diff --git a/go.mod b/go.mod
index 97124dd..90c0da1 100644
--- a/go.mod
+++ b/go.mod
@@ -2,4 +2,4 @@ module github.com/wja-id/pkcs7
 
 go 1.11
 
-require golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
+require golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
diff --git a/go.sum b/go.sum
index fdd972f..3c57716 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,3 @@
-github.com/wja-id/globalsign-sdk v0.0.0-20201216095649-1d80c2fe9367 h1:eA5o6oaV/Mw+cISBLVbC8gEP78DGRJfUrPtlr82ofVY=
-github.com/wja-id/globalsign-sdk v0.0.0-20201216095649-1d80c2fe9367/go.mod h1:UjFOzSB3clBO1R7ulqrE2Bw3U2w3nC/WhV1nnRSIZDg=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
diff --git a/sign.go b/sign.go
index 496e2b2..010dbad 100644
--- a/sign.go
+++ b/sign.go
@@ -9,11 +9,14 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"math/big"
 	"net/http"
+	"time"
 )
 
 // SignedData is an opaque data structure for creating signed data payloads
@@ -204,6 +207,8 @@ func (sd *SignedData) addSignerChain(ee *x509.Certificate, pkey crypto.PrivateKe
 	h.Write(sd.data)
 	sd.messageDigest = h.Sum(nil)
 
+	log.Println("message digest:", hex.EncodeToString(sd.messageDigest))
+
 	encryptionOid, err := getOIDForEncryptionAlgorithm(pkey, sd.digestOid)
 	if err != nil {
 		return err
@@ -211,10 +216,10 @@ func (sd *SignedData) addSignerChain(ee *x509.Certificate, pkey crypto.PrivateKe
 	attrs := &attributes{}
 	attrs.Add(OIDAttributeContentType, sd.sd.ContentInfo.ContentType)
 	attrs.Add(OIDAttributeMessageDigest, sd.messageDigest)
-	// attrs.Add(OIDAttributeSigningTime, time.Now())
+	attrs.Add(OIDAttributeSigningTime, time.Now())
 
 	// add id-aa-signing-certificate-v2
-	if b, err := populateSigningCertificateV2(ee); err == nil {
+	if b, err := populateSigningCertificateV2Ext(ee); err == nil {
 		attrs.Add(OIDAttributeSigningCertificateV2, asn1.RawValue{FullBytes: b})
 	}
 
@@ -370,7 +375,7 @@ func (sd *SignedData) RequestSignerTimestampToken(signerID int, callback Timesta
 		return fmt.Errorf("no callback defined")
 	}
 
-	tst, err := callback(sd.messageDigest)
+	tst, err := callback(sd.sd.SignerInfos[signerID].EncryptedDigest)
 	if err != nil {
 		return err
 	}
@@ -616,28 +621,24 @@ func DegenerateCertificate(cert []byte) ([]byte, error) {
 	return asn1.Marshal(signedContent)
 }
 
-func populateSigningCertificateV2(ee *x509.Certificate) ([]byte, error) {
-	// encode certificate
+func populateSigningCertificateV2Ext(certificate *x509.Certificate) ([]byte, error) {
 	h := sha256.New()
-	_, err := h.Write(ee.Raw)
-	if err != nil {
-		return nil, err
-	}
-
-	hashAlg := pkix.AlgorithmIdentifier{
-		Algorithm:  OIDDigestAlgorithmSHA256,
-		Parameters: asn1.NullRawValue,
-	}
+	h.Write(certificate.Raw)
 
 	signingCertificateV2 := signingCertificateV2{
-		Certs: []essCertIDv2{{
-			HashAlgorithm: hashAlg,
-			CertHash:      h.Sum(nil),
-			// IssuerSerial: issuerAndSerial{
-			// 	IssuerName:   asn1.RawValue{FullBytes: ee.RawIssuer},
-			// 	SerialNumber: ee.SerialNumber,
-			// },
-		}},
+		Certs: []essCertIDv2{
+			{
+				HashAlgorithm: pkix.AlgorithmIdentifier{
+					Algorithm:  asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1},
+					Parameters: asn1.NullRawValue,
+				},
+				CertHash: h.Sum(nil),
+				IssuerSerial: issuerAndSerial{
+					IssuerName:   asn1.RawValue{FullBytes: certificate.RawIssuer},
+					SerialNumber: certificate.SerialNumber,
+				},
+			},
+		},
 	}
 	signingCertV2Bytes, err := asn1.Marshal(signingCertificateV2)
 	if err != nil {