git.stella-ops.org/docs/doctor/articles/timestamping/tsa-cert-expiry.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
| --- | --- | --- | --- |
| check.timestamp.tsa.cert-expiry | stellaops.doctor.timestamping | warn | timestamping, tsa, certificate, expiry |

TSA Certificate Expiry

What It Checks

Checks if TSA signing certificates are approaching expiry. The check:

  • Evaluates each certificate in the TsaCertificates configuration list.
  • Calculates days remaining until expiry.
  • Fails (unhealthy) if any certificate is expired or within the critical threshold (default 90 days).
  • Warns (degraded) if within the warning threshold (default 180 days).
  • Passes if all certificates have sufficient validity remaining.
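The classification above, as an added worked example rather than the Doctor plugin's own code: it reads the `Timestamping__TsaCertificates__N__*` environment convention shown later on this page, computes days remaining against a fixed evaluation instant, and applies the default 180/90-day thresholds. The function names, the evaluation instant and the sample entries (including an expired one and a malformed `ExpiresAt`, which is treated as unhealthy here by assumption) are constructed for illustration.

```python
"""Added example (not StellaOps project code): reproduce the expiry classification
this check performs, driven by the Timestamping__TsaCertificates__N__* environment
convention shown on this page. Thresholds default to the page's 180/90 days; the
function names, the evaluation instant and the sample entries are constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

WARN_DAYS = 180      # default warning threshold (degraded)
CRITICAL_DAYS = 90   # default critical threshold (unhealthy)

_KEY = re.compile(r"^Timestamping__TsaCertificates__(\d+)__(\w+)$")

# Constructed sample configuration. Entry 0 copies the page's example; the
# other entries exercise the expired, near-expiry and malformed cases.
SAMPLE_ENV = {
    "Timestamping__TsaCertificates__0__Name": "DigiCert TSA",
    "Timestamping__TsaCertificates__0__Subject": "CN=DigiCert TSA",
    "Timestamping__TsaCertificates__0__ExpiresAt": "2027-01-15T00:00:00Z",
    "Timestamping__TsaCertificates__1__Name": "Legacy TSA",
    "Timestamping__TsaCertificates__1__ExpiresAt": "2026-03-01T00:00:00Z",
    "Timestamping__TsaCertificates__2__Name": "Backup TSA",
    "Timestamping__TsaCertificates__2__ExpiresAt": "2026-08-01T00:00:00Z",
    "Timestamping__TsaCertificates__3__Name": "Broken TSA",
    "Timestamping__TsaCertificates__3__ExpiresAt": "not-a-date",
}
# Constructed evaluation instant so the result is reproducible offline.
SAMPLE_NOW = datetime(2026, 3, 27, 12, 28, tzinfo=timezone.utc)


def parse_tsa_config(env: dict[str, str]) -> list[dict[str, str]]:
    """Group Timestamping__TsaCertificates__<index>__<field> keys into one
    dict per certificate, ordered by index."""
    by_index: dict[int, dict[str, str]] = {}
    for key, value in env.items():
        m = _KEY.match(key)
        if m:
            by_index.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [by_index[i] for i in sorted(by_index)]


def time_to_expiry(expires_at: str, now: datetime) -> timedelta:
    """Time left until an ISO-8601 ExpiresAt instant (naive values are read as UTC).
    Raises ValueError on an unparseable value."""
    exp = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp - now


def classify_certificate(cert: dict[str, str], now: datetime,
                         warn_days: int = WARN_DAYS,
                         critical_days: int = CRITICAL_DAYS) -> dict:
    """Apply the page's rules to one entry: expired or <= critical -> unhealthy,
    <= warn -> degraded, otherwise healthy. A missing or malformed ExpiresAt is
    treated as unhealthy here (assumption), since the expiry cannot be proven."""
    name = cert.get("Name", "<unnamed>")
    expires_at = cert.get("ExpiresAt")
    if not expires_at:
        return {"name": name, "status": "unhealthy", "days": None,
                "reason": "no ExpiresAt configured"}
    try:
        remaining = time_to_expiry(expires_at, now)
    except ValueError:
        return {"name": name, "status": "unhealthy", "days": None,
                "reason": f"unparseable ExpiresAt {expires_at!r}"}
    days = remaining.days  # whole days, floored; negative once expired
    if remaining <= timedelta(0):
        status, reason = "unhealthy", "certificate expired"
    elif days <= critical_days:
        status, reason = "unhealthy", f"expires within {critical_days} days"
    elif days <= warn_days:
        status, reason = "degraded", f"expires within {warn_days} days"
    else:
        status, reason = "healthy", "sufficient validity remaining"
    return {"name": name, "status": status, "days": days, "reason": reason}


_RANK = {"healthy": 0, "degraded": 1, "unhealthy": 2}


def run_check(env: dict[str, str], now: datetime) -> dict:
    """Evaluate every configured certificate and roll up to the worst status."""
    findings = [classify_certificate(c, now) for c in parse_tsa_config(env)]
    overall = max((f["status"] for f in findings), key=_RANK.get, default="healthy")
    return {"status": overall, "findings": findings}


if __name__ == "__main__":
    result = run_check(SAMPLE_ENV, SAMPLE_NOW)
    print(f"check.timestamp.tsa.cert-expiry: {result['status']}")
    for f in result["findings"]:
        print(f"  {f['status']:<9} {f['name']:<14} days={f['days']!s:<5} {f['reason']}")
```

Running it against the constructed configuration reports the check as unhealthy overall: the expired entry and the malformed entry each fail on their own, the entry due in 126 days is degraded, and only the entry due in 293 days is healthy. The roll-up takes the worst individual status, which is why a single stale entry is enough to fail the check even when the primary TSA certificate is fine.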

Why It Matters

Once a TSA signing certificate expires, the timestamp tokens it issues from that point on will be rejected by relying parties, and evidence timestamped with it may be rejected during compliance audits. Early warning gives operators time to coordinate certificate renewal with the TSA provider before any disruption.

Common Causes

  • TSA provider certificate approaching natural end-of-life
  • Certificate renewal not tracked or scheduled
  • Using a short-lived certificate without automated renewal

How to Fix

Docker Compose

Update the certificate entry when the renewed certificate is obtained from the TSA provider. The check evaluates the configured ExpiresAt value, so set it to the renewed certificate's notAfter date in UTC:

```yaml
environment:
  Timestamping__TsaCertificates__0__Name: "DigiCert TSA"
  Timestamping__TsaCertificates__0__Subject: "CN=DigiCert TSA"
  Timestamping__TsaCertificates__0__ExpiresAt: "2027-01-15T00:00:00Z"
```

Bare Metal / systemd

Contact the TSA provider to obtain renewed certificates and update the trust configuration:

```shell
stella tsa cert update --name "DigiCert TSA" --cert /path/to/new-cert.pem
```

Kubernetes / Helm

Threshold settings in the chart values (defaults shown):

```yaml
timestamping:
  certificates:
    warnDays: 180
    criticalDays: 90
```

Update Kubernetes secrets when new certificates are obtained:

```shell
kubectl create secret generic tsa-certs --from-file=cert.pem=/path/to/new-cert.pem --dry-run=client -o yaml | kubectl apply -f -
```

Verification

```shell
stella doctor run --check check.timestamp.tsa.cert-expiry
```

Related Checks

  • check.timestamp.tsa.root-expiry — checks TSA root/trust anchor certificate expiry
  • check.timestamp.tsa.chain-valid — validates TSA certificate chain integrity
  • check.timestamp.tsa.valid-response — verifies TSA returns valid timestamp tokens