Hi all,
I am using the latest binary release and got the default set-up working (using your example keystores and everything now). I also found this page to help with this problem and that is what I will address.
https://www.signserver.org/doc/current/manual/plugins.html#Time-stamp_Signer
I have questions about three of these parameters. First, the accuracy setting. I know that the ACCURACY can be only whole numbers and only one present, but it doesn't seem to change the time accuracy of the produced time stamp. I noticed up to 4 bytes of size difference in the TS response, but the time displayed is still the same (full seconds and nothing smaller or bigger) no matter how I look at or set the parameter(s).
Second, the TSA parameter. What can I put in there for it to work? According to the description, it should contain the full name of the TSA, but even one simple English word does not work. As a workaround I use TSA_FROM_CERT, but I am curious how to set it up.
Third, and last, in the beginning you claim that the TimeStampSigner supports an option to include the certificate chain (without CRLs). What is the name of the parameter for that? I read the description of all of them and none seems to help with that. REQUIREVALIDCHAIN doesn't change anything at all for me either.
Thanks in advance for any help on this matter.
Last edit: Petr Vsetecka 2017-10-16
Hi Petr,
1) Accuracy:
This is a way to "represents the time deviation around the UTC" that the TSA is guaranteeing. See RFC 3161, page 9, for more description.
2) TSA:
"MUST correspond to one of the subject names included in the certificate that is to be used to verify the token."
So unless you use TSA_FROM_CERT, which handles this for you, you need to check in the certificate what subject DN you have. Something like "CN=Time-stamp Signer 1,O=My organization,C=SE".
3) The client includes a flag in the request (certReq) if it wants the certificates to be included with the response. If it does that, then the certificates from the certificate chain property are used.
Cheers,
Markus
PrimeKey Solutions
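The certReq flag from point 3 of the answer above, as an added example that is not part of the original posts or of SignServer: it DER-encodes an RFC 3161 TimeStampReq with Python's standard library and reads the flag back. The function names and the sample data are assumptions made for this illustration.

```python
import hashlib

def tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

# AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG = tlv(0x30, bytes.fromhex("0609608648016503040201") + b"\x05\x00")

def build_timestamp_req(data, cert_req, nonce=None):
    """Hypothetical helper: DER TimeStampReq (RFC 3161, section 2.4.1)."""
    imprint = tlv(0x30, SHA256_ALG + tlv(0x04, hashlib.sha256(data).digest()))
    body = tlv(0x02, b"\x01") + imprint      # version v1, then messageImprint
    if nonce is not None:                    # non-negative INTEGER, minimal length
        body += tlv(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    if cert_req:                             # DEFAULT FALSE: DER omits it when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give length size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def cert_req_flag(req):
    """True if the request asks the TSA to include its certificates."""
    tag, body, _ = read_tlv(req, 0)
    if tag != 0x30:
        raise ValueError("not a TimeStampReq SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x01:                      # the only top-level BOOLEAN is certReq
            return value != b"\x00"
    return False                             # field absent means FALSE

if __name__ == "__main__":
    sample = b"constructed sample document"  # constructed input, not real data
    for want in (False, True):
        req = build_timestamp_req(sample, want, nonce=0x1122334455667788)
        print(want, cert_req_flag(req), req.hex())
```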
Hi Markus,
and as always, thank you for good answers. All is clear, I didn't read the RFC properly (shame on me).
However, now that I am a little bit smarter, I would like to ask about the "precision" of the GeneralizedTime included within the timestamp. Can that be configured, or does SignServer follow the recommendation of using whole seconds to the T?
Best regards,
Petr