How to verify the authenticity of our Certification Authority's certificate
Once you have downloaded our certificate, and before you import it, you should verify that the file you downloaded is really the genuine one. This ensures that you won't trust a certificate that may have been served to you by someone acting as a Man-In-The-Middle between you and our server (for example, any government agency wanting to snoop on your communications).
We have signed our CA certificate with our PGP key, so that you can verify that it is indeed the right certificate.
The rest of this page assumes that you've already downloaded the CA certificate to a file named ca.crt.
Verify CA authenticity with PGP
First of all, you should obtain the current PGP key for firstname.lastname@example.org:
$ gpg --recv E30D5650109E53532104B879DA733D59D98DA9CE
(or, alternatively, it can be downloaded from here).
You should establish trust in this key using GPG's own mechanisms, which we won't discuss here (plenty of documentation on the subject is already available online).
Once you trust the PGP key for email@example.com, you can download the signature for the CA certificate file here.
You can finally verify that the certificate you downloaded matches the signature with this command:
$ gpg --verify ca.crt.sig ca.crt
If you get this warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
it means that you have not yet assigned trust to our key in your keyring. You can ignore this warning, or read more about it in the gpg manual: https://www.gnupg.org/gph/en/manual.html#AEN346
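The trust warning above only says that your keyring has no web-of-trust path to our key; what still matters is that gpg reports a valid signature made by the key with the fingerprint given above. The script below is an added example, not part of this page, that reads gpg's machine-readable status output (gpg --status-fd) and accepts ca.crt only when a VALIDSIG line names that fingerprint, regardless of the TRUST_UNDEFINED warning; the sample status text in it is constructed for illustration, and the file names ca.crt and ca.crt.sig are those used on this page.

```python
"""Accept ca.crt only if gpg reports a valid signature by the expected key."""
import subprocess

# Fingerprint of the CA signing key, as given on this page (hex, no spaces).
EXPECTED_FPR = "E30D5650109E53532104B879DA733D59D98DA9CE"

# Constructed sample of gpg --status-fd output for a good signature whose key
# has no trust assigned (the TRUST_UNDEFINED line is the warning discussed above).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG DA733D59D98DA9CE Example CA <email@example.com>\n"
    "[GNUPG:] VALIDSIG E30D5650109E53532104B879DA733D59D98DA9CE 2015-01-01 "
    "1420070400 0 4 0 1 10 00 E30D5650109E53532104B879DA733D59D98DA9CE\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def signature_ok(status_output: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Return True only if a VALIDSIG line names expected_fpr and no error line appears.

    Status lines look like: "[GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-fpr>".
    The signing key may be a subkey, so both the signing-key and primary-key
    fingerprints on the line are compared against the expected one.
    """
    want = expected_fpr.upper()
    seen = set()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
            return False  # any of these means the file must not be trusted
        if keyword == "VALIDSIG" and len(fields) > 2:
            seen.add(fields[2].upper())   # signing key fingerprint
            seen.add(fields[-1].upper())  # primary key fingerprint, when present
    return want in seen


def verify_file(sig_path: str, data_path: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg --verify and decide from its status lines; the exit code alone does
    not tell you which key made the signature."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return signature_ok(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print("sample status accepted:", signature_ok(SAMPLE_STATUS))
    print("ca.crt ok:", verify_file("ca.crt.sig", "ca.crt"))
```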