Breadcrumbs

Set up Composite Time-stamping

You can set up time-stamping using a composite key, and verify the time-stamping performed by a composite key.

For information about composite certificates, see SignServer Composite Certificates.

Prerequisites

  • Access to Admin Web

  • SignServer instance running

  • Access to a CA supporting composite certificates (such as EJBCA)

Step 1 - Set up a Keystore or P11NG Crypto Token

Use a Keystore Crypto Worker or P11NG Crypto Worker to generate composite keys.

Using an existing Crypto Worker?

If a Crypto Worker, such as CryptoTokenP12 or CryptoTokenP11NG1, is already operational, you can use it instead, and proceed to Step 2 - Generate a Composite Key. When generating a composite key, the option to select Composite as the Key Algorithm should be available and usable without any additional configurations to the Crypto Worker.

To create the worker:

  1. Navigate to the Workers page in the Admin Web.

  2. Click Add.

  3. In Add Worker/Load Configuration, select From Template.

  4. Select one of the following:

    • keystore-crypto.properties

    • p11ng-crypto.properties

  5. Click Next and Apply.

The new Crypto Worker should now be listed in the Workers page.

Step 2 - Generate a Composite Key

To create composite keys in the Crypto Worker:

  1. Navigate to the Workers page in the Admin Web.

  2. Select the Crypto Worker, and go to the Crypto Token tab.

  3. Click Generate Key.

  4. Enter the suffix -COMPOSITE under New Key Alias, for example: MyKey-COMPOSITE

  5. Under Key Algorithm, select Composite.

  6. Under Key Specification, select MLDSA87-RSA3072-PSS-SHA512.

  7. Click Generate.

Ensure that 3 key objects were added to the list in the Crypto Token tab:

  • MyKey-COMPOSITE

  • MyKey-COMPQ (quantum-safe algorithm part of the composite)

  • MyKey-COMPC (classical algorithm part of the composite)

Troubleshooting an OFFLINE Crypto Token

The following error can appear when setting the default key:

Can’t set test-composite as default key 01:02:26,079 ERROR [org.signserver.server.cryptotokens.Ke

To solve the error, delete DEFAULTKEY properties entirely. The Crypto Token will now be ACTIVE.

Step 3 - Set up Timestamp Signer

To set up the Timestamp Signer:

Using an existing Timestamp Signer?

If a Time is already operational, you can use it instead of creating a new one. If this is the case, update the DEFAULTKEY of that worker and proceed to Step 4 - Generate a CSR.

  1. From the Workers page, click Add.

  2. In Add Worker/Load Configuration, select From Template.

  3. Select timestamp.properties from the drop down.

  4. Press Next and Apply.

The Timestamp Signer should now be listed in the Workers page.

  1. Navigate to the Timestamp Signer and click the Configure tab.

  2. Click Edit.

  3. Change the value of the Default key to MyKey-COMPOSITE.

Step 4 - Generate a Certificate Signing Request (CSR)

To generate a CSR for the composite key:

  1. Navigate to the Workers page in the Admin Web.

  2. Select the Crypto Worker to be used, such as CryptoTokenP12 or CryptoTokenP11NG1.

  3. In the worker view, click Generate CSR.

  4. Enter the key alias under Key.

  5. Select MLDSA87-RSA3072-PSS-SHA512 from the drop down under Signature Algorithm.

Selecting the Signature Algorithm

Ensure that the selected Signature Algorithm matches the Key Specification when the composite key was generated. This example uses MLDSA87-RSA3072-PSS-SHA512 as an example. For troubleshooting purposes, it is recommend to use the same Key Specification and Signature Algorithm when trying composite time-stamping for the first time.

  1. Enter a common name under DN, such as CN=MyOrg.

  2. Click Generate.

  3. Click the Download button under the Result label to download the .p10 CSR file.

Step 5 - Get a Composite Certificate

This step is completed by using a trusted certificate authority.

Bring your generated CSR to a CA supporting the issuance of Composite Certificates for time-stamping, for instance one running EJBCA. See Issue Composite Certificates in the EJBCA documentation.

The composite certificate that is downloaded will be used for time-stamping.

Step 6 - Install the Composite Certificate

To install the composite certificate on the signer:

  1. From the Workers page, select the Timestamp Signer.

  2. Click Install Certificates.

  3. The Worker and composite key should appear under Worker and Key.

  4. Under Upload, click Browse.

  5. Select the composite certificate you created with the CA.

  6. Click Add and Install.

  7. Ensure that the Timestamp Signer status is ACTIVE after installing the certificate.

Step 7 - Test Composite Time-stamping using SignClient

To use the composite key for time-stamping, open your SignServer instance:

  1. Navigate to SignClient.

  2. Execute the following command:

./signclient timestamp -url http://<your-domain>:8080/signserver/tsa?workerName=TimeStampSigner

  1. The following log should be visible from the console where signclient is being executed:

2025-11-26T14:28:14,545 INFO  [TimeStampCommand] Got reply after 75 ms
2025-11-26T14:28:14,570 INFO  [TimeStampCommand] TimeStampRequest validated with status code: 0 (Operation Okay)

The console log of the running application server should include details about the time-stamping requests, where an encoded timestamp request and an encoded TSA timestamp response should be visible.

  1. Create a test file by running the following command:

echo "Something to time-stamp" > test.txt

  1. Time-stamp the file by running the following command:

./bin/signclient timestamp -url http://localhost:8080/signserver/tsa?workerName=TimeStampSigner -infile test.txt -outrep test-composite.tsr -certreq

Step 8 - Verify the Time-stamping

With a timestamped file, the timestamp response or certificate chain of trust can be verified by SignClient.

Verifying Timestamp Response

Run the following command to verify:

./signclient timestamp -verify -inrep test-composite.tsr -signerfile composite-cert-name-from-download.crt

The -signerfile flag should point to the composite certificate that was installed in the Timestamp Signer in order for the timestamp to be verifiable.

A successful timestamp verification should produce the following log in the console:

INFO  [TimeStampCommand] Token was validated successfully. 
INFO  [TimeStampCommand] Token was generated on: Sat Nov 29 09:16:10 UTC 2025 
INFO  [TimeStampCommand] MessageDigest=<some message digest> 
INFO  [TimeStampCommand] Processing took 82 ms

Verifying Certificate Chain

Run the following command to verify:

./bin/signclient timestamp -verify -inrep test-composite.tsr -cafile my-trusted-cert.pem

The -cafile flag should point to a file containing one or multiple PEM-encoded certificates that will be used as trustanchors for certificate chain validation. This flag also performs timestamp token validation.

A successful certificate chain validation and timestamp token validation will be seen in the console output.