RFC 3161 & Authenticode compatible timestamp signing service, supporting multiple cryptographic algorithms. Powered by Cloudflare Workers.
Fully compatible with RFC 3161 Timestamp Protocol and Microsoft Authenticode legacy format for PE/DLL code signing.
Custom signing time via URL path. Deployed on Cloudflare Workers edge network with global low-latency and zero cold start.
Supports RSA (2048/3072/4096), ECC (P-256/P-384/P-521), SM2 with SHA-1/SHA-2/SM3 hash algorithms.
| Method | Path | Description |
|---|---|---|
| GET | / | Service info page |
| GET | /info | Service configuration (JSON) |
| GET | /health | Health check endpoint |
| POST | / | Timestamp request (real time) |
| POST | /{datetime} | Timestamp request (custom time) |
# Sign with real timestamp
signtool sign /tr http://your-domain/ /td SHA256 /fd SHA256 /f cert.pfx file.exe
# Sign with custom timestamp (fake time)
signtool sign /tr http://your-domain/2020-01-01T00:00:00 /td SHA256 /fd SHA256 /f cert.pfx file.exe
# Legacy Authenticode timestamp (SHA-1)
signtool sign /t http://your-domain/ /f cert.pfx file.exe
# Authenticode with custom time
signtool sign /t http://your-domain/2020-06-15T12:00:00 /f cert.pfx file.exe
# RFC 3161 request
curl -X POST -H "Content-Type: application/timestamp-query" \
--data-binary @request.tsq http://your-domain/ \
-o response.tsr
| Variable | Required | Description |
|---|---|---|
| TSA_CERT | Yes | PEM-encoded TSA certificate |
| TSA_KEYS | Yes | PEM-encoded private key (PKCS#8) |
| TSA_TYPE | No | Key type: RSA, EC-P256, EC-P384, EC-P521, SM2 (default: RSA) |
| TSA_FAKE | No | Allow custom timestamp: "true" or "false" (default: "false") |