Setting Up Time Stamping

Time Stamping in emCA allows administrators to configure and manage a Time Stamping Authority (TSA) for providing trusted timestamp services. The setup involves creating key profiles, generating key pairs and CSRs, issuing TSA certificates, and registering clients. This section provides a step-by-step guide to complete the configuration and enable timestamping in emCA.

Manage Key Profile

To begin configuring Time Stamping, log in to the eMudhra TSA portal with your credentials.

Navigate to Manage Timestamping Signer → Manage Key Profile → New Profile.

Enter the following details:

  • Profile Name: Identifier for the key profile

  • Profile Type: Location where the key profile is generated

  • Configuration Type: Select the configuration type (e.g., PKCS11)

  • HSM Password: Provide the hardware security module password

Click Confirm to complete the key profile creation.

The new profile will be listed under Manage Key Profiles → View All.

Manage Key Pair

Next, generate a key pair using the key profile created in the previous step.

Go to Manage Timestamping Signer → Manage Key Pair → Generate Key Pair and provide:

  • Number of Keys

  • Key Profile (select the one you just created)

  • Signature Algorithm

  • Key Algorithm & Size

Click Generate Key Pair to create the key pair.

The generated key pair will appear under View All.

To generate a CSR (Certificate Signing Request), click on the Action icon of the created key pair. Enter the required Subject DN details:

  • Common Name

  • Organization

  • Organization Unit

  • Country

Click Save and Proceed, then Create to generate the CSR.

Download the CSR for signing by the CA.

TSA Certificate Profile Creation

Log in as an Administrator and navigate to Manage Profiles → Certificate Profiles → X.509.

Provide the following basic information:

  • Profile Type: User

  • Sub Type: New

  • Profile Name: Identifier for the TSA profile

  • Validity: Certificate validity period

  • Issuing CA: Select the appropriate issuing CA

  • Signature Algorithm: Select the preferred algorithm

Add the required Subject DN details:

  • Common Name

  • Country

  • Organization

  • Organization Unit

Configure X.509 Certificate Extensions, such as:

  • Basic Constraints

  • Key Usage

  • Enhanced Key Usage

  • Authority Key Identifier

  • Subject Key Identifier

  • Authority Information Access

  • CRL Distribution Points

  • Certificate Policy

Click Proceed and authenticate to complete the creation.

The profile will be available under View All.

Sign CSR – TSA Certificate

Log in as an Officer and navigate to Manage User Certificate → Sign CSR.

  • Upload the CSR generated earlier

  • Select the TSA Certificate Profile created by the Administrator

  • Choose the Certifying Authority (Root CA or relevant issuer)

Click Proceed to view CSR details, then authenticate as an Officer.

Once authenticated, click Sign CSR to generate the signed certificate.

The signed certificate will be ready for download.

Signed Certificate

Manage TSA Certificate

Log in as TSA Admin and navigate to Manage Timestamping Signer → Manage TSA Certificates.

Click Import Issuer Certificate and upload the Root/Issuer CA certificate. A success message will confirm the import.

Click the Import action for the TSA Auth Certificate and upload the signed TSA certificate. A success response will be displayed upon successful import.

The signed TSA certificate will now be visible under the TSA Certificates list.

Client Registration – TSA Services

To register clients for TSA services, log in as TSA Admin.

Go to Client Registration → New Registration and provide:

  • Client Name

  • Username

  • Password

  • Confirm Password

Click Save and Proceed, then Submit.

A confirmation message will confirm successful client registration.

Registered clients will be listed under View All.

Manage NTP Devices

To configure NTP devices, go to Manage NTP Devices → New NTP Device.

Provide the following:

  • NTP Device Name

  • NTP Device URL

Click Proceed to add the device. A confirmation message will confirm successful addition.

Manage Policy

To define TSA policies, go to Manage Policies → New Policy.

Provide the following details:

  • Policy ID

  • Select the Signed TSA Certificate from the dropdown

  • NTP Server Name

If you select Mark as Default, the policy will be applied to all clients by default.

Click Proceed to save the policy. A success message will confirm policy creation.

Time Stamping endpoint for TSA requests

Last updated