To avoid, that members are greeted by a warning of the used web browser, that the CA certificate is not trusted - contradicting the name of the service - all server certificates are issued by the GEANT SSL CA. Below we provide the information of the CA certificates, fingerprint information and references to revocation lists and OCSP responder.

The Trusted Introducer service operates a private certification authority to supply members of TI accredited and certified teams with X.509 user certificates. These are instrumental to restrict the access for members-only systems like mailing lists or this web server. The user private keys and certificates are created and send to the team representatives for secure distribution including the initial pass phrase protecting the private key GPG/PGP encrypted.

In November 2013 a new, streamlined certification authority was set up with a single new root certificate protected by a FIPS 140-3 HSM hardware module. The new CA will completely replace the old CA at the end of March 2014. Until than both CA's are active and all services are available for users with client certificates of either one.

As GPG/PGP is used for some protection mechanisms - signing CSV files or sending requests to the RIPE NCC for the IRT objects - information about the TI Master Signing key is included here as well to be complete, also it is technically a different solution independent from the standardized X.509 mechanisms used in traditionally PKI settings.

Private TI PKI


Here is the link to the certificate of the new, streamlined Trusted Introducer (TI) certification authority, which has fully replaced the older PKI root setup:

  • X.509 Trusted Introducer (TI) Client CA - G001
    • Fingerprint SHA1: A0:C3:E0:2C:55:86:EA:41:3A:0F:5B:B0:4D:19:00:0E:0C:D4:8F:C5
    • Certificate as DER file and as plain PEM file

As all server certificates are provided by the TERENA SSL CA, no CRL information is necessary.


Keep in mind, that the transition of TERENA and DANTE into the new GEANT is still under way and will take some time to change all technical references to

CA Certificates

Here is the link to the certificates of the SSL CA:


Here is the link to the Certificate Revocation Lists (CRLs) of the SSL Certification Authority:

  • CRL as DER file for import in your browser.


An OCSP responder is available also at:

TI GPG/PGP Master Signing Key

he TI Team uses several GPG/PGP keys, whenever authenticity is essential. The key used to sign all of them is called "Master Signing" key! You can download it from well known public PGP keyservers:

User ID:           Trusted Introducer (TI) ** MASTER SIGNING ** key
Key ID: 0x5FB13822
Key type: RSA
Key size: 4064R
Fingerprint: 681B 2BED 38C2 1D78 9B47  113B 77DC 5D91 5FB1 3822

The above PGP key replaces the old one:

User ID: Trusted Introducer (TI) ** MASTER SIGNING ** key
Key ID: 0x23E69569
Key type: DSA and Elgamal
Key size: 1024D/4064g
Fingerprint: 936E 9E25 DC6F 8E53 E392 07B4 D772 5B61 23E6 9569