There are many causes of this issue including, but not limited to:
- extendedKeyUsage values were not added to the certificate.cnf prior to the certificate signing request being created.
- The TSA template was not used within Windows when signing the certificate.csr.
- When signing using OpenSSL, required additional information was not present in the certificate.cnf.
The first thing to check is that the tsa_ext section of the certificate configuration file (certificate.cnf), including the extendedKeyUsage field values, is set correctly:
[ tsa_ext ]
extendedKeyUsage = critical,timeStamping
When Windows Server is used to sign the certificate signing request (certificate.csr), this issue occurs if the correct template is not used during signing.
Please use the TSA Certificate Template when signing the certificate request. The following command can be used on the Windows Server to sign the certificate correctly:
certreq -submit -attrib "CertificateTemplate:TSA" "C:\Path\To\Timestamp.csr"
When signing using OpenSSL, please ensure the following command is used so that the TSA extension is added to the certificate:
openssl ca -config /path/to/certificate.cnf -in /path/to/certificate.csr -out tsa.crt -extensions tsa_ext -days 365
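To confirm that the issued certificate (tsa.crt) actually carries the extension set in tsa_ext, a check like the following can be run. This is an added example, not part of the original article; the function names check_tsa_eku and make_test_cert and the self-signed test certificate are constructed for illustration. It also rejects certificates that carry additional extendedKeyUsage values, because RFC 3161 requires timeStamping to be the only one.

```shell
#!/bin/sh
# check_tsa_eku CERT: succeed only if CERT has a critical extendedKeyUsage
# whose single value is timeStamping (OpenSSL prints it as "Time Stamping").
check_tsa_eku() {
    eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          grep -A1 'X509v3 Extended Key Usage') || {
        echo "FAIL: no extendedKeyUsage extension found in $1"; return 1; }
    case "$eku" in
        *'Extended Key Usage: critical'*) ;;
        *) echo "FAIL: extendedKeyUsage is not marked critical"; return 1 ;;
    esac
    # The line after the extension header lists the key purposes.
    values=$(printf '%s\n' "$eku" | sed -n '2{s/^ *//;s/ *$//;p;}')
    [ "$values" = "Time Stamping" ] || {
        echo "FAIL: extendedKeyUsage is '$values', expected only Time Stamping"
        return 1; }
    echo "OK: critical timeStamping extendedKeyUsage"
}

# make_test_cert EKU OUT: write a constructed, self-signed certificate whose
# tsa_ext section sets extendedKeyUsage to EKU (test data only, valid 1 day).
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/certificate.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed TSA test certificate
[ tsa_ext ]
extendedKeyUsage = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/certificate.cnf" -extensions tsa_ext \
        -keyout "$dir/key.pem" -out "$2" 2>/dev/null || {
        rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}

# When a certificate path is given on the command line, check it.
if [ $# -gt 0 ]; then
    check_tsa_eku "$1"
fi
```

Saved as a script, it can be run with the path to tsa.crt as its argument; a FAIL line indicates which part of the tsa_ext configuration did not reach the certificate.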