wolfSSL · SparkiDev · Jun 25, 2026
diff --git a/.github/workflows/no-malloc.yml b/.github/workflows/no-malloc.yml
@@ -1,3 +1,3 @@
 name: No Malloc Tests

 # START OF COMMON SECTION
@@ -74,6 +74,14 @@
             "--enable-curve448", "--enable-mlkem", "--enable-staticmemory",
             "CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
            "check": false,
+           "run": [["./wolfcrypt/test/testwolfcrypt"]]},
+          {"name": "tps-staticmemory", "minutes": 0.8,
+           "configure": ["--enable-ecc", "--enable-rsa", "--enable-keygen",
+            "--enable-ed25519", "--enable-curve25519", "--enable-ed448",
+            "--enable-curve448", "--enable-mlkem", "--enable-tsp",
+            "--enable-staticmemory",
+            "CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
+           "check": false,
            "run": [["./wolfcrypt/test/testwolfcrypt"]]}
           ]
           EOF

diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
@@ -1,3 +1,3 @@
 name: Ubuntu-Macos-Windows Tests

 # START OF COMMON SECTION
@@ -306,6 +306,37 @@
           {"name": "pkcs7", "minutes": 1.3,
            "comment": "PKCS#7 without RSA-PSS",
            "configure": ["--enable-pkcs7"]},
+          {"name": "tsp", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol",
+           "configure": ["--enable-tsp"]},
+          {"name": "tsp-openssl", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol with OpenSSL compat",
+           "configure": ["--enable-tsp", "--enable-opensslall"]},
+          {"name": "tsp-no-ecc", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol without ECC",
+           "configure": ["--enable-tsp", "--disable-ecc"]},
+          {"name": "tsp-no-rsa", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol without RSA",
+           "configure": ["--enable-tsp", "--disable-rsa"]},
+          {"name": "tsp-smallstack", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol Small Stack",
+           "configure": ["--enable-tsp", "CPPFLAGS=-DWOLFSSL_SMALL_STACK"]},
+          {"name": "tsp-min-hash-str", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol Minimum 128-bit hash strength",
+           "configure": ["--enable-tsp",
+           "CPPFLAGS=-DWC_TSP_MIN_HASH_STRENGTH_BITS=128"]},
+          {"name": "tsp-requester", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol Requester",
+           "configure": ["--enable-tsp", "--enable-opensslall",
+           "CPPFLAGS=-DWOLFSSL_TSP_REQUESTER"]},
+          {"name": "tsp-responder", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol Responder",
+           "configure": ["--enable-tsp", "--enable-opensslall",
+           "CPPFLAGS=-DWOLFSSL_TSP_RESPONDER"]},
+          {"name": "tsp-verifier", "minutes": 1.3,
+           "comment": "Time-Stamp Protocol Verifier",
+           "configure": ["--enable-tsp", "--enable-opensslall",
+           "CPPFLAGS=-DWOLFSSL_TSP_VERIFIER"]},
           {"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
            "configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
             "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},

diff --git a/.gitignore b/.gitignore
@@ -72,6 +72,9 @@ examples/sctp/sctp-client-dtls
 examples/asn1/asn1
 examples/pem/pem
 examples/ocsp_responder/ocsp_responder
+examples/tsp/tsp_query
+examples/tsp/tsp_reply
+examples/tsp/tsp_verify
 server_ready
 snifftest
 output

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2021,6 +2021,9 @@ endif()
 set(WOLFSSL_PKCS7_HELP_STRING "Enable PKCS7 (default: disabled)")
 add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
 
+set(WOLFSSL_TSP_HELP_STRING "Enable RFC 3161 Time-Stamp Protocol (default: disabled)")
+add_option(WOLFSSL_TSP ${WOLFSSL_TSP_HELP_STRING} "no" "yes;no")
+
 set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
 add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")
 
@@ -2412,6 +2415,12 @@ if(WOLFSSL_AESCFB)
 endif()
 
 
+if(WOLFSSL_TSP)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TSP")
+    # Requires PKCS7 for time-stamp token creation and verification
+    override_cache(WOLFSSL_PKCS7 "yes")
+endif()
+
 if(WOLFSSL_PKCS7)
     list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS7")
     override_cache(WOLFSSL_AESKEYWRAP "yes")
@@ -2965,6 +2974,8 @@ if(WOLFSSL_EXAMPLES)
         tests/api/test_asn.c
         tests/api/test_pkcs7.c
         tests/api/test_pkcs12.c
+        tests/api/test_tsp.c
+        tests/api/test_ossl_tsp.c
         tests/api/test_pwdbased.c
         tests/api/test_ossl_asn1.c
         tests/api/test_ossl_bio.c

