Skip to content

SafeNet TSA

Time-Stamping Authority server

SafeNet TSA is a Time-Stamping Authority server. Like a postmark for digital data, each timestamp asserts: "This content existed — byte for byte — at this exact moment," signed by an independent, trusted third party.

Book a consultation All products
The problem

Without timestamps, a party can claim a document was "signed late" or "altered"; records are hard to prove against back-dating; intellectual-property disputes over "who was first" arise; logs can be edited after an incident; and expiring certificates strip the legal value of long-term archives.

Features & capabilities

Works in milliseconds

  • Receives only the document "fingerprint" (hash) — the original never leaves your machine
  • Continuously synced with an international time source
  • Seals "fingerprint + time" with a key inside an HSM
  • Returns a compact proof, independently verifiable anytime

Standards compliance

  • QCVN 138:2025/BKHCN (issued under Circular 51/2025/TT-BKHCN)
  • International RFC 3161 and RFC 5816
  • Verifiable with OpenSSL, Adobe and PKI libraries

Highest-grade security

  • Signing key in an HSM certified FIPS 140-2/140-3 Level 3 or EN 419221-5
  • Keys never appear in readable form
  • Automatically refuses to stamp if the clock drifts beyond threshold

Performance & operations

  • Written in Rust — memory-safe, hundreds of requests/sec at low latency
  • Docker-packaged, runs a trial in minutes
  • Tamper-proof append-only audit log
  • Web console for system status, time source, certificate and logs

Use cases

Trust-service providers

Operate a timestamping service compliant with QCVN 138:2025.

Enterprises, banks, government

In-house timestamping for contracts, records and archives.

Software vendors

Integrate RFC 3161 timestamping into your products.

Security operations

Seal logs and produce digital evidence for investigations.

Standards & compliance

QCVN 138:2025/BKHCN RFC 3161 RFC 5816 FIPS 140-2/3 Level 3

Frequently asked questions

Is my document content exposed? +

No. sn-tsa only receives the "fingerprint" (hash), never the original. Content cannot be reconstructed from the hash.

What if the server clock is wrong? +

The system continuously measures clock drift; if it exceeds the threshold, it stops issuing stamps rather than issue a wrong one — safety first.

How is this different from a digital signature? +

A signature answers "who signed". A timestamp answers "when" and "what the content was at that time". They complement each other.

Interested in SafeNet TSA?

Book a free consultation with a SafeNet expert for a demo and a fit assessment for your organization.

Book a consultation Explore other products