
Timestamp service DFN-PKI


This page explains how to configure the DFN-PKI timestamp.

The timestamp lets a trusted entity (e.g., DFN-PKI) certify the state of a file at a specific point in time.

The DFN-PKI timestamp can be used for non-commercial purposes within the framework of the DFN statutes. A separate certificate is not required for this.

The timestamp server can be accessed via the following link (using the link in a browser is not possible!):

http://zeitstempel.dfn.de

The timestamp can be used in Adobe Acrobat, openssl (from version 1.0), or in components from Microsoft or Java. Additionally, the BouncyCastle libraries are available for Java and C#, and there is also BouncyCastlePP, a port of BouncyCastle for C++.

According to information from DFN, openssl (>= 1.1.xx) should work. To build openssl yourself, please proceed as follows:

cd ~
git clone https://github.com/openssl/openssl.git

cd openssl
./Configure linux-x86_64
./config --prefix=${HOME}/opt/openssl --openssldir=${HOME}/opt/openssl
make
make test
make install

export OPENSSL=${HOME}/opt/openssl
export C_INCLUDE_PATH=$OPENSSL/include
export LIBRARY_PATH=$OPENSSL/lib
export LD_LIBRARY_PATH=$LIBRARY_PATH:$LD_LIBRARY_PATH
export OPENSSL_PREFIX=${OPENSSL}

echo ${OPENSSL}
echo ${C_INCLUDE_PATH}
echo ${LD_LIBRARY_PATH}
echo ${OPENSSL_PREFIX}

${HOME}/opt/openssl/bin/openssl
OpenSSL> version
OpenSSL 1.1.1-pre5-dev  xx XXX xxxx
OpenSSL>
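# Use the self-built binary if it exists, otherwise the system openssl (no subshell, so the export persists)
if [[ -f ${HOME}/opt/openssl/bin/openssl ]]; then export MYOPENSSL="${HOME}/opt/openssl/bin/openssl"; else export MYOPENSSL="openssl"; fi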

Create an example file to be timestamped:

printf '%s\n' '#!/usr/bin/env bash' '' '#© by ra@rwth-aachen.de' '' " echo 'hello dfn timestamp world'" '' '#########' '# EOF' > dfn-timestamp-test.sh

chmod 750 dfn-timestamp-test.sh

./dfn-timestamp-test.sh
hello dfn timestamp world

Generate a "timestamp request":

${MYOPENSSL} ts -query -data dfn-timestamp-test.sh -cert -sha256 -no_nonce -out dfn-timestamp-test.tsq

Submit "timestamp request" to the timestamp server:

curl -s -S -k -H "Content-Type: application/timestamp-query" --data-binary @dfn-timestamp-test.tsq "http://zeitstempel.dfn.de" -o dfn-timestamp-test.tsr

Verify the timestamp:

wget https://pki.pca.dfn.de/dfn-ca-global-g2/pub/cacert/chain.txt

${MYOPENSSL} ts -verify -in dfn-timestamp-test.tsr -data dfn-timestamp-test.sh -CAfile chain.txt

${MYOPENSSL} ts -verify -queryfile dfn-timestamp-test.tsq -in dfn-timestamp-test.tsr -CAfile chain.txt

In case of an OpenSSL error "... time stamp routines: TS_CHECK_SIGNING_CERTS ...":

wget https://info.pca.dfn.de/doc/timestampverifier-latest.tar.gz
tar zxvf timestampverifier-latest.tar.gz
cd timestampverifier-1.1
sed -i 's/request=req.tsq/request=$1/' verify.sh
sed -i 's/java -cp/echo -e "\\n#############################################\\n\\n"\njava -cp/' verify.sh
./verify.sh ../dfn-timestamp-test.tsq

Here, you should see "Data in response matches data in request.":

${MYOPENSSL} ts -reply -in resp.tsr -text

Display the "timestamp response" in text form to check its contents:

openssl ts -reply -in dfn-timestamp-test.tsr -text

Status info:
Status: Granted.
Status description: Operation Okay
Failure info: unspecified
TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.22177.300.22.1
Hash Algorithm: sha256
Message data:
    0000 - 79 ae 3e 21 6f 52 92 ea-f0 00 78 73 fe 95 06 2b   y.>!oR....xs...+
    0010 - ce 0c 26 29 89 8f e2 62-dd 9c 06 a5 3a 1f b9 dc   ..&)...b....:...
Serial number: 0x840AA89C8C03C5373E2680B1A2F61CBE132EBBF1
Time stamp: Nov 30 08:50:24 2016 GMT
Accuracy: unspecified
Ordering: no
Nonce: unspecified
TSA: unspecified
Extensions:
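
The -queryfile check above compares the response with the request only, and the -text output shows which hash was actually stamped. As an added example (not part of the original guide; the function names are hypothetical), this script extracts that hash from the -text output and compares it with the SHA-256 of a local file. It checks content binding only and does not replace the signature check done by ts -verify.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide; function names are hypothetical.
# Checks content binding only; the signature still needs `openssl ts -verify`.

# stdin:  output of `openssl ts -reply -in FILE.tsr -text`
# stdout: the SHA-256 message imprint as one hex string; nothing unless the
#         status is "Granted." and the hash algorithm is sha256.
tsr_imprint() {
  awk '
    /^Status: Granted\./      { granted = 1 }
    /^Hash Algorithm: sha256/ { sha256 = 1 }
    /^Message data:/          { dump = 1; next }
    dump && /^ *[0-9a-f][0-9a-f][0-9a-f][0-9a-f] - / {
      hex = substr($0, index($0, " - ") + 3, 47)  # hex columns for 16 bytes
      gsub(/[^0-9a-f]/, "", hex)                  # drop spaces and the "-"
      out = out hex
      next
    }
    dump { dump = 0 }                             # first line after the dump
    END  { if (granted && sha256) print out }
  '
}

file_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# Usage: openssl ts -reply -in x.tsr -text | imprint_matches x
# Returns 0 only if the granted response carries the SHA-256 of the file.
imprint_matches() {
  [ -r "$1" ] || return 2
  want=$(file_sha256 "$1")
  got=$(tsr_imprint)
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Sample input: excerpt of the response text shown on this page.
SAMPLE_TEXT=$(cat <<'EOF'
Status: Granted.
Hash Algorithm: sha256
Message data:
    0000 - 79 ae 3e 21 6f 52 92 ea-f0 00 78 73 fe 95 06 2b   y.>!oR....xs...+
    0010 - ce 0c 26 29 89 8f e2 62-dd 9c 06 a5 3a 1f b9 dc   ..&)...b....:...
Serial number: 0x840AA89C8C03C5373E2680B1A2F61CBE132EBBF1
EOF
)
printf '%s\n' "$SAMPLE_TEXT" | tsr_imprint
```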


last changed on 02/06/2026

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License