---
checkId: check.timestamp.evidence.tst.expiry
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, evidence, tst, expiry]
---
# TST Approaching Expiry

## What It Checks
Detects timestamp tokens approaching signing certificate expiry. Fails if timestamps are within the critical window (default 90 days), warns if within the warning window (default 180 days).

## Why It Matters
Expired timestamp tokens cannot be validated by relying parties. Artifacts with expired timestamps lose their temporal proof, which may invalidate compliance evidence.

## Common Causes
- TSA signing certificates approaching end-of-life
- Re-timestamp jobs not scheduled or failing

## How to Fix
Run the retimestamp workflow to refresh expiring artifacts:

```bash
stella retimestamp run --expiring-within 180d
```

Schedule automatic re-timestamping before expiry.

## Verification
```
stella doctor run --check check.timestamp.evidence.tst.expiry
```

## Related Checks
- `check.timestamp.evidence.staleness` — aggregated evidence staleness check
- `check.timestamp.tsa.cert-expiry` — checks TSA certificate expiry