it is infrastructure. Every system building document signing, code signing, audit trails, or identity verification needs a TSA as a foundational component.
Today, that component is either expensive (commercial TSAs cost €200–1,000+/year) or unreliable (the dominant free service is operated by a single private individual with no open-source code and no redundancy).
"Digital freedom requires open infrastructure. Cryptographic trust should not be a privilege of those who can afford it."
Open TSA fills this gap. We lower the barrier to entry for an entire class of European security projects to zero.
Built for the long term
Root keys are kept offline. All source code is published under the MIT license.
How RFC 3161 timestamping works
Your document never leaves your system. Only a cryptographic hash is sent to our server — we never see your content.
Hash your document
A SHA-256 (or SHA-384/512) hash of your document is computed locally. The document itself is never transmitted.
Request a timestamp
The hash is sent as an RFC 3161 TimeStampRequest to tsr.open-tsa.eu. Our server signs it with the current time and returns a TimeStampResponse.
Verify anytime
The response proves that your document existed in its exact form at that specific moment in time. Verification works offline, forever.
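What the request in these steps actually carries, as an added example (not Open TSA's or OpenSSL's code): it builds a DER TimeStampReq with the fields that `openssl ts -query -cert -sha256 -no_nonce` sets, and parses one back so you can confirm that only the hash is inside. The function names and the sample input in the comments are assumptions made for illustration.

```python
import hashlib

# DER-encoded OIDs (2.16.840.1.101.3.4.2.x) for the hashes the page lists.
HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),
    "sha384": bytes.fromhex("0609608648016503040202"),
    "sha512": bytes.fromhex("0609608648016503040203"),
}

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first & 0x80:  # long-form length
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def build_timestamp_request(document: bytes, algo="sha256", cert_req=True) -> bytes:
    """TimeStampReq: version 1, MessageImprint, no nonce, optional certReq."""
    digest = hashlib.new(algo, document).digest()         # computed locally
    alg_id = der(0x30, HASH_OIDS[algo] + der(0x05, b""))  # OID + NULL params
    imprint = der(0x30, alg_id + der(0x04, digest))       # MessageImprint
    body = der(0x02, b"\x01") + imprint                   # INTEGER v1
    if cert_req:
        body += der(0x01, b"\xff")                        # BOOLEAN TRUE
    return der(0x30, body)

def message_imprint(tsq: bytes):
    """Extract (algorithm, digest) from a request, e.g. to audit req.tsq."""
    _, body, _ = read_tlv(tsq, 0)           # outer TimeStampReq SEQUENCE
    _, _, pos = read_tlv(body, 0)           # skip version
    _, imprint, _ = read_tlv(body, pos)     # MessageImprint SEQUENCE
    _, alg_id, pos = read_tlv(imprint, 0)   # AlgorithmIdentifier
    _, digest, _ = read_tlv(imprint, pos)   # hashedMessage OCTET STRING
    for name, oid in HASH_OIDS.items():
        if alg_id.startswith(oid):
            return name, digest
    raise ValueError("unknown hash algorithm")
```

A SHA-256 request built this way is 59 bytes regardless of document size; `message_imprint` can also be pointed at the bytes of an existing `req.tsq` to see which digest it carries.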
Get started in 60 seconds
# Step 1: Download CA certificates (once)
curl -s https://open-tsa.eu/certs/ca.crt -o ca.crt
curl -s https://open-tsa.eu/certs/fullchain.pem -o fullchain.pem

# Step 2: Timestamp your document
openssl ts -query -data document.pdf -cert -sha256 -no_nonce -out req.tsq
curl -s -S -H "Content-Type: application/timestamp-query" \
     --data-binary @req.tsq https://tsr.open-tsa.eu -o resp.tsr

# Step 3: Verify
openssl ts -verify -in resp.tsr -queryfile req.tsq \
     -CAfile ca.crt -untrusted fullchain.pem

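const fs = require('fs');
const os = require('os');
const path = require('path');
const { execFile } = require('child_process');
const { promisify } = require('util');

const execAsync = promisify(execFile);

async function timestamp(filePath) {
  // Private temp directory instead of a predictable file name in shared /tmp
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ts-'));
  const tsq = path.join(dir, 'req.tsq');
  try {
    // Build the RFC 3161 request locally; it contains only the SHA-256 hash
    await execAsync('openssl', [
      'ts', '-query', '-data', filePath,
      '-cert', '-sha256', '-no_nonce', '-out', tsq
    ]);
    const response = await fetch('https://tsr.open-tsa.eu', {
      method: 'POST',
      headers: { 'Content-Type': 'application/timestamp-query' },
      body: fs.readFileSync(tsq),
    });
    if (!response.ok) {
      throw new Error(`TSA ${response.status}`);
    }
    // DER-encoded TimeStampResponse
    return Buffer.from(await response.arrayBuffer());
  } finally {
    // Remove the request file whether or not the call succeeded
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
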
import os
import requests
import subprocess
import tempfile

def timestamp(file_path: str) -> bytes:
    # Reserve a private temp file name for the request
    with tempfile.NamedTemporaryFile(suffix=".tsq", delete=False) as f:
        tsq = f.name
    try:
        # Build the RFC 3161 request locally; it contains only the SHA-256 hash
        subprocess.run([
            "openssl", "ts", "-query", "-data", file_path,
            "-cert", "-sha256", "-no_nonce", "-out", tsq
        ], check=True, capture_output=True)
        with open(tsq, "rb") as f:
            data = f.read()
        r = requests.post(
            "https://tsr.open-tsa.eu",
            data=data,
            headers={"Content-Type": "application/timestamp-query"},
            timeout=15
        )
        r.raise_for_status()
        # DER-encoded TimeStampResponse
        return r.content
    finally:
        # Remove the request file whether or not the call succeeded
        os.unlink(tsq)

# Drop-in replacement for any RFC 3161 TSA
TSA_URL=https://tsr.open-tsa.eu
TSA_CA_URL=https://open-tsa.eu/certs/ca.crt
TSA_FULLCHAIN_URL=https://open-tsa.eu/certs/fullchain.pem

# API info
OPEN_TSA_INFO_URL=https://open-tsa.eu/info

Full documentation → open-tsa.eu/docs/
GET https://open-tsa.eu/now — returns JSON with ISO-8601, Unix epoch, and RFC 2822 format. Built for AI agents and distributed systems. No auth, CORS-enabled. For cryptographic proof, use POST https://tsr.open-tsa.eu (RFC 3161).
CA Certificates
Download the CA certificates once to verify timestamps offline. They must be supplied explicitly because our root CA is not yet in public trust stores.
Roadmap
Free public TSA
RFC 3161 compliant endpoint live in Germany. 4-tier CA hierarchy. Open-source code on GitHub.
● Live
Multi-region + Sub-CA
Redundant nodes in Helsinki + Falkenstein. GeoDNS failover. Sub-CA under HARICA for automatic trust in all major browsers.
Planned
Open CA family
Expand open-ca.eu to cover document signing and TLS. Apply for Mozilla root program inclusion.
Roadmap
Support open infrastructure
Open TSA is free for everyone, forever. No ads, no tracking, no investor pressure. Running this infrastructure costs money — every contribution keeps it alive and independent.