---
checkId: check.timestamp.tsa.cert-expiry
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, tsa, certificate, expiry]
---

# TSA Certificate Expiry

## What It Checks

Checks whether TSA signing certificates are approaching expiry. The check:

- Evaluates each certificate in the `TsaCertificates` configuration list.
- Calculates the days remaining until expiry.
- **Fails** (unhealthy) if any certificate is expired or within the critical threshold (default 90 days).
- **Warns** (degraded) if any certificate is within the warning threshold (default 180 days).
- Passes if all certificates have sufficient validity remaining.

## Why It Matters

An expired TSA signing certificate means new timestamps cannot be validated by relying parties. Evidence signed with an expired certificate may be rejected during compliance audits. Early warning gives operators time to coordinate certificate renewal with the TSA provider before any disruption.

## Common Causes

- TSA provider certificate approaching natural end-of-life
- Certificate renewal not tracked or scheduled
- Using a short-lived certificate without automated renewal

## How to Fix

### Docker Compose

Update the certificate configuration when renewed certificates are obtained from the TSA provider:

```yaml
environment:
  Timestamping__TsaCertificates__0__Name: "DigiCert TSA"
  Timestamping__TsaCertificates__0__Subject: "CN=DigiCert TSA"
  Timestamping__TsaCertificates__0__ExpiresAt: "2027-01-15T00:00:00Z"
```

### Bare Metal / systemd

Contact the TSA provider to obtain renewed certificates and update the trust configuration:

```bash
stella tsa cert update --name "DigiCert TSA" --cert /path/to/new-cert.pem
```

### Kubernetes / Helm

```yaml
timestamping:
  certificates:
    warnDays: 180
    criticalDays: 90
```

Update Kubernetes secrets when new certificates are obtained:

```bash
kubectl create secret generic tsa-certs \
  --from-file=cert.pem=/path/to/new-cert.pem \
  --dry-run=client -o yaml | kubectl apply -f -
```

## Verification

```bash
stella doctor run --check check.timestamp.tsa.cert-expiry
```

## Related Checks

- `check.timestamp.tsa.root-expiry` — checks TSA root/trust anchor certificate expiry
- `check.timestamp.tsa.chain-valid` — validates TSA certificate chain integrity
- `check.timestamp.tsa.valid-response` — verifies TSA returns valid timestamp tokens
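The threshold logic described under "What It Checks", implemented as an added Python example (not StellaOps code) over a constructed `TsaCertificates` list: it parses each entry's `ExpiresAt`, computes days remaining, and reports unhealthy, degraded or healthy using the 90/180-day defaults. The `run_check` helper, the sample entries other than the Compose one above, and the evaluation date are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Defaults named in the check description above.
WARN_DAYS = 180
CRITICAL_DAYS = 90

@dataclass
class TsaCertificate:
    name: str
    subject: str
    expires_at: datetime  # timezone-aware, UTC

def parse_utc(value: str) -> datetime:
    """Parse the ISO-8601 UTC form used for ExpiresAt ("2027-01-15T00:00:00Z")."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def parse_certificate(entry: dict) -> TsaCertificate:
    """Build one record from a TsaCertificates__N__{Name,Subject,ExpiresAt} entry."""
    return TsaCertificate(entry["Name"], entry["Subject"], parse_utc(entry["ExpiresAt"]))

def evaluate(certs, now, warn_days=WARN_DAYS, critical_days=CRITICAL_DAYS):
    """Return (status, findings); an expired/critical cert fails, a warning cert degrades."""
    status, findings = "healthy", []
    for cert in certs:
        days_left = (cert.expires_at - now).days
        if days_left < 0:
            findings.append(f"{cert.name}: expired")
            status = "unhealthy"
        elif days_left <= critical_days:
            findings.append(f"{cert.name}: {days_left} days left (critical)")
            status = "unhealthy"
        elif days_left <= warn_days:
            findings.append(f"{cert.name}: {days_left} days left (warning)")
            status = "degraded" if status == "healthy" else status
    return status, findings

def run_check(config: list, now_iso: str) -> str:
    """Evaluate a configuration list as of now_iso and return only the status (hypothetical helper)."""
    return evaluate([parse_certificate(e) for e in config], parse_utc(now_iso))[0]

# Constructed sample: the Compose entry from this page plus two invented certificates.
SAMPLE_CONFIG = [
    {"Name": "DigiCert TSA", "Subject": "CN=DigiCert TSA", "ExpiresAt": "2027-01-15T00:00:00Z"},
    {"Name": "Backup TSA", "Subject": "CN=Backup TSA", "ExpiresAt": "2026-06-01T00:00:00Z"},
    {"Name": "Legacy TSA", "Subject": "CN=Legacy TSA", "ExpiresAt": "2026-03-01T00:00:00Z"},
]
```

Evaluated on 2026-01-01, the first entry alone passes, adding the second (151 days left) degrades the check, and the third (59 days left) fails it.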