Prove it existed, and keep it valid long after the certificate expires

Get access to C2PA-compliant TSA Talk to an expert

What is a Time Stamping Authority?

SSL.com’s Time Stamping Authority (TSA) issues RFC 3161-compliant trusted timestamps that cryptographically bind your C2PA manifest to a verifiable point in time. A timestamp is what lets a C2PA claim signature stay valid indefinitely, even after the signing certificate has expired or been revoked. Purpose-built for C2PA, with dedicated RSA and ECC endpoints backed by SSL.com’s WebTrust-audited CA infrastructure.

How a trusted timestamp keeps your manifest valid

The client never sends your content. Only a hash (message imprint) is transmitted, so the TSA never sees your data. Following RFC 3161, your client submits a TimeStampReq and the TSA returns a signed TimeStampToken that can be verified and audited at any future date.
Your C2PA claim signature
  1. Hash COSE ToBeSigned value (CounterSignature context)
  2. Request RFC 3161 TimeStampReq → SSL.com TSA (RSA or ECC)
  3. Sign TSA binds hash to trusted time, HSM-signed TimeStampToken
  4. Embed token added as COSE_Sign1 countersignature
  5. Validate verifiable indefinitely, even after cert expiry

Available TSA endpoints

EndpointAlgorithmDescription
http://ts-c2pa.ssl.com/rsaRSAC2PA-compliant RFC 3161 Time Stamping Authority API with RSA
http://ts-c2pa.ssl.com/eccECCC2PA-compliant RFC 3161 Time Stamping Authority API with ECC

Who is it for?

C2PA claim generators & platforms

Embed trusted timestamps so Content Credentials survive certificate expiry.

Camera & device manufacturers

Attach proof-of-existence at capture, or shortly after for offline capture.

AI media platforms

Timestamp generated content to keep provenance manifests durable.

C2PA conformant products

Obtain trusted timestamps for long-term manifest validation.

Request C2PA TSA access

Contact our content authenticity team to set up access to SSL.com’s C2PA-compliant Time Stamping Authority. We’ll confirm your use case, endpoint needs (RSA or ECC), and volume so you can start embedding trusted timestamps in your C2PA manifests.

Why SSL.com

RFC 3161 compliant

SSL.com operates an RFC 3161 Time Stamping Authority conforming to the IETF X.509 Time-Stamp Protocol, with C2PA countersignature support (RFC 5816, COSE).

Trusted, audited time source

Time is drawn from a trusted, audited source and signed with keys held in HSMs under SSL.com’s audited operations.

Purpose-built for C2PA

Dedicated RSA and ECC endpoints meet the C2PA countersignature requirements, so timestamps drop straight into your manifest as a COSE countersignature.

WebTrust audited (BDO)

Annual BDO audits cover CA operations, Baseline Requirements SSL, and Network Security: the standard CA trust anchor expected by enterprise procurement, legal teams, and editorial integrity programs.

In operation since 2002

Over two decades of continuous public CA operations since 2002: proven infrastructure serving enterprises, governments, and content publishers through every major trust evolution.

Frequently asked questions

Without a trusted timestamp, a manifest stops being valid as soon as the signing certificate expires or is revoked. A timestamp lets a validator confirm the claim was signed while the credential was valid, so the manifest can be validated indefinitely.

It is a special C2PA manifest that provides proof-of-existence for an asset and its manifest at a trusted time. It is most often used when an earlier generator signed offline and could not obtain a timestamp at signing time.

No. Only a hash (message imprint) is sent to the TSA. The actual content never leaves your environment.

Match the endpoint to your C2PA signing workflow and the algorithms your validators expect. Both are C2PA-compliant; ECC produces smaller tokens, RSA offers the broadest compatibility.

The C2PA platform free tier includes 10,000 timestamps per year, with on-demand pricing for additional volume. Premium customers can buy at a reduced bulk rate.

Start authenticating your content today

Talk to a content authenticity expert about C2PA Content Credentials, trusted timestamping, and long-term validation.
Talk to a content authenticity expert

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read our Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details
Powered by  GDPR Cookie Compliance