Timestamping (TSA)

Timestamping adds cryptographic proof of exactly when a document was signed. This creates Long-Term Validation (LTV) that remains verifiable for decades, even after your digital certificate expires.

What is Timestamping?

A timestamp is a digitally signed assertion from a trusted third party (Timestamp Authority or TSA) that certifies:

The document existed at a specific moment
The exact time down to the second
Independent verification - not from your server

Think of it as a digital notary’s date stamp that can never be forged or disputed.

Why Timestamps Matter

The Problem They Solve

Without timestamps, several issues arise:

Problem	Risk	Example
Backdating	Someone claims document was signed earlier	Antedating a contract
Expiration disputes	Unclear if signed before deadline	Insurance claims
Certificate expiry	Signature invalid after cert expires	Old agreements
Time manipulation	Server clock changes	Fraud attempts

The Solution Timestamps Provide

Benefit	How Timestamps Help
Immutable proof	Third-party certifies the exact moment
Long-term validity	Valid decades after certificate expires
Independent verification	Not dependent on your server
Non-repudiation	Signer cannot claim different date
Regulatory compliance	Meets strict archival requirements

Legal Importance

Long-Term Validation (LTV)

LTV ensures signatures remain valid indefinitely:

Without LTV	With LTV (Timestamp)
Signature expires with certificate	Signature valid forever
Must verify against expired cert	Timestamp proves signing date
Questionable after years	Holds up in court decades later
Not suitable for archives	Perfect for long-term storage

Regulatory Requirements

Many regulations require or recommend timestamping:

Regulation	Timestamping Requirement
eIDAS (EU)	Required for Qualified Signatures
FDA 21 CFR Part 11	Required for pharma records
HIPAA	Recommended for healthcare records
SOX	Recommended for financial records
ISO 27001	Best practice for compliance

Court Acceptability

In legal proceedings, timestamps provide:

Definitive proof of when signature occurred
Third-party validation (not self-asserted)
Cryptographic evidence that’s mathematically verifiable
Chain of custody for document timing

How Timestamping Works

The Technical Process

When WPsigner creates a timestamp:

1. Document Hash Created
   └─ SHA-256 hash of the signed document

2. Timestamp Request Sent
   └─ Hash sent to TSA server (not the document)

3. TSA Signs the Hash + Time
   └─ TSA adds current time and digitally signs

4. Timestamp Response Returned
   └─ Signed timestamp token received

5. Timestamp Embedded in PDF
   └─ Token stored in document signature

What Gets Sent to TSA?

Only the document hash - not the document itself.

Sent	NOT Sent
SHA-256 hash (32 bytes)	Document content
	Signer information
	Any personal data

This means your documents remain completely private while still getting verified timestamps.

Verification Process

When someone verifies a timestamped document:

Adobe extracts the timestamp token
Verifies TSA’s digital signature
Confirms the hash matches the document
Displays the verified signing time

RFC 3161 Standard

What is RFC 3161?

RFC 3161 is the Internet standard for trusted timestamping, published by the IETF. It defines:

Request/response format
Cryptographic requirements
Trust model
Implementation guidelines

RFC 3161 Compliance

WPsigner fully implements RFC 3161:

Feature	Status
Standard request format	✅ Compliant
SHA-256 hash algorithm	✅ Supported
Nonce inclusion	✅ Implemented
Certificate chain	✅ Embedded
Response validation	✅ Verified

Configuring Timestamping

Accessing TSA Settings

Go to WPsigner → More → Security or Settings → Security
Find the Timestamping section
Enable timestamping with the toggle

Configuration Options

Setting	Description	Example
Enable Timestamping	Turn on/off	On
TSA URL	Timestamp server address	https://freetsa.org/tsr
TSA Username	If authentication required	(optional)
TSA Password	If authentication required	(optional)
Hash Algorithm	Hash type to use	SHA-256

Default Configuration

WPsigner comes pre-configured with FreeTSA.org:

TSA URL: https://freetsa.org/tsr
Authentication: None required
Hash: SHA-256

This works immediately with no configuration needed.

Timestamp Authorities

Free TSA Services

Provider	URL	Notes
FreeTSA.org	https://freetsa.org/tsr	Free, reliable
DigiCert	https://timestamp.digicert.com	Free tier available
Sectigo	http://timestamp.sectigo.com	Free
Apple	http://timestamp.apple.com/ts01	Free

Commercial TSA Services

For higher volumes or SLA guarantees:

Provider	Features	Pricing
DigiCert	High availability, support	Contact sales
GlobalSign	Enterprise SLA	Contact sales
SwissSign	Swiss privacy laws	Contact sales
Entrust	Government-grade	Contact sales

Choosing a TSA

Consider these factors:

Factor	Importance	Notes
Reliability	Critical	Must be available 24/7
Speed	Important	Should respond in < 1 second
Trust	Critical	Well-known, established provider
Location	Consider	May matter for data residency
Cost	Variable	Free options available

[!TIP] For most users, FreeTSA.org or DigiCert’s free service is sufficient. Only consider paid services for enterprise volumes (1000+ documents/day) or strict SLA requirements.

