
How to verify the validity of our Certification Authority's certificate

Once you've downloaded our certificate, and before importing it, you should verify that it is really valid. This ensures that you won't trust a certificate that may have been served to you by someone acting as a Man-In-The-Middle between you and our server (for example, any government agency wanting to snoop on your communications).

There are a couple of options for verification:


We now have a cryptographically sound method to assure the validity of the certificate you downloaded. This uses the DNSSEC protocol and the DANE extension. You will obtain the SHA256 fingerprint of our certificate via DNSSEC, which validates any query and ensures any response is not rogue.

DNSSEC relies on a trusted local resolver to enforce signature verification on the replies. Have a look at the DNSSEC page for instructions on how to set up one. For now, we'll assume that the trusted resolver is running on localhost.

Verify the certificate under Linux/Mac OS X

To perform the validation under Linux you will need the openssl and dig utilities, typically found in the packages openssl and dnsutils; under OS X those utilities are pre-installed.

Once you've downloaded our CA certificate, open a terminal and get the fingerprint of the certificate you downloaded by typing the following:

 openssl x509 -in ~/Downloads/ca.crt -fingerprint -sha256 -noout | \
         cut -d= -f2 | tr -d :

where you should substitute ~/Downloads/ca.crt with the path of the CA certificate you just downloaded. Now perform a DNSSEC query to obtain the SHA256 fingerprint of the certificate from an independent, verified source. If you have a fairly recent version of the dig program (at least 9.8.3), run the following command:

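 # localhost is the trusted resolver assumed above; any certificate usage (0-3) is accepted
 dig +short +dnssec tlsa _443._tcp.autistici.org @localhost | awk '/^[0-3] / {print $4 $5}'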

On older versions of dig, use this command instead:

 dig +short +dnssec type52 _443._tcp.autistici.org @localhost | \
         awk '$2==35 {print $3, $4}' | cut -c7- | tr -d ' '

If the outputs of the two commands (openssl and dig) coincide, the certificate you downloaded is valid, and you can proceed to install it.
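The same comparison as a script, as an added example that is not part of the original page: it keeps dig's header instead of using `+short`, so it can refuse an answer that lacks the `ad` (authenticated data) flag, and it only accepts TLSA records with selector 0 and matching type 1, which is what a SHA256 fingerprint of the whole certificate corresponds to. `RESOLVER`, the function names and the header, owner name and TTL of the sample answer are assumptions; only the TLSA data in the sample is the example record shown on this page.

```sh
#!/bin/sh
# Added example (not from the original page). RESOLVER and all function
# names are assumptions; the resolver must be a validating one you trust.
RESOLVER="${RESOLVER:-localhost}"

# stdin: output of `openssl x509 -fingerprint -sha256 -noout`
normalize_fp() {
    cut -d= -f2 | tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# stdin: full dig output (no +short, so the header is present)
# stdout: digest of every "x 0 1" TLSA record (full cert, SHA-256)
# exit 2: header lacks the "ad" flag; exit 3: no usable record
tlsa_digest() {
    awk '
        /^;; flags:/ {
            f = $0; sub(/^;; flags:/, "", f); sub(/;.*/, "", f)
            n = split(f, flag, " ")
            for (i = 1; i <= n; i++) if (flag[i] == "ad") ad = 1
        }
        $3 == "IN" && $4 == "TLSA" && $6 == 0 && $7 == 1 {
            d = ""; for (i = 8; i <= NF; i++) d = d $i
            out = out toupper(d) "\n"
        }
        END {
            if (!ad) exit 2
            if (out == "") exit 3
            printf "%s", out
        }'
}

# Constructed sample answer; only the TLSA RDATA is the page's example.
sample_answer() {
    cat <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
_443._tcp.autistici.org. 9600 IN TLSA 2 0 1 0620D0EA76805CACE2D7B8A8C1DEEBA67332D252A4F3F71165FD83B6 9DADDBD5
EOF
}

# verify_ca /path/to/ca.crt -> exit 0 only on an authenticated match
verify_ca() {
    want=$(dig +dnssec tlsa _443._tcp.autistici.org "@$RESOLVER" | tlsa_digest) ||
        { echo "no DNSSEC-authenticated TLSA answer" >&2; return 1; }
    have=$(openssl x509 -in "$1" -fingerprint -sha256 -noout | normalize_fp)
    [ -n "$have" ] && printf '%s\n' "$want" | grep -qxF "$have"
}

if [ "$#" -gt 0 ]; then verify_ca "$1"; fi
```

Run it with the path of the downloaded certificate as its only argument; an exit status of 0 means the fingerprint matched a DNSSEC-authenticated record.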

Verify the certificate under Windows

First of all, you need to install Win32Openssl, a suite of free software tools for managing certificates, and dig, an open source tool that allows you to perform DNS queries.

Once you've installed the software, open a command line prompt and type the following, from the bin directory of your openssl installation:

  openssl.exe x509 -in C:\ca.crt -fingerprint -sha256 -noout

where you should substitute C:\ca.crt with the path of the certificate you downloaded. Save the output of the command. Then perform the DNSSEC query using the dig command (again, type this in a terminal from the location where you installed dig):

  dig.exe +short +dnssec tlsa _443._tcp.autistici.org @localhost

The output of the command will look like this:

  2 0 1 0620D0EA76805CACE2D7B8A8C1DEEBA67332D252A4F3F71165FD83B6 9DADDBD5
  TLSA 7 4 9600 20130805044630 20130706044630 24242 autistici.org. ...

Take the fourth and the fifth column of the first line of output and join them together (in the example, 0620D0EA76805CACE2D7B8A8C1DEEBA67332D252A4F3F71165FD83B69DADDBD5). This sequence should be equal to the output of the preceding command once you eliminate the colons from it. If this is the case, you've downloaded a valid certificate and you can proceed to install it.


Another alternative is to verify the CA certificate directly using PGP. If somehow you manage to establish trust with the PGP key for info@autistici.org, you can download the signature for the CA certificate file (ca.crt) here:


To verify it using gpg:

  gpg --verify ca.crt.sig ca.crt

If you get this warning:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

The reason is that you have not set any trust on our key. You can ignore this warning, or read more in the gpg manual: https://www.gnupg.org/gph/en/manual.html#AEN346
