CNX Time Stamping Authority

RFC 3161 compliant timestamping. Every response embeds the full signing chain.

Endpoints

Domain                               Use
https://free.tsa.cnx.net.kh          Open use — no logging
https://<subscriber>.tsa.cnx.net.kh  Subscriber — sealed audit log, contact noc@cnx.net.kh

Create a timestamp

Add this function to any shell script. Call stamp <file> after producing the file you want to timestamp. The request is saved to <file>.tsq and the token to <file>.tsr; keep both, because verification with -queryfile needs the request (it carries the nonce). Check the function's exit status: curl -f fails silently on an HTTP error and leaves no .tsr. The verification steps below refer to these files by the generic names request.tsq and response.tsr.

stamp() {
  # Build an RFC 3161 request over the SHA-256 of the file (-cert asks the TSA
  # to include its certificate chain in the token), keep a copy of the request
  # for later verification with -queryfile, and POST it to the open endpoint.
  openssl ts -query -data "$1" -sha256 -cert | tee "${1}.tsq" | \
    curl -sf -X POST -H "Content-Type: application/timestamp-query" \
      --data-binary @- https://free.tsa.cnx.net.kh -o "${1}.tsr"
}

stamp report.pdf

Verify a timestamp

Every token embeds the full signing chain (signer → TSA intermediate → root CA). The root inside the token is not trustworthy by itself, since an attacker who controls the response controls the embedded chain. Extract the root CA from the token and verify its SPKI against the DNSSEC-signed DNS record; only a match makes it a trust anchor.

# Extract the root CA from the token. The awk picks the third certificate in
# the bundle, which relies on the TSA emitting the chain in the order above;
# if in doubt, select the self-signed certificate (subject == issuer) instead.
openssl ts -reply -in response.tsr -token_out | \
  openssl pkcs7 -inform DER -print_certs | \
  awk '/-----BEGIN/{c++} c==3' > token-root-ca.pem

# Compute its SPKI fingerprint: SHA-256 over the DER SubjectPublicKeyInfo.
# openssl dgst prints "SHA2-256(stdin)= <hex>" (or "(stdin)= <hex>" on 1.1);
# only the hex part is compared.
openssl x509 -in token-root-ca.pem -pubkey -noout | \
  openssl pkey -pubin -outform DER | \
  openssl dgst -sha256

Compare against the authoritative SPKI in DNS. The record is DNSSEC-signed, but +dnssec by itself only requests the RRSIG records; validation has to be done by a validating resolver (for example a local unbound), and the answer counts only if the flags line of the reply shows ad (authenticated data):

# Expect ";; flags: qr rd ra ad;" in the reply; without "ad" the answer is unvalidated.
dig +dnssec TXT _ca.cnx.net.kh

Expected root CA SPKI (sha256):

9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1

Once the root CA's SPKI matches the DNS pin, verify the token against the request and the chain. Trust in token-root-ca.pem comes only from that match: the file was extracted from the token itself, so running this step without the pin check would accept whatever root the response carries. -queryfile checks both the message imprint and the nonce; if the request was not kept, use -data <file> instead, which checks the imprint only. The <( ) process substitution requires bash.

openssl ts -verify \
  -in response.tsr \
  -queryfile request.tsq \
  -untrusted <(openssl ts -reply -in response.tsr -token_out | openssl pkcs7 -inform DER -print_certs) \
  -CAfile token-root-ca.pem
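The steps above as one fail-closed script. This is an added example, not code from the CNX page: it pins the self-signed root found in the token (by subject == issuer rather than by position), insists on the ad flag in the DNS reply, and only then hands that root to openssl ts -verify. It assumes openssl (1.1 or 3.x) and dig on PATH and a DNSSEC-validating resolver in /etc/resolv.conf. The record name _ca.cnx.net.kh comes from the page; the function names, the PIN_OVERRIDE environment variable (for use until the TXT record is published), and the dig output format it parses are the example's own assumptions.

```shell
#!/bin/sh
# verify_tsr.sh: added example, not code from the CNX page. Pins the root CA
# carried inside an RFC 3161 token to the SPKI published in DNS and only then
# runs openssl ts -verify with that root as the trust anchor.
# Assumes: openssl (1.1 or 3.x) and dig on PATH, a DNSSEC-validating resolver
# in /etc/resolv.conf. PIN_RECORD comes from the page; PIN_OVERRIDE is this
# example's own hypothetical knob for use until the TXT record is published.
set -eu

PIN_RECORD="_ca.cnx.net.kh"

# Parse the rdata of a 'v=spki1 sha256=<hex>' TXT record (quotes as printed by
# dig are tolerated) and print the 64-hex-digit digest in lowercase.
parse_spki_txt() {
  local rdata hex field
  rdata=$(printf '%s' "$1" | tr -d '"')
  case "$rdata" in v=spki1*) ;; *) return 1 ;; esac
  hex=""
  for field in $rdata; do
    case "$field" in sha256=*) hex=${field#sha256=} ;; esac
  done
  hex=$(printf '%s' "$hex" | tr 'A-F' 'a-f')
  printf '%s' "$hex" | grep -Eq '^[0-9a-f]{64}$' || return 1
  printf '%s\n' "$hex"
}

# Case-insensitive fingerprint comparison (public values, timing irrelevant).
pins_match() {
  [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Take the full text output of 'dig +dnssec TXT $PIN_RECORD', insist on the ad
# flag (set by a validating resolver only after DNSSEC validation succeeded),
# and print the pinned digest. +dnssec alone merely asks for RRSIGs.
pin_from_dig_output() {
  local rdata
  printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]' || {
    echo "DNSSEC: answer not validated (no ad flag)" >&2; return 1; }
  rdata=$(printf '%s\n' "$1" | awk -v n="$PIN_RECORD." \
    '$1 == n && $4 == "TXT" { for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }')
  parse_spki_txt "$rdata"
}

dns_pin() {
  pin_from_dig_output "$(dig +dnssec TXT "$PIN_RECORD")"
}

# Print the self-signed certificate (subject == issuer) from a PEM bundle,
# whatever position the TSA put it in, instead of trusting chain order.
root_from_bundle() {
  local dir cert
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERT/ { n++; f = d "/" n ".pem" }
                   f { print > f }
                   /-----END CERT/ { close(f); f = "" }' "$1"
  for cert in "$dir"/*.pem; do
    if [ "$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')" = \
         "$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')" ]; then
      cat "$cert"; rm -rf "$dir"; return 0
    fi
  done
  rm -rf "$dir"; return 1
}

# SHA-256 over the DER SubjectPublicKeyInfo, hex only (-r gives coreutils style).
spki_sha256() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

verify_tsr() {
  local tsr="$1" tsq="$2" bundle root got want
  bundle=$(mktemp); root=$(mktemp)
  openssl ts -reply -in "$tsr" -token_out | openssl pkcs7 -inform DER -print_certs > "$bundle"
  root_from_bundle "$bundle" > "$root"
  got=$(spki_sha256 "$root")
  want=${PIN_OVERRIDE:-$(dns_pin)}
  pins_match "$got" "$want" || {
    echo "root SPKI $got does not match pin $want; refusing to trust token" >&2
    rm -f "$bundle" "$root"; return 1; }
  # Only now does the in-token root deserve to be -CAfile. -queryfile also
  # checks the nonce; use -data <file> instead if the request was not kept.
  openssl ts -verify -in "$tsr" -queryfile "$tsq" -untrusted "$bundle" -CAfile "$root"
  rm -f "$bundle" "$root"
}

if [ $# -eq 2 ]; then verify_tsr "$1" "$2"; fi
```

Usage: `./verify_tsr.sh report.pdf.tsr report.pdf.tsq`, or, while the DNS record is not yet published, `PIN_OVERRIDE=9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1 ./verify_tsr.sh report.pdf.tsr report.pdf.tsq`. The ad flag is only as good as the path to the resolver: run a validating resolver on localhost, since a stub resolver talking to an untrusted upstream over plain UDP can be told anything, ad flag included.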

Trust anchor

Field                     Value
Root CA subject           CN=CNX Internal CA, O=Cambodia Network Exchange, C=KH
Root CA SPKI sha256       9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1
DNS record                dig TXT _ca.cnx.net.kh
DNSSEC                    signed; query through a validating resolver and check the ad flag
TSA intermediate subject  /C=KH/O=Cambodia Network Exchange/CN=CNX TSA Intermediate CA

DNS TXT record (_ca.cnx.net.kh)

_ca.cnx.net.kh. 3600 IN TXT "v=spki1 sha256=9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1"

This record will be added to the cnx.net.kh zone when DNS migrates to git. Until it is published, the dig query above returns no answer and the SPKI printed on this page is the only pin available; a verification script should fail closed in that case rather than fall back to the root embedded in the token.