To avoid, that members are greeted by a warning of the used web browser, that the CA certificate is not trusted - contradicting the name of the service - all server certificates are issued by TERENA's SSL CA. Below we provide the information of the CA certificates, fingerprint information and references to revocation lists and OCSP responder.

The Trusted Introducer service operates a private certification authority to supply members of TI accredited and certified teams with X.509 user certificates. These are instrumental to restrict the access for members-only systems like mailing lists or this web server. The user private keys and certificates are created and send to the team representatives for secure distribution including the initial pass phrase protecting the private key GPG/PGP encrypted.

In November 2013 a new, streamlined certification authority was set up with a single new root certificate protected by a FIPS 140-3 HSM hardware module. The new CA will completely replace the old CA at the end of March 2014. Until than both CA's are active and all services are available for users with client certificates of either one.

As GPG/PGP is used for some protection mechanisms - signing CSV files or sending requests to the RIPE NCC for the IRT objects - information about the TI Master Signing key is included here as well to be complete, also it is technically a different solution independent from the standardized X.509 mechanisms used in traditionally PKI settings.

Private TI PKI

CA-Certificates

Here are the links to the certificates of the old Trusted Introducer (TI) certification authority:

  • X.509 Root/Top Level Certification Authority, Generation G1
    • Fingerprint SHA1: EA:A7:20:A6:9A:F4:4A:73:25:42:26:6C:3F:BC:E9:09:45:3B:46:74
    • Certificate as DER file and as plain PEM file
  • X.509 Server Certification Authority, Generation G1.1
    • Fingerprint SHA1: 36:1F:59:53:4B:B9:80:29:24:1C:63:B1:70:EA:12:2A:A9:CE:30:CD
    • Certificate as DER file and as plain PEM file
  • X.509 Client Certification Authority, Generation G.1.1
    • Fingerprint SHA1: 87:30:E6:B0:3D:7D:99:F3:5B:36:95:33:37:55:31:81:E2:EB:5B:50
    • Certificate as DER file and as plain PEM file

Here are the links to the certificates of the new, streamlined Trusted Introducer (TI) certification authority:

  • X.509 Trusted Introducer (TI) Client Certification Authority, Generation G001
    • Fingerprint SHA1: A0:C3:E0:2C:55:86:EA:41:3A:0F:5B:B0:4D:19:00:0E:0C:D4:8F:C5
    • Certificate as DER file and as plain PEM file

CA-CRLs

Here are the links to the Certificate Revocation Lists (CRLs) of the Trusted Introducer (TI) certification authority:

  • X.509 Root/Top Level Certification Authority, Generation G1
    • CRL as DER file for import in your browser.
  • X.509 Server Certification Authority, Generation G1.1
    • CRL as DER file for import in your browser.
  • X.509 Client Certification Authority, Generation G.1.1
    • CRL as DER file for import in your browser.

TERENA SSL CA

CA Certificates

Here is the link to the certificates of the TERENA SSL CA:

CA CRLs

Here is the link to the Certificate Revocation Lists (CRLs) of the TERENA SSL Certification Authority:

  • CRL as DER file for import in your browser.

OCSP

An OCSP responder is available also at:

TI GPG/PGP Master Signing Key

he TI Team uses several GPG/PGP keys, whenever authenticity is essential. The key used to sign all of them is called "Master Signing" key! You can download it from well known public PGP keyservers:

User ID:           Trusted Introducer (TI) ** MASTER SIGNING ** key
Key ID: 0x23E69569
Key type: DSA and Elgamal
Key size: 1024D/4064g
Fingerprint: 936E 9E25 DC6F 8E53 E392 07B4 D772 5B61 23E6 9569