diff --git a/certs/include.am b/certs/include.am
@@ -37,6 +37,14 @@ EXTRA_DIST += \
              certs/client-ca-cert.pem \
              certs/dh2048.pem \
              certs/server-cert.pem \
+             certs/tsa-bad-ku-cert.pem \
+             certs/tsa-extra-eku-cert.pem \
+             certs/tsa-chain-cert.pem \
+             certs/tsa-chain-key.pem \
+             certs/tsa-cert.pem \
+             certs/tsa-ecc-cert.pem \
+             certs/tsa-ecc-key.pem \
+             certs/tsa-key.pem \
              certs/server-ecc.pem \
              certs/server-ecc-self.pem \
              certs/server-ecc-comp.pem \
@@ -119,6 +127,14 @@ EXTRA_DIST += \
              certs/ecc-keyPub.der \
              certs/server-key.der \
              certs/server-cert.der \
+             certs/tsa-key.der \
+             certs/tsa-cert.der \
+             certs/tsa-ecc-key.der \
+             certs/tsa-ecc-cert.der \
+             certs/tsa-bad-ku-cert.der \
+             certs/tsa-extra-eku-cert.der \
+             certs/tsa-chain-cert.der \
+             certs/tsa-chain-key.der \
              certs/server-ecc-comp.der \
              certs/server-ecc.der \
              certs/server-ecc-self.der \

diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
@@ -39,6 +39,16 @@
 #                       aia/multi-aia-cert.pem
 #                       aia/overflow-aia-cert.pem
 #                       sia/timestamping-sia-cert.pem
+#                       tsa-cert.pem
+#                       tsa-cert.der
+#                       tsa-ecc-cert.pem
+#                       tsa-ecc-cert.der
+#                       tsa-bad-ku-cert.pem
+#                       tsa-bad-ku-cert.der
+#                       tsa-extra-eku-cert.pem
+#                       tsa-extra-eku-cert.der
+#                       tsa-chain-cert.pem
+#                       tsa-chain-cert.der
 # updates the following crls:
 #                       crl/cliCrl.pem
 #                       crl/crl.pem
@@ -216,6 +226,112 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
 
+    ############################################################
+    ######## update the self-signed (2048-bit) tsa-cert.pem ###
+    ############################################################
+    echo "Updating 2048-bit tsa-cert.pem"
+    echo ""
+    openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-cert.csr
+    check_result $? "Step 1"
+
+    openssl x509 -req -in tsa-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-key.pem -out tsa-cert.pem
+    check_result $? "Step 2"
+    rm tsa-cert.csr
+
+    openssl x509 -in tsa-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem tsa-cert.pem
+
+    openssl x509 -in tsa-cert.pem -outform der -out tsa-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
+    ############################################################
+    ## update the intermediate-issued tsa-chain-cert.pem ######
+    ############################################################
+    echo "Updating 2048-bit tsa-chain-cert.pem"
+    echo ""
+    openssl req -new -key tsa-chain-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-chain-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-chain-cert.csr
+    check_result $? "Step 1"
+
+    openssl x509 -req -in tsa-chain-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -CA intermediate/ca-int-cert.pem -CAkey intermediate/ca-int-key.pem -CAcreateserial -out tsa-chain-cert.pem
+    check_result $? "Step 2"
+    rm tsa-chain-cert.csr
+    rm -f intermediate/ca-int-cert.srl
+
+    openssl x509 -in tsa-chain-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem tsa-chain-cert.pem
+
+    openssl x509 -in tsa-chain-cert.pem -outform der -out tsa-chain-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
+    ############################################################
+    ########## update the self-signed tsa-ecc-cert.pem ########
+    ############################################################
+    echo "Updating tsa-ecc-cert.pem"
+    echo ""
+    openssl req -new -key tsa-ecc-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-ecc-cert.csr
+    check_result $? "Step 1"
+
+    openssl x509 -req -in tsa-ecc-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-ecc-key.pem -out tsa-ecc-cert.pem
+    check_result $? "Step 2"
+    rm tsa-ecc-cert.csr
+
+    openssl x509 -in tsa-ecc-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem tsa-ecc-cert.pem
+
+    openssl x509 -in tsa-ecc-cert.pem -outform der -out tsa-ecc-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
+    ############################################################
+    ## update the self-signed (2048-bit) tsa-bad-ku-cert.pem ##
+    ############################################################
+    echo "Updating 2048-bit tsa-bad-ku-cert.pem"
+    echo ""
+    openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-bad-ku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-bad-ku-cert.csr
+    check_result $? "Step 1"
+
+    openssl x509 -req -in tsa-bad-ku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_bad_ku_cert -signkey tsa-key.pem -out tsa-bad-ku-cert.pem
+    check_result $? "Step 2"
+    rm tsa-bad-ku-cert.csr
+
+    openssl x509 -in tsa-bad-ku-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem tsa-bad-ku-cert.pem
+
+    openssl x509 -in tsa-bad-ku-cert.pem -outform der -out tsa-bad-ku-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
+    ###############################################################
+    ## update the self-signed (2048-bit) tsa-extra-eku-cert.pem ##
+    ###############################################################
+    echo "Updating 2048-bit tsa-extra-eku-cert.pem"
+    echo ""
+    openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-extra-eku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-extra-eku-cert.csr
+    check_result $? "Step 1"
+
+    openssl x509 -req -in tsa-extra-eku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_extra_eku_cert -signkey tsa-key.pem -out tsa-extra-eku-cert.pem
+    check_result $? "Step 2"
+    rm tsa-extra-eku-cert.csr
+
+    openssl x509 -in tsa-extra-eku-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem tsa-extra-eku-cert.pem
+
+    openssl x509 -in tsa-extra-eku-cert.pem -outform der -out tsa-extra-eku-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
     ############################################################
     #### update the self-signed (1024-bit) client-cert.pem #####
     ############################################################

diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
@@ -452,3 +452,30 @@ DNS.1 = www.example.org
 URI.1 = https://www.wolfssl.com/
 otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
 
+
+# TSA certificate extensions - RFC 3161 time-stamping only
+[ tsa_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+subjectAltName = DNS:tsa.wolfssl.com
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, timeStamping
+
+# TSA certificate extensions with wrong key usage - for failure testing
+[ tsa_bad_ku_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+keyUsage = critical, keyEncipherment
+extendedKeyUsage = critical, timeStamping
+
+# TSA certificate extensions with an extra (non-timeStamping) extended key
+# usage - for failure testing. The extra purpose is an unrecognized OID so the
+# time-stamping bit is still the only one set; rejection relies on the count.
+[ tsa_extra_eku_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, timeStamping, 1.3.6.1.4.1.99999.1
diff --git a/certs/tsa-bad-ku-cert.der b/certs/tsa-bad-ku-cert.der
diff --git a/certs/tsa-bad-ku-cert.pem b/certs/tsa-bad-ku-cert.pem
@@ -0,0 +1,93 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7d:ef:e7:fe:70:74:73:af:df:71:6b:d3:ba:fb:d0:4b:a3:50:26:d3
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-bad-ku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+        Validity
+            Not Before: Jun  4 20:35:37 2026 GMT
+            Not After : Feb 28 20:35:37 2029 GMT
+        Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=TSA-bad-ku-2048, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:93:74:96:f0:0c:fd:d7:2a:5a:a0:a1:6e:b4:63:
+                    b7:f4:e6:8b:77:8f:49:f7:a9:0c:b3:3d:5a:60:a8:
+                    b8:67:75:b8:d0:ce:ba:ce:65:e5:64:a2:d0:c8:d0:
+                    2c:5b:a8:a5:d3:3f:2c:46:07:e6:b1:b7:a5:65:f8:
+                    9f:89:e1:93:bc:49:cd:55:fd:9b:a1:1e:1e:f7:99:
+                    07:4a:1c:c8:b6:88:a2:5e:77:a5:3f:79:2f:d3:43:
+                    41:f6:cf:ff:78:30:89:12:b1:0c:3f:f5:2f:62:e6:
+                    71:33:02:70:d9:42:1b:e4:07:9c:9d:c7:5e:5b:4e:
+                    93:8f:6b:0e:fe:5b:7e:02:6f:8d:e8:7d:e9:aa:1d:
+                    12:f2:6b:a4:55:61:59:e0:3a:38:b0:14:41:9d:bb:
+                    c6:e0:6a:9d:35:a8:08:f2:3c:29:b9:a7:b2:38:47:
+                    f6:70:1a:b8:d2:d5:c9:48:f0:ee:60:1d:14:77:8a:
+                    2c:38:90:29:7f:42:e4:dd:92:0a:8d:03:88:44:0a:
+                    f0:b6:14:bd:e5:11:50:94:26:fb:3e:ab:17:69:3d:
+                    a6:45:c7:ad:86:41:66:e6:53:e5:dc:d8:4a:04:c7:
+                    af:fb:a7:df:99:77:57:d9:25:7c:67:73:3d:ee:60:
+                    f3:63:2d:68:0f:97:da:68:d5:3d:e5:06:92:82:dd:
+                    90:25
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
+            X509v3 Authority Key Identifier: 
+                keyid:C0:19:81:BB:D6:3D:BB:41:E8:22:1A:08:50:AD:57:FB:E5:B5:EA:9D
