What is a Certificate Authority?

On the internet, a certificate is needed in order to verify the identity of people or computers, and to establish secure connections to services so that nobody can listen in on your connection. All riseup.net services require secure connections and thus use certificates to verify the identity of the server.

For a certificate to be considered valid, it must be blessed by a private corporation that acts as a Certificate Authority. This centralized authority model has troubling social and political ramifications, especially when we rely on it for security. Some day, we hope that alternative, non-hierarchical models will replace this flawed system.

Until then, Riseup has purchased certificates from a commercial certificate authority that is recognized by your web browser, mail client, or chat client. These certificates will work seamlessly without any further action on your part.

However, some riseup.net services, like the RiseupVPN, use certificates that are blessed by our own certificate authority. This page is for people who need to download and install this Riseup Certificate Authority.

Download the Riseup CA certificate

Every CA (certificate authority) has a file that is distributed publicly. This file, called a “CA certificate”, is used by your local program to confirm the identity of servers you connect with.

Download the Riseup CA certificate:

Every OpenVPN client requires this file.

Verify the Riseup CA certificate (optional)

This verification process is not required in order to use the Riseup CA certificate. However, without verification, you cannot be certain you have downloaded the correct certificate, and you cannot be certain that your connections are secure.

Be warned: this verification process is difficult, requires an understanding of OpenPGP, and ultimately depends on knowing someone who has trusted riseup.net’s public OpenPGP key.

In brief, the steps are:

  1. Download the RiseupCA.pem file (see above).
  2. Import Riseup’s public PGP key.
  3. Verify that the instructions on this page have been signed by Riseup’s PGP key.
  4. Calculate the fingerprint of RiseupCA.pem.
  5. Compare the fingerprint you calculated with the fingerprint listed, and signed, on this page.

import Riseup’s public PGP key

On the command line:

$ gpg --keyserver keys.mayfirst.org --recv-key 139A768E

There is no particular reason that you should trust this key. You can see who has signed it, and thereby vouched for it:

$ gpg --list-sigs 139A768E

verify these instructions

Now that you have imported Riseup’s public key, you can verify that the fingerprints listed on this page are really from riseup.net.

  1. Copy this text:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    RiseupCA.pem SHA1 Sum: d6b93ab1d0898f845c725550eebe51f281d44096
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)
    
    iQIcBAEBCgAGBQJNMyZmAAoJEDBD4rcTmnaOVdYP/1kZv0AvZ5Q1c5hGy3jo5oat
    008XOERZ0FgEAjtADM1t2u8NaiWooJ4AQPR0vNNgfVoHI5yBJHb/TZuDRiTL6K0Q
    Q2Bwu50t2vUO8+yF+S1uEgpKXGTVtWmZwjvsmPDiafFCXtvrDZ1yySvHwgLdzIA+
    GxM0f+F7Q9qCRe6k3tqKB+DFhalz4Yp/FAtHM+vg9ZBcDlWYh5+l0V4BK+VVn2c0
    UjXrEyik4MeAeJsHw7f3vENUqxDW1eQXrfrtdwcaja4WXL9BxKZJVtaLNGK4QsnD
    7XaP1GzsBkuCaK8y01nd5HD8rHL+WzAKqG/ggnTEe9JxtaxLw0xnFW+2vs5ZRsdD
    0tb/ShiHKkBYGR8Qs3VcBLnkSxJqfSYVftOCdkgr2JIrAJT4YaZu51tLNSY9nE6V
    aYNKHvQGsWNWSkeYaMQMjU8pXzsuvMY58hju3IbGtl+pHYYLppJX0DFZAxEH1eFo
    jPHNM14jDdg3usipa5YgTJ1YRqIKbn3GuBmPFdIRj/xEKYdmgvByL2/S7zxfVLK3
    JE7QnirN1WY/Ixu7SUpxGmzjG0BqQ0qLhG2JFsPt2cWlYy7cZuS/vIrGgX1SDQC9
    qlm8huQIZ3pHTSPq7qv6cAvI/JbqYDucqLPNIPx0fB98uJ7Eu1EnYo+V0F9ZZLYU
    FksVQEBNWJjdflsR0HyN
    =M6xp
    -----END PGP SIGNATURE-----
    
  2. Then run this command:
    gpg --verify
  3. Paste the text you copied
  4. Type control-d
  5. You should get output that says:
    gpg: Good signature from "Riseup Networks <collective@riseup.net>"

You should make sure that it says “Good signature” in the output! If it does not, the signed text has been altered, and the information in it should not be trusted.

Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

However, you still should see the “Good signature”.

calculate the fingerprint of RiseupCA.pem

Open a terminal and use sha1sum:

$ sha1sum RiseupCA.pem

compare the fingerprints

Now that you have calculated the fingerprint or sha1sum of RiseupCA.pem, you can compare this value to the value signed by Riseup and listed on this page.

If the values match, and you trust the Riseup public PGP key, then you can be confident you are really communicating with riseup.net servers when using an application that uses RiseupCA.pem.
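The steps above, scripted end to end, as an added example that is not part of the original page or of Riseup’s own tooling. It assumes gpg and sha1sum are on your PATH, that you have already imported Riseup’s key with the --recv-key command above, and that you saved the signed text from this page to a file. Instead of reading the sum off the screen, it pulls the “RiseupCA.pem SHA1 Sum:” line out of the signed message only after gpg has reported a good signature, computes sha1sum of the downloaded file, and compares the two; the function names (signed_sum, file_sum, sums_match, verify_ca) are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the Riseup page. Checks a downloaded CA file
# against the SHA1 sum carried in a PGP clearsigned message.
# Assumes: gpg and sha1sum on PATH; Riseup's key already imported;
# the signed text from the page saved to a file.

# Print the 40-hex-digit sum from a "RiseupCA.pem SHA1 Sum: <hex>" line in
# the given file (lower-cased). Prints nothing if no such line exists.
signed_sum() {
    sed -n 's/^[[:space:]]*RiseupCA\.pem SHA1 Sum:[[:space:]]*\([0-9A-Fa-f]\{40\}\).*/\1/p' "$1" \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Print only the hex digest of the given file.
file_sum() {
    sha1sum "$1" | awk '{print $1}'
}

# Exit 0 when both sums are present and identical, 1 otherwise.
# An empty expected value must never count as a match.
sums_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Full check in the page's order: trust the listed sum only if gpg exits 0
# AND prints "Good signature" (the "not certified" WARNING is allowed,
# exactly as the page says).
# Usage: verify_ca RiseupCA.pem signed-message.txt
verify_ca() {
    pem="$1"; msg="$2"
    if ! out=$(gpg --verify "$msg" 2>&1); then
        echo "gpg could not verify $msg; do not trust the listed sum" >&2
        return 2
    fi
    case "$out" in
        *"Good signature"*) ;;
        *) echo "no 'Good signature' for $msg; do not trust the listed sum" >&2
           return 2 ;;
    esac
    expected=$(signed_sum "$msg")
    actual=$(file_sum "$pem")
    if sums_match "$actual" "$expected"; then
        echo "OK: $pem matches the signed SHA1 sum $expected"
        return 0
    fi
    echo "MISMATCH: $pem has $actual, signed message lists $expected" >&2
    return 1
}
```

Run it as `verify_ca RiseupCA.pem signed-message.txt` and act on the exit status: 0 means both the signature and the sum checked out, 1 means the file you downloaded is not the one Riseup signed, 2 means the signed text itself failed to verify and nothing in it should be relied on. Note that the page’s signed message carries a SHA-1 sum; comparing it still proves you hold the file Riseup signed, but the comparison is only as strong as your trust path to Riseup’s PGP key, which is why the --list-sigs step matters.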