Riseup Certificate Authority

Riseup.net's Certificate Authority

What is a Certificate Authority?

On the internet, a certificate is needed in order to verify the identity of people or computers, and to establish secure connections to services to keep people from listening in your connection. All riseup.net services require secure connections and thus use certificates to verify the identity of the server.

For a certificate to be considered valid, it must be blessed by a private corporation that acts as a Certificate Authority. This centralized authority model has troubling social and political ramifications, especially when we rely on it for security. Some day, we hope that alternative, non-hierarchical models will replace this flawed system.

Until then, Riseup has purchased certificates from a commercial certificate authority that is recognized by your web browser, mail client, or chat client. These certificates will work seamlessly without any further action on your part.

However, some riseup.net services, like the RiseupVPN, use certificates that are blessed by our own certificate authority. This page is for people who need to download and install this Riseup Certificate Authority.

Download the Riseup CA certificate

Every CA (certificate authority) has a file that is distributed publicly. This file, called a “CA certificate”, is used by your local program to confirm the identity of servers you connect with.

Download the Riseup CA certificate:

Every OpenVPN client requires this file.

Verify the Riseup CA certificate (optional)

This verification process is not required in order to use the Riseup CA certificate. However, without verification, you cannot be certain you have downloaded the correct certificate, and you cannot be certain that your connections are secure.

Be warned: this verification process is difficult, requires an understanding of OpenPGP, and ultimately depends on knowing someone who has trusted riseup.net’s public OpenPGP key.

In brief, the steps are:

  1. Download the RiseupCA.pem file (see above).
  2. Import Riseup’s public PGP key.
  3. Verify that the instructions on this page have been signed by Riseup’s PGP key.
  4. Calculate the fingerprint of RiseupCA.pem.
  5. Compare the fingerprint you calculated with the fingerprint listed, and signed, on this page.

import Riseup’s public PGP key

On the command line:

$ gpg --keyserver keys.mayfirst.org --recv-key 139A768E

There is no particular reason that you should trust this key. You can see who has trusted it:

$ gpg --list-sigs 139A768E

verify these instructions

Now that you have imported Riseup’s public key, you can verify that the fingerprints listed on this page are really from riseup.net.

  1. Copy this text:
    Hash: SHA512
    RiseupCA.pem SHA1 Sum: d6b93ab1d0898f845c725550eebe51f281d44096
    Version: GnuPG v1.4.10 (GNU/Linux)
    -----END PGP SIGNATURE-----
  2. Then run this command:
    gpg --verify
  3. Paste the text you copied
  4. Type control-d
  5. You should get output that says:
    gpg: Good signature from "Riseup Networks <collective@riseup.net>"

You should make sure that it says “Good signature” in the output! If this text has been altered, then this information should not be trusted.

Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

However, you should still see “Good signature”.

calculate the fingerprint of RiseupCA.pem

Open a terminal and use sha1sum:

$ sha1sum RiseupCA.pem

compare the fingerprints

Now that you have calculated the fingerprint or sha1sum of RiseupCA.pem, you can compare this value to the value signed by Riseup and listed on this page.

If the values match, and you trust the Riseup public PGP key, then you can be confident you are really communicating with riseup.net servers when using an application that uses RiseupCA.pem.
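As an added example (not code from the Riseup page), the following Python script carries out the last two steps above: it pulls the signed SHA1 sum out of the clearsigned statement, computes the same value `sha1sum RiseupCA.pem` prints, and compares the two in constant time. The embedded statement is a constructed stand-in with the signature block omitted; the `gpg_signature_is_good` helper assumes `gpg` is installed and the 139A768E key has been imported, and is only meaningful once you paste the complete signed text from the page in place of the stand-in.

```python
"""Check a downloaded RiseupCA.pem against Riseup's signed SHA1 fingerprint."""
import hashlib
import hmac
import re
import subprocess

# Constructed stand-in for the clearsigned statement on the page; the real one
# carries a full PGP signature block. Replace it with the text copied from the page.
SIGNED_STATEMENT = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

RiseupCA.pem SHA1 Sum: d6b93ab1d0898f845c725550eebe51f281d44096
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

(signature body omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

FINGERPRINT_RE = re.compile(r"^RiseupCA\.pem SHA1 Sum:\s*([0-9a-fA-F]{40})\s*$", re.M)


def signed_fingerprint(statement: str) -> str:
    """Extract the 40-hex-digit SHA1 sum from the signed text; fail loudly if absent."""
    match = FINGERPRINT_RE.search(statement)
    if match is None:
        raise ValueError("no 'RiseupCA.pem SHA1 Sum' line found in signed statement")
    return match.group(1).lower()


def file_fingerprint(pem_bytes: bytes) -> str:
    """Hex SHA1 of the raw file bytes, i.e. what `sha1sum RiseupCA.pem` prints."""
    return hashlib.sha1(pem_bytes).hexdigest()


def fingerprints_match(expected: str, actual: str) -> bool:
    """Constant-time comparison after normalising case and surrounding whitespace."""
    return hmac.compare_digest(expected.strip().lower(), actual.strip().lower())


def gpg_signature_is_good(statement: str) -> bool:
    """Feed the statement to `gpg --verify` on stdin, as the page's step 2-4 do,
    and accept only a 'Good signature' result (gpg reports this on stderr)."""
    proc = subprocess.run(["gpg", "--verify"], input=statement.encode(), capture_output=True)
    return proc.returncode == 0 and b"Good signature" in proc.stderr


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:          # path to the downloaded RiseupCA.pem
        pem = fh.read()
    print("signature:", "Good" if gpg_signature_is_good(SIGNED_STATEMENT) else "NOT verified")
    print("fingerprint:", "match" if fingerprints_match(
        signed_fingerprint(SIGNED_STATEMENT), file_fingerprint(pem)) else "MISMATCH")
```

Trust the result only when both lines read "Good" and "match": a matching SHA1 sum against an unverified statement proves nothing, since an attacker who swapped the file could just as easily have swapped the text.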