Linux "ts" Command Line Options and Examples
Time Stamping Authority tool

The ts command is a basic Time Stamping Authority (TSA) client and server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A TSA can be part of a PKI deployment and its role is to provide long-term proof of the existence of a certain datum before a particular time. Here is a brief description of the protocol:


Usage:

openssl ts -query [-rand file:file...] [-config configfile] [-data file_to_hash] [-digest digest_bytes]
[-[digest]] [-tspolicy object_id] [-no_nonce] [-cert] [-in request.tsq] [-out request.tsq] [-text]

Command Line Options:

-rand
The files containing random data for seeding the random number generator. Multiple files can be specified; the separator is ; for MS-Windows, , for VMS and : for all other platforms. (Optional)
ts -rand ...
-config
The configuration file to use. Optional; for a description of the default value, see "COMMAND SUMMARY" in openssl(1).
ts -config ...
-data
The data file for which the time stamp request needs to be created. stdin is the default if neither the
ts -data ...
-digest
It is possible to specify the message imprint explicitly without the data file. The imprint must be specified in a hexadecimal format, two characters per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or 1AF601...). The number of bytes must match the message digest algorithm in use. (Optional)
ts -digest ...
-[digest]
The message digest to apply to the data file. Any digest supported by the OpenSSL dgst command can be used. The default is SHA-1. (Optional)
ts -[digest] ...
-tspolicy
The policy that the client expects the TSA to use for creating the time stamp token. Either the dotted OID notation or OID names defined in the config file can be used. If no policy is requested the TSA will use its own default policy. (Optional)
ts -tspolicy ...
-no_nonce
No nonce is specified in the request if this option is given. Otherwise a 64-bit pseudo-random nonce is included in the request. It is recommended to use a nonce to protect against replay attacks. (Optional)
ts -no_nonce ...
-cert
The TSA is expected to include its signing certificate in the response. (Optional)
ts -cert ...
-in
This option specifies a previously created time stamp request in DER format that will be printed into the output file. Useful when you need to examine the content of a request in human-readable format. (Optional)
ts -in ...
-out
Name of the output file to which the request will be written. Default is stdout. (Optional)
ts -out ...
-text
If this option is specified the output is human-readable text format instead of DER. (Optional)
ts -text ...

Time Stamp Response generation:

A time stamp response (TimeStampResp) consists of a response status and the time stamp token itself (ContentInfo), if the token generation was successful. The -reply command is for creating a time stamp response or time stamp token based on a request and printing the response/token in human-readable format. If
-section
The name of the config file section containing the settings for the response generation. If not specified the default TSA section is used, see Configuration File Options for details. (Optional)
ts -section ...
-queryfile
The name of the file containing a DER encoded time stamp request. (Optional)
ts -queryfile ...
-passin
Specifies the password source for the private key of the TSA. See PASS PHRASE ARGUMENTS in openssl(1). (Optional)
ts -passin ...
-signer
The signer certificate of the TSA in PEM format. The TSA signing certificate must have exactly one extended key usage assigned to it: timeStamping. The extended key usage must also be critical, otherwise the certificate is going to be refused. Overrides the signer_cert variable of the config file. (Optional)
ts -signer ...
-inkey
The signer private key of the TSA in PEM format. Overrides the signer_key config file option. If no engine is used, the argument is taken as a file; if an engine is specified, the argument is given to the engine as a key identifier. (Optional)
ts -inkey ...
-sha1|-sha224|-sha256|-sha384|-sha512
Signing digest to use. Overrides the signer_digest config file option. (Optional)
ts -sha1|-sha224|-sha256|-sha384|-sha512 ...
-chain
The collection of certificates in PEM format that will all be included in the response in addition to the signer certificate if the -cert option was used for the request. This file is supposed to contain the certificate chain for the signer certificate from its issuer upwards. The -reply command does not build a certificate chain automatically. (Optional)
ts -chain ...
-token_in
This flag can be used together with the -in option and indicates that the input is a DER encoded time stamp token (ContentInfo) instead of a time stamp response (TimeStampResp). (Optional)
ts -token_in ...
-token_out
The output is a time stamp token (ContentInfo) instead of time stamp response (TimeStampResp). (Optional)
ts -token_out ...
-engine
Specifying an engine (by its unique id string) will cause ts to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Default is builtin. (Optional)
ts -engine ...

Time Stamp Response verification:

The -verify command is for verifying if a time stamp response or time stamp token is valid and matches a particular time stamp request or data file. The -verify command does not use the configuration file.
-CApath
The name of the directory containing the trusted CA certificates of the client. See the similar option of verify(1) for additional details. Either this option or -CAfile must be specified. (Optional)
ts -CApath ...
-CAfile
The name of the file containing a set of trusted self-signed CA certificates in PEM format. See the similar option of verify(1) for additional details. Either this option or -CApath must be specified. (Optional)
ts -CAfile ...
-untrusted
Set of additional untrusted certificates in PEM format which may be needed when building the certificate chain for the TSA's signing certificate. This file must contain the TSA signing certificate and all intermediate CA certificates unless the response includes them. (Optional)
ts -untrusted ...

Verify options:

The options -attime timestamp, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -issuer_checks, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname and -verify_ip can be used to control the verification of the certificate chain; see verify(1) for details.

Configuration File Options:

The -query and -reply commands make use of a configuration file. See config(5) for a general description of the syntax of the config file. The -query command uses only the symbolic OID names section and it can work without it. However, the -reply command needs the config file for its operation.

When there is a command line switch equivalent of a variable the switch always overrides the settings in the config file.

tsa section, default_tsa
This is the main section and it specifies the name of another section that contains all the options for the -reply command. This default section can be overridden with the -section command line switch. (Optional)
oid_file
See ca(1) for description. (Optional)
oid_section
See ca(1) for description. (Optional)
RANDFILE
See ca(1) for description. (Optional)
serial
The name of the file containing the hexadecimal serial number of the last time stamp response created. This number is incremented by 1 for each response. If the file does not exist at the time of response generation a new file is created with serial number 1. (Mandatory)
crypto_device
Specifies the OpenSSL engine that will be set as the default for all available algorithms. The default value is builtin, you can specify any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM). (Optional)
signer_cert
TSA signing certificate in PEM format. The same as the -signer command line option. (Optional)
certs
A file containing a set of PEM encoded certificates that need to be included in the response. The same as the -chain command line option. (Optional)
signer_key
The private key of the TSA in PEM format. The same as the -inkey command line option. (Optional)
signer_digest
Signing digest to use. The same as the -sha1|-sha224|-sha256|-sha384|-sha512 command line option. (Optional)
default_policy
The default policy to use when the request does not mandate any policy. The same as the -tspolicy command line option. (Optional)
other_policies
Comma separated list of policies that are also acceptable by the TSA and used only if the request explicitly specifies one of them. (Optional)
digests
The list of message digest algorithms that the TSA accepts. At least one algorithm must be specified. (Mandatory)
accuracy
The accuracy of the time source of the TSA in seconds, milliseconds and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of the components is missing zero is assumed for that field. (Optional)
clock_precision_digits
Specifies the maximum number of digits, which represent the fraction of seconds, that need to be included in the time field. The trailing zeroes must be removed from the time, so there might actually be fewer digits, or no fraction of seconds at all. Supported only on UNIX platforms. The maximum value is 6, default is 0. (Optional)
ordering
If this option is yes the responses generated by this TSA can always be ordered, even if the time difference between two responses is less than the sum of their accuracies. Default is no. (Optional)
tsa_name
Set this option to yes if the subject name of the TSA must be included in the TSA name field of the response. Default is no. (Optional)
ess_cert_id_chain
The SignedData objects created by the TSA always contain the certificate identifier of the signing certificate in a signed attribute (see RFC 2634, Enhanced Security Services). If this option is set to yes and either the certs variable or the -chain option is specified then the certificate identifiers of the chain will also be included in the SigningCertificate signed attribute. If this variable is set to no, only the signing certificate identifier is included. Default is no. (Optional)

Examples:

All the examples below presume that OPENSSL_CONF is set to a proper configuration file, e.g. the example configuration file openssl/apps/openssl.cnf will do.

Time Stamp Request

To create a time stamp request for design1.txt with SHA-1 without nonce and policy and no certificate is required in the response:

openssl ts -query -data design1.txt -no_nonce \
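The following script is an added example and is not part of the OpenSSL manual page: it ties the -query, -reply and -verify commands and the configuration file options described above into one complete RFC 3161 round trip, including the critical timeStamping extended key usage the -signer option demands, the mandatory serial and digests config keys, verification by request, by data file, by explicit -digest and by bare token (-token_out / -token_in), and a negative check on a modified file. It assumes an openssl binary (1.1.1 or later) on PATH; the CA and TSA names, the policy OID 1.2.3.4.1, the file names and the data file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual: a complete RFC 3161 round trip
# with openssl ts. Everything here (CA and TSA names, the policy OID 1.2.3.4.1,
# file names, data file contents) is a constructed placeholder for illustration.
set -eu

# Runs in a subshell so the temporary directory and cwd change stay local.
ts_roundtrip() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # 1. Throwaway root CA that becomes the client's trust anchor (-CAfile).
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Example Root CA" \
      -keyout ca.key -out ca.crt 2>/dev/null

  # 2. TSA signing certificate. -reply and -verify refuse the signer unless its
  #    extendedKeyUsage is exactly timeStamping and is marked critical.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example TSA" \
      -keyout tsa.key -out tsa.csr 2>/dev/null
  printf '%s\n' 'extendedKeyUsage=critical,timeStamping' \
                'keyUsage=critical,digitalSignature' > tsa.ext
  openssl x509 -req -in tsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 7 -extfile tsa.ext -out tsa.crt 2>/dev/null

  # 3. Minimal config for -reply: serial and digests are the mandatory keys,
  #    the rest mirrors the options documented in the page's config section.
  cat > tsa.cnf <<'EOF'
[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
serial            = tsa_serial
signer_cert       = tsa.crt
signer_key        = tsa.key
signer_digest     = sha256
default_policy    = 1.2.3.4.1
digests           = sha256, sha512
accuracy          = secs:1, millisecs:500, microsecs:100
ordering          = yes
tsa_name          = yes
ess_cert_id_chain = no
EOF

  # 4. Client: hash the file with SHA-256, keep the default nonce (replay
  #    protection) and ask the TSA to include its certificate in the response.
  printf 'design1.txt contents\n' > design1.txt
  openssl ts -query -data design1.txt -sha256 -cert -out design1.tsq
  openssl ts -query -in design1.tsq -text          # inspect the DER request

  # 5. TSA: answer the request with the config above (serial file is created).
  openssl ts -reply -config tsa.cnf -queryfile design1.tsq -out design1.tsr

  # 6. Client: verify against the request (nonce, imprint, policy), then
  #    against the data file, then against a precomputed SHA-256 imprint.
  openssl ts -verify -in design1.tsr -queryfile design1.tsq -CAfile ca.crt
  openssl ts -verify -in design1.tsr -data design1.txt -CAfile ca.crt
  imprint=$(openssl dgst -sha256 -r design1.txt | cut -d' ' -f1)
  openssl ts -verify -in design1.tsr -digest "$imprint" -CAfile ca.crt

  # 7. Extract the bare token (ContentInfo) and verify it with -token_in.
  openssl ts -reply -config tsa.cnf -in design1.tsr -token_out -out design1.tst
  openssl ts -verify -in design1.tst -token_in -data design1.txt -CAfile ca.crt

  # 8. Negative check: a modified file must fail verification (exit status 1).
  printf 'tampered\n' >> design1.txt
  if openssl ts -verify -in design1.tsr -data design1.txt -CAfile ca.crt 2>/dev/null; then
    echo 'unexpected: tampered file verified' >&2
    exit 1
  fi
  echo 'round trip ok'
)

ts_roundtrip
```

The function exits non-zero on the first failing step (set -e inside the subshell), so it doubles as a quick check that a TSA certificate issued by a real CA carries the right extensions: drop "critical" from the extendedKeyUsage line in tsa.ext and step 6 fails with an invalid-purpose error, exactly the refusal the -signer option describes.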