6.9.3. Procedure – Generating TSA certificate with Windows Certificate Authority on Windows Server 2008

To generate a TSA certificate with Windows Certificate Authority (CA) that works with PSM, generate a CSR (certificate signing request) on a computer running OpenSSL and sign it with Windows CA, then import this certificate into PSM for timestamping.


A valid configuration file for OpenSSL with the following extensions:

[ tsa_cert ]
extendedKeyUsage = critical,timeStamping

You can copy /etc/xcb/openssl-ca.cnf from PSM to the computer that will be used for signing. Rename the file to openssl-temp.cnf.

The TSA certificate is considered valid, in terms of compatibility with PSM, if the following conditions are met:

  • Must be a valid CA certificate (CA is true).

  • Key Usage: Time Stamping is required. No other key usage is permitted.

  • Extended Key Usage: Must be set to critical.

  • Optional Key Usage: If Key Usage is present, it must be digitalSignature and/or nonRepudiation. Other values are not permitted. Make sure that in Encryption, Allow key exchange without key encryption (key agreement) is selected.


    In Encryption, do NOT select Allow key exchange only with key encryption (key encipherment), because it will result in errors.

The following X509v3 extensions are supported:

  • Hard requirement:

    X509v3 Extended Key Usage must be critical, and must only contain Time Stamping.

  • Optional:

    X509v3 Key Usage, if present, must be digitalSignature and/or nonRepudiation.


  1. Create CSR using the new configuration file: openssl req -set_serial 0 -config openssl-temp.cnf -reqexts tsa_cert -new -newkey rsa:2048 -keyout timestamp.key -out timestamp.csr -nodes

  2. Complete the required fields according to your environment:

    Generating a 2048 bit RSA private key
    writing new private key to 'timestamp.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) []:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BalaBit IT Security
    Organizational Unit Name (eg, section) []:Service Delivery
    Common Name (eg, YOUR name) []:scb35-1-i1.tohuvabohu.balabit
    Email Address []:[email protected]
  3. Sign the generated CSR with your Windows CA. Make sure that the CSR file is accessible from your Windows CA server.

    1. To issue and sign the new certificate request, open the Microsoft Certification Authority Management Console: Start > Run and run certsrv.msc.

    2. Right-click on the server name and navigate to All Tasks > Submit new request....

      Figure 6.29. Submitting a new request

      Submitting a new request
    3. Select the CSR created in the second step.

    4. On the left pane, click Pending Requests. The new certificate request is displayed in the right pane.

      Figure 6.30. Issuing a new certificate

      Issuing a new certificate
    5. To issue the new SSL certificate, right-click on the pending certificate request, select “All Tasks” and click on “Issue”.

    6. Select "Issued Certificates" and double-click on the certificate issued in the previous step.

    7. The CA Certificate window opens. Navigate to the Details tab. Ensure that the required Enhanced Key Usage field is visible and contains the Time Stamping value.

      Figure 6.31. Verifying certificate details

      Verifying certificate details
    8. Click Copy to File. The Certificate Export Wizard launches. Click Next.

    9. Select the format of the certificate: Base-64 encoded X.509 (.CER). Click Next.

      Figure 6.32. Selecting certificate file format

      Selecting certificate file format
    10. Select location to save the certificate, and save it.

    11. The Completing the Certificate Export Wizard screen is displayed. Click Finish.

  4. In PSM, navigate to Basic Settings > Management > SSL certificate.

  5. Click next to TSA X.509 certificate, browse for the previously generated certificate, and click Upload.

  6. Click next to TSA private key, browse for the previously generated key, and click Upload.


    If the root CA (the CA X.509 certificate field under Basic Settings > Management > SSL certificate) that is used for other certificates on PSM is different from the CA that was used to sign the TSA certificate, a warning is displayed. In this scenario, ignore this warning.