Lines Matching +full:timestamp +full:- +full:names
133 .IX Title "OPENSSL-TS 1ossl"
134 .TH OPENSSL-TS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-ts \- Time Stamping Authority command
144 \&\fB\-help\fR
147 \&\fB\-query\fR
148 [\fB\-config\fR \fIconfigfile\fR]
149 [\fB\-data\fR \fIfile_to_hash\fR]
150 [\fB\-digest\fR \fIdigest_bytes\fR]
151 [\fB\-\f(BIdigest\fB\fR]
152 [\fB\-tspolicy\fR \fIobject_id\fR]
153 [\fB\-no_nonce\fR]
154 [\fB\-cert\fR]
155 [\fB\-in\fR \fIrequest.tsq\fR]
156 [\fB\-out\fR \fIrequest.tsq\fR]
157 [\fB\-text\fR]
158 [\fB\-rand\fR \fIfiles\fR]
159 [\fB\-writerand\fR \fIfile\fR]
160 [\fB\-provider\fR \fIname\fR]
161 [\fB\-provider\-path\fR \fIpath\fR]
162 [\fB\-propquery\fR \fIpropq\fR]
165 \&\fB\-reply\fR
166 [\fB\-config\fR \fIconfigfile\fR]
167 [\fB\-section\fR \fItsa_section\fR]
168 [\fB\-queryfile\fR \fIrequest.tsq\fR]
169 [\fB\-passin\fR \fIpassword_src\fR]
170 [\fB\-signer\fR \fItsa_cert.pem\fR]
171 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
172 [\fB\-\f(BIdigest\fB\fR]
173 [\fB\-chain\fR \fIcerts_file.pem\fR]
174 [\fB\-tspolicy\fR \fIobject_id\fR]
175 [\fB\-in\fR \fIresponse.tsr\fR]
176 [\fB\-token_in\fR]
177 [\fB\-out\fR \fIresponse.tsr\fR]
178 [\fB\-token_out\fR]
179 [\fB\-text\fR]
180 [\fB\-engine\fR \fIid\fR]
181 [\fB\-provider\fR \fIname\fR]
182 [\fB\-provider\-path\fR \fIpath\fR]
183 [\fB\-propquery\fR \fIpropq\fR]
186 \&\fB\-verify\fR
187 [\fB\-data\fR \fIfile_to_hash\fR]
188 [\fB\-digest\fR \fIdigest_bytes\fR]
189 [\fB\-queryfile\fR \fIrequest.tsq\fR]
190 [\fB\-in\fR \fIresponse.tsr\fR]
191 [\fB\-token_in\fR]
192 [\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR]
193 [\fB\-CAfile\fR \fIfile\fR]
194 [\fB\-CApath\fR \fIdir\fR]
195 [\fB\-CAstore\fR \fIuri\fR]
196 [\fB\-allow_proxy_certs\fR]
197 [\fB\-attime\fR \fItimestamp\fR]
198 [\fB\-no_check_time\fR]
199 [\fB\-check_ss_sig\fR]
200 [\fB\-crl_check\fR]
201 [\fB\-crl_check_all\fR]
202 [\fB\-explicit_policy\fR]
203 [\fB\-extended_crl\fR]
204 [\fB\-ignore_critical\fR]
205 [\fB\-inhibit_any\fR]
206 [\fB\-inhibit_map\fR]
207 [\fB\-partial_chain\fR]
208 [\fB\-policy\fR \fIarg\fR]
209 [\fB\-policy_check\fR]
210 [\fB\-policy_print\fR]
211 [\fB\-purpose\fR \fIpurpose\fR]
212 [\fB\-suiteB_128\fR]
213 [\fB\-suiteB_128_only\fR]
214 [\fB\-suiteB_192\fR]
215 [\fB\-trusted_first\fR]
216 [\fB\-no_alt_chains\fR]
217 [\fB\-use_deltas\fR]
218 [\fB\-auth_level\fR \fInum\fR]
219 [\fB\-verify_depth\fR \fInum\fR]
220 [\fB\-verify_email\fR \fIemail\fR]
221 [\fB\-verify_hostname\fR \fIhostname\fR]
222 [\fB\-verify_ip\fR \fIip\fR]
223 [\fB\-verify_name\fR \fIname\fR]
224 [\fB\-x509_strict\fR]
225 [\fB\-issuer_checks\fR]
226 [\fB\-provider\fR \fIname\fR]
227 [\fB\-provider\-path\fR \fIpath\fR]
228 [\fB\-propquery\fR \fIpropq\fR]
231 This command is a basic Time Stamping Authority (\s-1TSA\s0) client and
232 server application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
233 \&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
237 The \s-1TSA\s0 client computes a one-way hash value for a data file and sends
238 the hash to the \s-1TSA.\s0
240 The \s-1TSA\s0 attaches the current date and time to the received hash value,
241 signs them and sends the timestamp token back to the client. By
242 creating this token the \s-1TSA\s0 certifies the existence of the original
245 The \s-1TSA\s0 client receives the timestamp token and verifies the
247 value that it had sent to the \s-1TSA.\s0
249 There is one \s-1DER\s0 encoded protocol data unit defined for transporting a
250 timestamp request to the \s-1TSA\s0 and one for sending the timestamp response
252 creating a timestamp request based on a data file,
253 creating a timestamp response based on a request, verifying if a
257 over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the
258 requests either by ftp or e\-mail.
