Put simply, a timestamp records when a signature was created. Because all code signing certificates expire, any software verifying a digital signature needs to know whether the signature was created before or after the certificate expired. If you use a timestamp, your signatures never expire, even when your certificate does.
kSign automatically timestamps when it signs, but other code signing utilities, such as Microsoft's signtool.exe, need to be passed the URL of a timestamp server. Sectigo offers a free timestamp server to any certificate holder. The URL is http://timestamp.comodoca.com/authenticode for SHA1 timestamps and http://timestamp.comodoca.com/?td=sha256 for SHA256 timestamps.
For Java, use the RFC 3161 URL: http://timestamp.comodoca.com/rfc3161
**PLEASE NOTE:** As of May 30th 2020, SHA1 timestamping is effectively deprecated as the SHA1 roots have expired. Use only the SHA256 timestamp server from now on: http://timestamp.comodoca.com/?td=sha256.
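To confirm that signed files actually carry a timestamp before the signing certificate expires, the following audit script can be run over a build folder. It is an added example, not code from Sectigo or kSign; it assumes Windows with the built-in `Get-AuthenticodeSignature` cmdlet, and the `.\dist` folder and 30-day warning window are hypothetical defaults.

```powershell
# Added example: flag Authenticode-signed files that have no timestamp.
# $Path and $WarnDays are hypothetical defaults; adjust for your build output.
param(
    [string]$Path = '.\dist',
    [int]$WarnDays = 30
)

function Get-TimestampAudit {
    param([string]$Folder, [int]$WarnDays)

    $now = Get-Date
    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($null -eq $sig.SignerCertificate) { return }  # unsigned file: skip

            $signer   = $sig.SignerCertificate
            $tsa      = $sig.TimeStamperCertificate           # $null when no timestamp was applied
            $daysLeft = [int]($signer.NotAfter - $now).TotalDays

            # Without a timestamp the signature stops verifying once the
            # signing certificate expires, so rank by how close that is.
            $risk = if ($tsa) { 'ok' }
                    elseif ($daysLeft -lt 0) { 'EXPIRED-no-timestamp' }
                    elseif ($daysLeft -le $WarnDays) { 'expiring-no-timestamp' }
                    else { 'no-timestamp' }

            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status
                SignerExpires = $signer.NotAfter
                DaysLeft      = $daysLeft
                Timestamped   = [bool]$tsa
                TsaSubject    = if ($tsa) { $tsa.Subject } else { $null }
                # Signature algorithm on the TSA certificate: a hint about the
                # chain (SHA1 vs SHA256), not the timestamp digest itself.
                TsaCertSigAlg = if ($tsa) { $tsa.SignatureAlgorithm.FriendlyName } else { $null }
                Risk          = $risk
            }
        }
}

Get-TimestampAudit -Folder $Path -WarnDays $WarnDays |
    Sort-Object DaysLeft |
    Format-Table File, Status, SignerExpires, Timestamped, TsaCertSigAlg, Risk -AutoSize
```

Any file reported as `no-timestamp` should be re-signed with a timestamp server URL while the signing certificate is still valid.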