Verification


Obtaining and verifying the CA certificate

The CNX TSA CA certificate is the trust anchor for all token verification. Its SHA-256 fingerprint is published as a DNSSEC-signed TXT record — query it to get the authoritative fingerprint, then verify any copy of the certificate against it.

# Step 1 — get the DNSSEC-proven fingerprint
dig +dnssec TXT _tsaca.cnx.net.kh

# Step 2 — get the certificate (from any source)
curl -s https://tsa.cnx.net.kh/ca.crt -o cnx-tsa-ca.crt

# Step 3 — verify the certificate matches the DNS fingerprint
openssl x509 -in cnx-tsa-ca.crt -noout -fingerprint -sha256
# Output must match the sha256: value from step 1

If the fingerprints match, the certificate is genuine regardless of where it was obtained. DNSSEC, secured by CNX’s HSM-backed signing infrastructure, proves the fingerprint is authentic.

Once verified, install the certificate for use in verification commands:

# Keep isolated to TSA verification (recommended)
openssl ts -verify -data file -in file.tsr -CAfile cnx-tsa-ca.crt

# Or install system-wide (Linux)
sudo cp cnx-tsa-ca.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates
What verification proves

Verification answers three questions simultaneously:

  1. Authenticity — did this token come from CNX? (signature check against CNX TSA certificate)
  2. Integrity — does this token match this specific data? (hash comparison)
  3. Time — when did CNX witness this data? (read genTime from the token)

All three must pass. A token that fails any one of them is either forged, mismatched, or the data has been modified since timestamping.

Verify a token
openssl ts -verify -data original_record.json -in token.tsr -CAfile cnx-tsa-ca.crt
# Verification: OK

Read the attested timestamp:

openssl ts -reply -in token.tsr -text | grep "Time stamp"
# Time stamp: Jun 27 10:30:00.000 2026 GMT
Batch verification

Verify all records in a directory against their tokens. Run on a schedule to confirm no records have been modified since timestamping:

for f in records/*.json; do
  openssl ts -verify -data "$f" -in "${f%.json}.tsr" \
    -CAfile cnx-tsa-ca.crt 2>/dev/null || echo "FAILED: $f"
done
Presenting tokens to auditors

For a regulatory examination or external audit, provide:

  1. The original record — in exactly the form used to generate the hash
  2. The .tsr token file for that record
  3. The CNX TSA CA certificate (cnx-tsa-ca.crt)
  4. The verification command above

An auditor with OpenSSL installed can independently verify the token without any CNX involvement — the verification is purely cryptographic. CNX does not need to be contacted, online, or cooperative. The signed token is self-contained evidence.