261 .IP "\fB\-help\fR" 4
262 .IX Item "-help"
264 .IP "\fB\-query\fR" 4
265 .IX Item "-query"
266 Generate a \s-1TS\s0 query. For details see \*(L"Timestamp Request generation\*(R".
267 .IP "\fB\-reply\fR" 4
268 .IX Item "-reply"
269 Generate a \s-1TS\s0 reply. For details see \*(L"Timestamp Response generation\*(R".
270 .IP "\fB\-verify\fR" 4
271 .IX Item "-verify"
272 Verify a \s-1TS\s0 response. For details see \*(L"Timestamp Response verification\*(R".
273 .SS "Timestamp Request generation"
274 .IX Subsection "Timestamp Request generation"
275 The \fB\-query\fR command can be used for creating and printing a timestamp
277 .IP "\fB\-config\fR \fIconfigfile\fR" 4
278 .IX Item "-config configfile"
281 see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
282 .IP "\fB\-data\fR \fIfile_to_hash\fR" 4
283 .IX Item "-data file_to_hash"
284 The data file for which the timestamp request needs to be
285 created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
287 .IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
288 .IX Item "-digest digest_bytes"
294 .IP "\fB\-\f(BIdigest\fB\fR" 4
295 .IX Item "-digest"
297 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
298 The default is \s-1SHA\-256.\s0 (Optional)
299 .IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
300 .IX Item "-tspolicy object_id"
301 The policy that the client expects the \s-1TSA\s0 to use for creating the
302 timestamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined
303 in the config file can be used. If no policy is requested the \s-1TSA\s0 will
305 .IP "\fB\-no_nonce\fR" 4
306 .IX Item "-no_nonce"
308 given. Otherwise a 64 bit long pseudo-random nonce is
310 protect against replay-attacks. (Optional)
311 .IP "\fB\-cert\fR" 4
312 .IX Item "-cert"
313 The \s-1TSA\s0 is expected to include its signing certificate in the
315 .IP "\fB\-in\fR \fIrequest.tsq\fR" 4
316 .IX Item "-in request.tsq"
317 This option specifies a previously created timestamp request in \s-1DER\s0
319 to examine the content of a request in human-readable
321 .IP "\fB\-out\fR \fIrequest.tsq\fR" 4
322 .IX Item "-out request.tsq"
325 .IP "\fB\-text\fR" 4
326 .IX Item "-text"
327 If this option is specified the output is human-readable text format
328 instead of \s-1DER.\s0 (Optional)
329 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
330 .IX Item "-rand files, -writerand file"
332 .SS "Timestamp Response generation"
333 .IX Subsection "Timestamp Response generation"
334 A timestamp response (TimeStampResp) consists of a response status
335 and the timestamp token itself (ContentInfo), if the token generation was
336 successful. The \fB\-reply\fR command is for creating a timestamp
337 response or timestamp token based on a request and printing the
338 response/token in human-readable format. If \fB\-token_out\fR is not
339 specified the output is always a timestamp response (TimeStampResp),
340 otherwise it is a timestamp token (ContentInfo).
341 .IP "\fB\-config\fR \fIconfigfile\fR" 4
342 .IX Item "-config configfile"
345 see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
346 See \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for configurable variables.
347 .IP "\fB\-section\fR \fItsa_section\fR" 4
348 .IX Item "-section tsa_section"
350 response generation. If not specified the default \s-1TSA\s0 section is
351 used, see \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for details. (Optional)
352 .IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
353 .IX Item "-queryfile request.tsq"
354 The name of the file containing a \s-1DER\s0 encoded timestamp request. (Optional)
355 .IP "\fB\-passin\fR \fIpassword_src\fR" 4
356 .IX Item "-passin password_src"
357 Specifies the password source for the private key of the \s-1TSA.\s0 See
359 .IP "\fB\-signer\fR \fItsa_cert.pem\fR" 4
360 .IX Item "-signer tsa_cert.pem"
361 The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
366 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
367 .IX Item "-inkey filename|uri"
368 The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the
370 .IP "\fB\-\f(BIdigest\fB\fR" 4
371 .IX Item "-digest"
374 .IP "\fB\-chain\fR \fIcerts_file.pem\fR" 4
375 .IX Item "-chain certs_file.pem"
376 The collection of certificates in \s-1PEM\s0 format that will all
378 the \fB\-cert\fR option was used for the request. This file is supposed to
380 issuer upwards. The \fB\-reply\fR command does not build a certificate
382 .IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
383 .IX Item "-tspolicy object_id"
385 explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified
388 .IP "\fB\-in\fR \fIresponse.tsr\fR" 4
389 .IX Item "-in response.tsr"
390 Specifies a previously created timestamp response or timestamp token
391 (if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written
394 token or you want to extract the timestamp token from a response. If
395 the input is a token and the output is a timestamp response a default
397 .IP "\fB\-token_in\fR" 4
398 .IX Item "-token_in"
399 This flag can be used together with the \fB\-in\fR option and indicates
400 that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
401 of a timestamp response (TimeStampResp). (Optional)
402 .IP "\fB\-out\fR \fIresponse.tsr\fR" 4
403 .IX Item "-out response.tsr"
405 file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
407 .IP "\fB\-token_out\fR" 4
408 .IX Item "-token_out"
409 The output is a timestamp token (ContentInfo) instead of timestamp
411 .IP "\fB\-text\fR" 4
412 .IX Item "-text"
413 If this option is specified the output is human-readable text format
414 instead of \s-1DER.\s0 (Optional)
415 .IP "\fB\-engine\fR \fIid\fR" 4
416 .IX Item "-engine id"
419 .IP "\fB\-provider\fR \fIname\fR" 4
420 .IX Item "-provider name"
422 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
423 .IX Item "-provider-path path"
424 .IP "\fB\-propquery\fR \fIpropq\fR" 4
425 .IX Item "-propquery propq"
428 .SS "Timestamp Response verification"
429 .IX Subsection "Timestamp Response verification"
430 The \fB\-verify\fR command is for verifying if a timestamp response or
431 timestamp token is valid and matches a particular timestamp request or
432 data file. The \fB\-verify\fR command does not use the configuration file.
433 .IP "\fB\-data\fR \fIfile_to_hash\fR" 4
434 .IX Item "-data file_to_hash"
437 The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
439 .IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
440 .IX Item "-digest digest_bytes"
443 specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
445 .IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
446 .IX Item "-queryfile request.tsq"
447 The original timestamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR
449 .IP "\fB\-in\fR \fIresponse.tsr\fR" 4
450 .IX Item "-in response.tsr"
451 The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandatory)
452 .IP "\fB\-token_in\fR" 4
453 .IX Item "-token_in"
454 This flag can be used together with the \fB\-in\fR option and indicates
455 that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
456 of a timestamp response (TimeStampResp). (Optional)
457 .IP "\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR" 4
458 .IX Item "-untrusted files|uris"
460 needed when building the certificate chain for the \s-1TSA\s0's signing certificate.
461 These do not need to contain the \s-1TSA\s0 signing certificate and intermediate \s-1CA\s0
467 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-CAstore\fR \fIuri\fR" 4
468 .IX Item "-CAfile file, -CApath dir, -CAstore uri"
469 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
470 At least one of \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR must be specified.
471 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
472 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
474 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
479 The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file.
482 \&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section
483 and it can work without it. However, the \fB\-reply\fR command needs the
491 that contains all the options for the \fB\-reply\fR command. This default
492 section can be overridden with the \fB\-section\fR command line switch. (Optional)
495 This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
504 and long names are the same when this option is used. (Optional)
505 .IP "\fB\s-1RANDFILE\s0\fR" 4
508 and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
509 not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.
513 last timestamp response created. This number is incremented by 1 for
519 all available algorithms. The default value is built-in, you can specify
520 any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0).