Testing Your Configuration

Manual Test

Go to WPsigner → More → Security
Click Test Timestamp Server
WPsigner sends a test request
Result shows success or error message

Verify in Signed PDF

Create and sign a test document
Download the completed PDF
Open in Adobe Reader
Click on the signature
View signature details
Check for “Timestamp” entry with time

What Success Looks Like

In Adobe Reader, you’ll see:

Signature is VALID
- Signed by: Your Name
- Signing time: Jan 15, 2026 2:30:15 PM
- The signature includes an embedded timestamp ✅
- Timestamp verified by: FreeTSA

Understanding Timestamp Validity

Timestamp vs Certificate Expiry

Scenario	Signature Status
Certificate valid, no timestamp	✅ Valid until cert expires
Certificate expired, no timestamp	⚠️ Validity unknown
Certificate valid, with timestamp	✅ Valid
Certificate expired, with timestamp	✅ Still valid (LTV)

Long-Term Validation Explained

With a timestamp, validity works like this:

At signing time: Certificate was valid → timestamp records this
Years later: Certificate has expired
Verification: Timestamp proves cert was valid when signed
Result: Signature still valid, indefinitely

This is why timestamps are essential for documents you need to keep for years.

Performance Considerations

Timestamp Request Time

Each document requires a round-trip to the TSA:

Factor	Impact
TSA location	Closer = faster
Network latency	Typically 100-500ms
TSA load	Varies by provider
Your server location	Affects latency

Optimization

For high-volume signing:

Use a reliable TSA - Avoid slow or unreliable servers
Consider location - Use geographically close TSA
Background processing - Timestamp asynchronously if possible
Caching - Not applicable (each doc needs unique timestamp)

Troubleshooting

”Timestamp request failed”

Causes:

TSA server is down
Network connectivity issues
Incorrect TSA URL
Firewall blocking requests

Solutions:

Test the TSA URL directly: curl -I https://freetsa.org/tsr
Try a different TSA server
Check firewall rules for outbound HTTPS
Verify server has internet access

”Invalid timestamp response”

Causes:

TSA server misconfiguration
Response format error
Certificate chain issue

Solutions:

Try a different TSA
Update PHP OpenSSL extension
Check PHP error logs for details

”Timestamp not appearing in PDF”

Causes:

Timestamping not enabled
TSA request failed silently
PDF generation issue

Solutions:

Verify timestamping is enabled in settings
Check that test timestamp works
Review document generation logs

Comparing With and Without Timestamps

Document Without Timestamp

┌─────────────────────────────────────┐
│ Signed PDF                          │
│ ┌─────────────────────────────────┐ │
│ │ Digital Signature               │ │
│ │ • Signed: [Server time]         │ │
│ │ • Certificate valid until 2027  │ │
│ └─────────────────────────────────┘ │
│                                     │
│ ⚠️ In 2028: "Certificate expired,  │
│    signature validity unknown"      │
└─────────────────────────────────────┘

Document With Timestamp

┌─────────────────────────────────────┐
│ Signed PDF with Timestamp           │
│ ┌─────────────────────────────────┐ │
│ │ Digital Signature               │ │
│ │ • Signed: Jan 15, 2026 2:30 PM │ │
│ │ • Certificate valid until 2027  │ │
│ │ ┌───────────────────────────┐   │ │
│ │ │ RFC 3161 Timestamp        │   │ │
│ │ │ • Time: Jan 15, 2026      │   │ │
│ │ │ • TSA: FreeTSA.org        │   │ │
│ │ │ • Hash verified ✓         │   │ │
│ │ └───────────────────────────┘   │ │
│ └─────────────────────────────────┘ │
│                                     │
│ ✅ In 2028 and beyond: "Signature  │
│    valid. Timestamp verified."      │
└─────────────────────────────────────┘

Frequently Asked Questions

Is timestamping required for legal validity?

For basic e-signatures in the US, no. However, timestamps are required or recommended for:

European qualified signatures (eIDAS)
Pharmaceutical submissions (FDA)
Long-term archival documents
High-value contracts

Does timestamping slow down signing?

Minimally. Typical overhead is 100-500ms per document. Users won’t notice this in the signing flow.

What if the TSA is down?

WPsigner will:

Retry the request
If still failing, complete signature without timestamp
Log the failure for your review

You can enforce timestamps by enabling “Require Timestamp” in settings.

Can I add timestamps to old documents?

No. Timestamps must be applied at signing time. They prove when the signature was created - adding one later would defeat the purpose.

Next Steps

Digital ID - Configure your certificate
Audit Trails - Understanding the legal record
Compliance - Regulatory requirements