+                DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-bad-ku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:7D:EF:E7:FE:70:74:73:AF:DF:71:6B:D3:BA:FB:D0:4B:A3:50:26:D3
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Key Encipherment
+            X509v3 Extended Key Usage: critical
+                Time Stamping
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1c:b5:98:0a:98:28:90:9f:7c:ff:d9:d4:3b:92:3d:b3:7c:d6:
+        9b:b4:88:59:0d:cd:58:7a:6a:ad:f0:6f:f3:ed:5e:57:d7:14:
+        3e:64:50:1c:11:33:ab:62:09:f1:8f:58:15:93:25:20:ed:f3:
+        cb:ed:a3:d2:21:7c:c2:02:14:fa:61:cf:20:13:8a:6b:f1:95:
+        81:94:e8:d7:fd:24:13:fb:87:e3:2c:fb:4e:d7:ce:46:ab:fd:
+        21:bc:93:b8:0d:88:2a:76:b6:02:f9:ef:58:fc:36:b5:11:5a:
+        07:62:0d:a3:1a:e6:77:a7:28:b2:0e:c6:b1:a4:66:52:99:11:
+        90:11:4a:d7:98:e5:9f:b1:e7:99:fe:a6:66:66:5e:1e:52:bb:
+        b8:e7:bd:e9:95:d4:03:47:de:c7:cd:f7:58:67:af:12:57:28:
+        33:a7:34:ef:74:2f:6c:67:43:29:6d:57:80:b4:2d:67:21:2a:
+        52:41:97:1d:2d:af:2c:c7:1f:c8:20:6d:9a:79:82:f7:a6:3b:
+        97:5b:1a:bc:f4:2a:d9:df:a6:45:db:a2:c1:83:5a:39:ef:f9:
+        6f:f7:14:42:30:0f:52:71:6e:6b:05:19:ca:51:4e:a0:f1:4a:
+        ba:6f:95:46:3d:ea:1a:ab:e3:37:bd:30:ba:b9:b5:30:fd:97:
+        e4:7a:49:d4
+-----BEGIN CERTIFICATE-----
+MIIE8zCCA9ugAwIBAgIUfe/n/nB0c6/fcWvTuvvQS6NQJtMwDQYJKoZIhvcNAQEL
+BQAwgZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMRAwDgYDVQQKDAd3b2xmU1NMMRgwFgYDVQQLDA9UU0EtYmFkLWt1LTIw
+NDgxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m
+b0B3b2xmc3NsLmNvbTAeFw0yNjA2MDQyMDM1MzdaFw0yOTAyMjgyMDM1MzdaMIGY
+MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1h
+bjEQMA4GA1UECgwHd29sZlNTTDEYMBYGA1UECwwPVFNBLWJhZC1rdS0yMDQ4MRgw
+FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
+ZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTdJbwDP3X
+KlqgoW60Y7f05ot3j0n3qQyzPVpgqLhndbjQzrrOZeVkotDI0CxbqKXTPyxGB+ax
+t6Vl+J+J4ZO8Sc1V/ZuhHh73mQdKHMi2iKJed6U/eS/TQ0H2z/94MIkSsQw/9S9i
+5nEzAnDZQhvkB5ydx15bTpOPaw7+W34Cb43ofemqHRLya6RVYVngOjiwFEGdu8bg
+ap01qAjyPCm5p7I4R/ZwGrjS1clI8O5gHRR3iiw4kCl/QuTdkgqNA4hECvC2FL3l
+EVCUJvs+qxdpPaZFx62GQWbmU+Xc2EoEx6/7p9+Zd1fZJXxncz3uYPNjLWgPl9po
+1T3lBpKC3ZAlAgMBAAGjggExMIIBLTAdBgNVHQ4EFgQUwBmBu9Y9u0HoIhoIUK1X
+++W16p0wgdgGA1UdIwSB0DCBzYAUwBmBu9Y9u0HoIhoIUK1X++W16p2hgZ6kgZsw
+gZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRgwFgYDVQQLDA9UU0EtYmFkLWt1LTIwNDgx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIUfe/n/nB0c6/fcWvTuvvQS6NQJtMwCQYDVR0TBAIwADAOBgNV
+HQ8BAf8EBAMCBSAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQEL
+BQADggEBABy1mAqYKJCffP/Z1DuSPbN81pu0iFkNzVh6aq3wb/PtXlfXFD5kUBwR
+M6tiCfGPWBWTJSDt88vto9IhfMICFPphzyATimvxlYGU6Nf9JBP7h+Ms+07Xzkar
+/SG8k7gNiCp2tgL571j8NrURWgdiDaMa5nenKLIOxrGkZlKZEZARSteY5Z+x55n+
+pmZmXh5Su7jnvemV1ANH3sfN91hnrxJXKDOnNO90L2xnQyltV4C0LWchKlJBlx0t
+ryzHH8ggbZp5gvemO5dbGrz0KtnfpkXbosGDWjnv+W/3FEIwD1JxbmsFGcpRTqDx
+SrpvlUY96hqr4ze9MLq5tTD9l+R6SdQ=
+-----END CERTIFICATE-----
diff --git a/certs/tsa-cert.der b/certs/tsa-cert.der