524 \&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR
528 A file containing a set of \s-1PEM\s0 encoded certificates that need to be
529 included in the response. The same as the \fB\-chain\fR command line
533 The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR
538 \&\fB\-\f(BIdigest\fB\fR command line option. (Mandatory unless specified on the command
543 policy. The same as the \fB\-tspolicy\fR command line option. (Optional)
546 Comma separated list of policies that are also acceptable by the \s-1TSA\s0
550 The list of message digest algorithms that the \s-1TSA\s0 accepts. At least
554 The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds
562 or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms.
567 If this option is yes the responses generated by this \s-1TSA\s0 can always
572 Set this option to yes if the subject name of the \s-1TSA\s0 must be included in
573 the \s-1TSA\s0 name field of the response. Default is no. (Optional)
576 The SignedData objects created by the \s-1TSA\s0 always contain the
578 attribute (see \s-1RFC 2634,\s0 Enhanced Security Services).
581 If this variable is set to yes and the \fBcerts\fR variable or the \fB\-chain\fR option
583 be included, where the \fB\-chain\fR option overrides the \fBcerts\fR variable.
587 This option specifies the hash function to be used to calculate the \s-1TSA\s0's
591 All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
594 .SS "Timestamp Request"
595 .IX Subsection "Timestamp Request"
596 To create a timestamp request for \fIdesign1.txt\fR with \s-1SHA\-256\s0 digest,
601 \& openssl ts \-query \-data design1.txt \-no_nonce \e
602 \& \-out design1.tsq
605 To create a similar timestamp request with specifying the message imprint
609 \& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
610 \& \-no_nonce \-out design1.tsq
616 \& openssl ts \-query \-in design1.tsq \-text
619 To create a timestamp request which includes the \s-1SHA\-512\s0 digest
622 \&\s-1OID\s0 section of the config file):
625 \& openssl ts \-query \-data design2.txt \-sha512 \e
626 \& \-tspolicy tsa_policy1 \-cert \-out design2.tsq
628 .SS "Timestamp Response"
629 .IX Subsection "Timestamp Response"
631 the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension
639 See \fBopenssl\-req\fR\|(1), \fBopenssl\-ca\fR\|(1), and \fBopenssl\-x509\fR\|(1) for
641 certificate of the \s-1CA,\s0 \fItsacert.pem\fR is the signing certificate issued
642 by \fIcacert.pem\fR and \fItsakey.pem\fR is the private key of the \s-1TSA.\s0
644 To create a timestamp response for a request:
647 \& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e
648 \& \-signer tsacert.pem \-out design1.tsr
654 \& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr
657 To print a timestamp reply to stdout in human readable format:
660 \& openssl ts \-reply \-in design1.tsr \-text
663 To create a timestamp token instead of timestamp response:
666 \& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out
669 To print a timestamp token to stdout in human readable format:
672 \& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out
675 To extract the timestamp token from a response:
678 \& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
681 To add 'granted' status info to a timestamp token thereby creating a
685 \& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
687 .SS "Timestamp Verification"
688 .IX Subsection "Timestamp Verification"
689 To verify a timestamp reply against a request:
692 \& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e
693 \& \-CAfile cacert.pem \-untrusted tsacert.pem
696 To verify a timestamp reply that includes the certificate chain:
699 \& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e
700 \& \-CAfile cacert.pem
703 To verify a timestamp token against the original data file:
704 openssl ts \-verify \-data design2.txt \-in design2.tsr \e
705 \-CAfile cacert.pem
707 To verify a timestamp token against a message imprint:
708 openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
709 \-in design2.tsr \-CAfile cacert.pem
715 No support for timestamps over \s-1SMTP,\s0 though it is quite easy
716 to implement an automatic e\-mail based \s-1TSA\s0 with \fBprocmail\fR\|(1)
717 and \fBperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of
718 a separate apache module. \s-1HTTP\s0 client support is provided by
719 \&\fBtsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported.
721 The file containing the last serial number of the \s-1TSA\s0 is not
723 instance of \fBopenssl\fR\|(1) is trying to create a timestamp
727 Look for the \s-1FIXME\s0 word in the source files.
735 OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
737 define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
740 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
745 \&\fBopenssl\-req\fR\|(1),
746 \&\fBopenssl\-x509\fR\|(1),
747 \&\fBopenssl\-ca\fR\|(1),
748 \&\fBopenssl\-genrsa\fR\|(1),
750 \&\fBossl_store\-file\fR\|(7)
753 Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
757 in the file \s-1LICENSE\s0 in the source distribution or at