List of free rfc3161 servers.

rfc3161.txt

https://rfc3161.ai.moda
https://rfc3161.ai.moda/adobe
https://rfc3161.ai.moda/microsoft
https://rfc3161.ai.moda/apple
https://rfc3161.ai.moda/any
http://rfc3161.ai.moda
http://timestamp.digicert.com
http://timestamp.globalsign.com/tsa/r6advanced1
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.sectigo.com
http://timestamp.apple.com/ts01
http://tsa.mesign.com
http://time.certum.pl
https://freetsa.org
http://tsa.startssl.com/rfc3161
http://dse200.ncipher.com/TSS/HttpTspServer
http://zeitstempel.dfn.de
https://ca.signfiles.com/tsa/get.aspx
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://timestamp.acs.microsoft.com

As of a few days ago, http://timestamp.digicert.com no longer support SHA-512 or SHA-384 hashing algorithm for timestamping.
I'm using signtool.exe version 10.0.19041.685.

Using /td SHA512 or /td SHA384 now fails with http://timestamp.digicert.com but works with http://timestamp.sectigo.com:
Fails:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

Works:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA512 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA384 /fd SHA512 /tr http://timestamp.sectigo.com "file to sign"

Using /td SHA256 works with http://timestamp.digicert.com:
signtool sign /f certfile.cer /csp "some csp" /k "key secret" /td SHA256 /fd SHA512 /tr http://timestamp.digicert.com "file to sign"

Can someone tell me how I can verify a timestamp from timestamp.acs.microsoft.com .

I have now tried various approaches, but somehow I seem to be missing the right root and intermediate certificates.

openssl ts -query -data "sample" -no_nonce -sha512 -cert -out file.tsq
curl -sH "Content-Type: application/timestamp-query" --data-binary "@file.tsq" http://timestamp.acs.microsoft.com  > ms.tsr
echo
echo "Verify (Not Certs)"
openssl ts -verify -in ms.tsr -queryfile file.tsq

echo
echo "Verify2 (MS Root Cert)"
curl -s http://www.microsoft.com/pkiops/certs/microsoft%20identity%20verification%20root%20certificate%20authority%202020.crt > mivra.crt
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile mivra.crt

echo
echo "Verify3 (Extract Cert)"
openssl ts -reply -in "ms.tsr" -token_out -out "ms.token.tk"
openssl pkcs7 -inform DER -in "ms.token.tk" -print_certs -outform PEM -out "ms.cer"
openssl x509 -inform PEM -in "ms.cer" -out "ms.crt"
openssl ts -verify -in ms.tsr -queryfile file.tsq -CAfile ms.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Verify (Not Certs)
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
4037A577EA7E0000:error:17800064:time stamp routines:ts_verify_cert:
certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get local issuer certificate

Verify2 (MS Root Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Error loading file mivra.crt
Verification: FAILED
40E76D29C1730000:error:05800088:x509 certificate routines:
X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:

Verify3 (Extract Cert)
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
40170E69E4720000:error:17800064:time stamp routines:
ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:190:Verify error:unable to get issuer certificate

@TylerDurden2019 Digicert works fine for me with SHA-512 and SHA-384.

openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin

openssl rand 512 | openssl ts -query -data - -cert -sha384 | curl --data-binary @- https://rfc3161.ai.moda/digicert -o - -v | openssl ts -reply -text -in /dev/stdin

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha512
Message data:
    0000 - 4a bd d6 6e cf bb fc 97-95 f4 fe 25 07 6a d9 27   J..n.......%.j.'
    0010 - d7 e6 b3 e1 3e ed d4 2b-44 a1 2f f0 44 91 c1 49   ....>..+D./.D..I
    0020 - 22 84 50 f3 98 ba fc 4c-d6 ab df 48 2f 97 f5 36   ".P....L...H/..6
    0030 - 34 5f 18 df 83 f6 6b 6d-fe be 61 c3 b3 3c de 2d   4_....km..a..<.-
Serial number: 0x9CEFF4C18E28407E21D72B318DDEDD66
Time stamp: May 26 14:31:04 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x775FF9F2CBADC6AC
TSA: unspecified
Extensions:

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.114412.7.1
Hash Algorithm: sha384
Message data:
    0000 - 9e 2e af 17 b7 c9 3d c7-51 6e 18 4a 5f 1f 0d e0   ......=.Qn.J_...
    0010 - e8 eb b4 bc 4d 28 ac 90-9b bb d8 b0 7c 7b b2 48   ....M(......|{.H
    0020 - 02 fe a0 12 f0 2c b6 39-5f 69 a5 49 97 37 dd ad   .....,.9_i.I.7..
Serial number: 0xFC802032394A2B116538CBAA20EECCB5
Time stamp: May 26 14:32:19 2025 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0xECD603090AAC72F5
TSA: unspecified
Extensions: