Setting Up Time Stamping
Time Stamping in emCA allows administrators to configure and manage a Time Stamping Authority (TSA) for providing trusted timestamp services. The setup involves creating key profiles, generating key pairs and CSRs, issuing TSA certificates, and registering clients. This section provides a step-by-step guide to complete the configuration and enable timestamping in emCA.
Manage Key Profile
To begin configuring Time Stamping, log in to the eMudhra TSA portal with your credentials.

Navigate to Manage Timestamping Signer → Manage Key Profile → New Profile.

Enter the following details:
Profile Name: Identifier for the key profile
Profile Type: Location where the key profile is generated
Configuration Type: Select the configuration type (e.g., PKCS11)
HSM Password: Provide the hardware security module password

Click Confirm to complete the key profile creation.

The new profile will be listed under Manage Key Profiles → View All.

Manage Key Pair
Next, generate a key pair using the key profile created in the previous step.

Go to Manage Timestamping Signer → Manage Key Pair → Generate Key Pair and provide:
Number of Keys
Key Profile (select the one you just created)
Signature Algorithm
Key Algorithm & Size

Click Generate Key Pair to create the key pair.
The generated key pair will appear under View All.

To generate a CSR (Certificate Signing Request), click on the Action icon of the created key pair. Enter the required Subject DN details:
Common Name
Organization
Organization Unit
Country

Click Save and Proceed, then Create to generate the CSR.
Download the CSR for signing by the CA.

TSA Certificate Profile Creation
Log in as an Administrator and navigate to Manage Profiles → Certificate Profiles → X.509.
Provide the following basic information:
Profile Type: User
Sub Type: New
Profile Name: Identifier for the TSA profile
Validity: Certificate validity period
Issuing CA: Select the appropriate issuing CA
Signature Algorithm: Select the preferred algorithm

Add the required Subject DN details:
Common Name
Country
Organization
Organization Unit

Configure X.509 Certificate Extensions, such as:
Basic Constraints
Key Usage
Enhanced Key Usage
Authority Key Identifier
Subject Key Identifier
Authority Information Access
CRL Distribution Points
Certificate Policy

Click Proceed and authenticate to complete the creation.


The profile will be available under View All.

Sign CSR – TSA Certificate
Log in as an Officer and navigate to Manage User Certificate → Sign CSR.
Upload the CSR generated earlier
Select the TSA Certificate Profile created by the Administrator
Choose the Certifying Authority (Root CA or relevant issuer)
Click Proceed to view CSR details, then authenticate as an Officer.
Once authenticated, click Sign CSR to generate the signed certificate.
The signed certificate will be ready for download.

Signed Certificate

Manage TSA Certificate
Log in as TSA Admin and navigate to Manage Timestamping Signer → Manage TSA Certificates.

Click Import Issuer Certificate and upload the Root/Issuer CA certificate. A success message will confirm the import.

Click the Import action for the TSA Auth Certificate and upload the signed TSA certificate. A success response will be displayed upon successful import.



The signed TSA certificate will now be visible under the TSA Certificates list.

Client Registration – TSA Services
To register clients for TSA services, log in as TSA Admin.
Go to Client Registration → New Registration and provide:
Client Name
Username
Password
Confirm Password
Click Save and Proceed, then Submit.
A confirmation message will confirm successful client registration.
Registered clients will be listed under View All.

Manage NTP Devices
To configure NTP devices, go to Manage NTP Devices → New NTP Device.

Provide the following:
NTP Device Name
NTP Device URL

Click Proceed to add the device. A confirmation message will confirm successful addition.

Manage Policy
To define TSA policies, go to Manage Policies → New Policy.

Provide the following details:
Policy ID
Select the Signed TSA Certificate from the dropdown
NTP Server Name
If you select Mark as Default, the policy will be applied to all clients by default.
Click Proceed to save the policy.
A success message will confirm policy creation.

Time Stamping endpoint for TSA requests

Last updated