---
checkId: check.timestamp.tsa.chain-valid
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, tsa, certificate, chain, validation]
---

# TSA Certificate Chain Validity

## What It Checks

Ensures that every configured TSA certificate chain is complete and valid. The check:

- Queries the certificate chain status provider for all configured TSA chains.
- Validates that each chain is complete (leaf through intermediates to root) and that no certificate in it reports an error.
- Fails if all chains are invalid; warns if only some chains are invalid.
- Reports degraded if no chain data is available (provider not configured).

## Why It Matters

An incomplete or broken certificate chain means a TSA timestamp token cannot be verified end-to-end: a relying party that cannot build a path from the TSA signing certificate to a trusted root has no basis for trusting the timestamp. Relying parties will reject evidence carrying unverifiable chains, which causes compliance audit failures and blocks release promotions. This check reports at `fail` severity.

## Common Causes

- Missing intermediate certificates
- Intermediate certificate expired
- Trust store not updated after CA changes
- Misconfigured certificate chain ordering

## How to Fix

### Docker Compose

```bash
# Verify the chain manually. -purpose timestampsign additionally checks that the
# leaf carries the id-kp-timeStamping extended key usage a TSA cert must have (RFC 3161).
openssl verify -purpose timestampsign -CAfile /certs/root.pem \
  -untrusted /certs/intermediate.pem /certs/tsa-leaf.pem

# Update chain configuration
docker exec stella tsa chain update --name "Provider" \
  --cert /certs/tsa-leaf.pem --intermediate /certs/intermediate.pem
```

### Bare Metal / systemd

```bash
# Validate every configured chain, then replace the broken one
stella tsa chain validate --all
stella tsa chain update --name "Provider" \
  --cert /path/to/leaf.pem --intermediate /path/to/intermediate.pem
```

### Kubernetes / Helm

```yaml
timestamping:
  chainValidation:
    enabled: true
```

Update certificate chain secrets:

```bash
# --dry-run/apply also replaces an existing secret; a plain `create` fails if one exists
kubectl create secret generic tsa-chain \
  --from-file=leaf.pem --from-file=intermediate.pem --from-file=root.pem \
  --dry-run=client -o yaml | kubectl apply -f -
```

## Verification

```bash
stella doctor run --check check.timestamp.tsa.chain-valid
```

## Related Checks

- `check.timestamp.tsa.cert-expiry` — checks TSA signing certificate expiry
- `check.timestamp.tsa.root-expiry` — checks TSA root certificate expiry
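The classification described under What It Checks, together with the missing-intermediate and expired-intermediate causes listed above, modelled in Go against the standard library's `crypto/x509` path builder. This is an added example, not StellaOps code: the `TSAChain` type, the status strings and the throwaway Ed25519 CA hierarchy built by `mintCert`/`DemoChains` are assumptions made for illustration and stand in for whatever the chain status provider actually returns.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Check outcomes as the doctor page defines them.
const Pass, Warn, Fail, Degraded = "pass", "warn", "fail", "degraded"
// TSAChain is one configured chain: TSA signing cert, intermediates, trust anchor (assumed shape).
type TSAChain struct {
	Name          string
	Leaf, Root    *x509.Certificate
	Intermediates []*x509.Certificate
}

// ValidateChain builds a path leaf -> intermediates -> root valid at `at`, requiring the
// id-kp-timeStamping EKU (RFC 3161 §2.3); Go defaults KeyUsages to serverAuth if left empty.
func ValidateChain(c TSAChain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	for _, ic := range c.Intermediates {
		inters.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	})
	if err != nil {
		return fmt.Errorf("%s: %w", c.Name, err)
	}
	return nil
}

// CheckChains aggregates per-chain results into the overall check status.
func CheckChains(chains []TSAChain, at time.Time) (string, []error) {
	var errs []error
	for _, c := range chains {
		if err := ValidateChain(c, at); err != nil {
			errs = append(errs, err)
		}
	}
	switch {
	case len(chains) == 0:
		return Degraded, nil // provider returned no chain data
	case len(errs) == 0:
		return Pass, nil
	case len(errs) == len(chains):
		return Fail, errs
	}
	return Warn, errs
}

// mintCert issues a throwaway cert signed by parent (self-signed when parent is nil): constructed test material only.
func mintCert(cn string, ca bool, from, to time.Time, parent *x509.Certificate,
	pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // RFC 3161 §2.3: a TSA signing cert must carry id-kp-timeStamping
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DemoChains reproduces the page's failure modes with a constructed CA hierarchy: a complete
// chain, the same leaf without its intermediate, and a chain whose intermediate expired an hour ago.
func DemoChains(now time.Time) (TSAChain, TSAChain, TSAChain) {
	yr := 365 * 24 * time.Hour
	root, rkey := mintCert("Demo Root", true, now.Add(-2*yr), now.Add(10*yr), nil, nil)
	inter, ikey := mintCert("Demo TSA CA", true, now.Add(-yr), now.Add(5*yr), root, rkey)
	leaf, _ := mintCert("Demo TSA", false, now.Add(-time.Hour), now.Add(yr), inter, ikey)
	old, okey := mintCert("Old TSA CA", true, now.Add(-2*yr), now.Add(-time.Hour), root, rkey)
	oldLeaf, _ := mintCert("Old TSA", false, now.Add(-yr), now.Add(yr), old, okey)
	return TSAChain{"complete", leaf, root, []*x509.Certificate{inter}},
		TSAChain{"missing-intermediate", leaf, root, nil},
		TSAChain{"expired-intermediate", oldLeaf, root, []*x509.Certificate{old}}
}

func main() {
	good, noInter, expired := DemoChains(time.Now())
	for _, set := range [][]TSAChain{nil, {good}, {good, noInter}, {noInter, expired}} {
		fmt.Println(CheckChains(set, time.Now()))
	}
}
```

Running it with `go run` prints one line per scenario: `degraded` for the empty set, `pass` for the complete chain, `warn` when one of two chains lacks its intermediate, and `fail` when every chain is broken. The `KeyUsages` option is the detail worth carrying back to the manual check: the page's `openssl verify` needs `-purpose timestampsign` for the same reason Go needs `ExtKeyUsageTimeStamping`, since both verifiers otherwise assume a TLS server certificate.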