1. About us
  2. Services
  3. Help
  4. Howtos
  5. Friends
  6. Donate
  7. ||
  8. it
  9. en
  10. es
  11. de
  12. fr
  13. pt
  14. cat
My Account Login

How to verify the authenticity of our Certification Authority's certificate

If you're using Windows and don't know how to do this, click here.

Before importing our certificate once you've downloaded it, you should verify that the certificate you downloaded is really valid. This ensures that you won't trust a certificate that may have been served to you from someone acting as a Man-In-The-Middle between you and our server (for example, any government agency wanting to snoop your communications).

We have signed our CA certificate with our PGP key, so that you can verify that it is indeed the right certificate.
You must have a copy of GnuPG installed, which can be obtained from www.gnupg.org, in the Binary Releases section.

The rest of this page assumes that you've already downloaded the CA certificate to a file named ca.crt.

Verify CA authenticity with PGP

First of all, you should obtain the current PGP key for info@autistici.org:

$ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv E30D5650109E53532104B879DA733D59D98DA9CE

(or, alternatively, it can be downloaded from here).

You should manage to establish trust with this key using GPG's mechanisms, which we won't discuss here (plenty of documentation is already available online on this subject).

Once you trust the PGP key for info@autistici.org, you can download the signature for the CA certificate file here:


You can finally verify that the certificate you downloaded matches the signature with this command:

  gpg --verify ca.crt.sig ca.crt

If you get this warning:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

The reason is related to the trust you have not set on our key, you can ignore this warning, or read more in the gpg manual: (https://www.gnupg.org/gph/en/manual.html#AEN346)

Verify A/I's CA on Windows

In order to verify Autistici/Inventati's CA on Windows, the first thing you need to do is install GPG4Win, which you can download here.
Once you have installed GPG4Win, open the command prompt. This procedure varies according to the version of Windows you are using, but often you just need to click the Start button and to type cmd in the search box.
cmd win
Using the command prompt, download info@autistici.org's GPG key with the command:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv E30D5650109E53532104B879DA733D59D98DA9CE

scarica chiave
Check the fingerprint of the key with the command:
gpg --fingerprint D98DA9CE
You should get this output:
pub   4096R/D98DA9CE 2012-12-13 [scadenza: 2017-12-12]
Impronta digitale della chiave = E30D 5650 109E 5353 2104  B879 DA73 3D59 D98D A9CE
uid Autistici / Inventati Staff (www.autistici.org / www.inventati.org) 
sub   4096R/8FFE61D6 2012-12-13 [scadenza: 2017-12-12]
sub   2048R/CBE90CAD 2013-06-05
If the fingerprint matches, you can verify the CA.
verifica fingerprint
Assuming that you have downloaded both the certificate (ca.crt) and the signature (ca.crt.sig) in the Downloads folder, type this command:
cd Downloads
Now you are inside the directory where you saved the certificate and the signature and you can verify the integrity of the certificate by typing:
gpg --verify ca.crt.sig ca.crt
If the output contains the phrase "Good Signature", and if you don't see any errors, you have the right certificate and can install it.
verifica fingerprint
Don't worry if you see this warning:
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

You are receiving it because you haven't set trust on our key. You can ignore it, or read more in the gpg manual: (https://www.gnupg.org/gph/en/manual.html#AEN346)

Certificate fingerprints

Fingerprint verification of the certificates presented by individual services isn't particularly safe if it is the only source of trust (also, you're probably reading this page over http or untrusted https). Also, note that service certificates change often and without warning.

However, we provide a page that lists all the fingerprints anyway, should you want to verify them.