RFC 3161-compliant timestamping. Every response embeds the full signing chain.
| Domain | Use |
|---|---|
| https://free.tsa.cnx.net.kh | Open use — no logging |
| https://<subscriber>.tsa.cnx.net.kh | Subscriber — sealed audit log, contact noc@cnx.net.kh |
Add this function to any shell script. Call `stamp <file>` after producing the file you want to timestamp. The token is written to `<file>.tsr`; the query is kept as `<file>.tsq` because the verify step needs it.

```bash
stamp() {
  # Build the RFC 3161 query (SHA-256 imprint; -cert asks the TSA to include
  # its certificate chain) and keep it: verification needs the query file.
  openssl ts -query -data "$1" -sha256 -cert -out "${1}.tsq" || return 1
  # POST the DER query; -f makes curl fail on HTTP errors so an error page is
  # never written to the token file.
  curl -sf -X POST -H "Content-Type: application/timestamp-query" \
    --data-binary "@${1}.tsq" https://free.tsa.cnx.net.kh -o "${1}.tsr"
}
stamp report.pdf
```
Every token embeds the full signing chain (signer → TSA intermediate → root CA). Extract the root CA from the token and verify its SPKI against the DNSSEC-signed DNS record.
```bash
# Extract the root CA from the token
# (assumes the root is the third certificate in the token's bundle)
openssl ts -reply -in response.tsr -token_out | \
  openssl pkcs7 -inform DER -print_certs | \
  awk '/-----BEGIN/{c++} c==3' > token-root-ca.pem
# Compute its SPKI fingerprint
openssl x509 -in token-root-ca.pem -pubkey -noout | \
  openssl pkey -pubin -outform DER | \
  openssl dgst -sha256
```
Compare against the authoritative SPKI in DNS (signed by DNSSEC):

```bash
dig +dnssec TXT _ca.cnx.net.kh
```

Expected root CA SPKI (sha256):

```
9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1
```
Once the root CA is verified, verify the timestamp chain:
```bash
openssl ts -verify \
  -in response.tsr \
  -queryfile request.tsq \
  -untrusted <(openssl ts -reply -in response.tsr -token_out | openssl pkcs7 -inform DER -print_certs) \
  -CAfile token-root-ca.pem
```
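The pin check above, scripted so it fails closed (added example, not part of the TSA documentation): `parse_spki_txt` reads the `v=spki1 sha256=<hex>` TXT record layout used on this page, `dgst_hex` normalises `openssl dgst` output, and `spki_pin_ok` compares the two offline; `check_token_root` is the live version and assumes, like the extraction step, that the root is the third certificate in the token bundle.

```bash
# Added example, not part of the TSA documentation.
# Assumes the TXT record uses the "v=spki1 sha256=<hex>" layout shown on this
# page, and that dig and openssl are on PATH for check_token_root.

# Extract the digest from a "v=spki1 sha256=<hex>" TXT record body, with or
# without dig's quotes. Prints lowercase hex; fails on a malformed record.
parse_spki_txt() {
  rec=$(printf '%s' "$1" | tr -d '"')
  case "$rec" in
    *v=spki1*sha256=*) ;;
    *) return 1 ;;
  esac
  hex=${rec##*sha256=}                       # text after the last sha256=
  hex=$(printf '%s' "${hex%% *}" | tr 'A-F' 'a-f')
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  [ ${#hex} -eq 64 ] || return 1
  printf '%s\n' "$hex"
}

# Reduce "openssl dgst -sha256" output ("SHA2-256(stdin)= <hex>" on OpenSSL 3,
# "(stdin)= <hex>" on 1.1) to bare lowercase hex.
dgst_hex() {
  printf '%s\n' "${1##*= }" | tr 'A-F' 'a-f'
}

# 0 when the token's root CA SPKI equals the DNS pin; 1 on mismatch or when
# either input is unusable. Runs offline, so it can be unit-tested.
spki_pin_ok() {
  expected=$(parse_spki_txt "$1") || return 1
  actual=$(dgst_hex "$2")
  [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Live check of a token file: root CA assumed to be the third certificate in
# the token bundle (as in the extraction step above), hashed and compared with
# the published record. Requires network access.
check_token_root() {
  record=$(dig +short TXT _ca.cnx.net.kh | head -n 1)
  spki=$(openssl ts -reply -in "$1" -token_out |
    openssl pkcs7 -inform DER -print_certs |
    awk '/-----BEGIN/{c++} c==3' |
    openssl x509 -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256)
  spki_pin_ok "$record" "$spki"
}
```

Run `check_token_root response.tsr && echo pinned` before the `openssl ts -verify` step; a non-zero exit means the root inside the token is not the one DNS publishes.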
| Field | Value |
|---|---|
| Root CA subject | CN=CNX Internal CA, O=Cambodia Network Exchange, C=KH |
| Root CA SPKI sha256 | 9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1 |
| DNS record | dig TXT _ca.cnx.net.kh |
| DNSSEC | signed — validate with +dnssec |
| TSA intermediate subject | /C=KH/O=Cambodia Network Exchange/CN=CNX TSA Intermediate CA |
```
_ca.cnx.net.kh. 3600 IN TXT "v=spki1 sha256=9b9bf33f16e83c4302712dd1661da46bbe037c4df705176a1232f90efed87ca1"
```
This record will be added to the cnx.net.kh zone when DNS migrates to git.