The SSL/TLS Certificate Authority

(skip straight to the certificate)


The CA no longer issues certificates, owing to the overhead and free alternatives such as CACert being more widely established these days. The rest of this page is here only for historical interest.

This page exists to describe what the CA is, why it exists, and how to make use of it. The rest of this introduction can be skipped if you are familiar with the concepts of PKI.

So, why would you want to use this?

In order to make use of encrypted (that is resistant to spying and modification) and authenticatable (that is, that you can have some confidence in who you are really talking to) connection between machines on the internet (for example, your computer and a web server) a mechanism for exhanging information about trust is needed. This can be accomplished in several ways, but by far the most common way on the Internet is SSL (more recently named TLS). The rest of this introduction is a simple description of SSL and how it is implemented as far as the user is concerned. It is not a thorough discussion of the technology.

To make a successful and useful SSL connection to a web site, you need to be able to verify that the information coming from the server really originates from that server, and has not been modified en route. To do this, you need to be able to cryptographically verify the server certificate using a CA certificate you already have and trust. Usually, the server operator pays a fee to a "well known" certificate authority in order to have his server certificate signed; for servers this generally involves checking that the person to whom they issue the certificate is authorised to be using the server in question. Well known in this instance means that your browser will have shipped with the CA certificate. Some major players are Verisign, Thawte and GlobalSign. You can generally find out what CAs your browser has installed by looking through the preferences file; Galeon has them at Settings -> Preferences -> Advanced -> Security -> Manage certificates -> Authorities.

There are flaws with the concept of the well-known providers which you may have already spotted. The most obvious is the requirement to pay a (usually fairly hefty, and renewable) sum to a CA for a certificate, which may not be possible for non-profit/personal sites, but the other is potentially far more important; the CA certificates that came with your browser have not been authenticated as belonging to the authorities in question; they were downloaded from, typically the vendor's web site, or pre-installed on your computer, or installed from a CD-ROM, providing many avenues for the certificates to be subverted. Also, we cannot be sure of the exact procedure to be followed within each of those organisations, so it is difficult to make a judgement as to whether we trust them to make a good decision when they sign the site's certificate.

All of this means it is desirable to have "alternative" CAs, and the CA is one such. It cannot solve all these problems once and for all, but does solve some of them for some people. Whether it is valuable to you depends on whether you are able to meet one of the CA admins in person to exchange a fingerprint, are willing to accept the CA without fingerprint verification, or have a PGP trust path to our PGP keys already. The rest of this page explains how to use the CA.

Installing the CA certificate

So, with all that rambling aside, how do we make use of this?

You'll want to grab one or more of (but read on before you click!):

To start the installation process into your browser all you have to do at a basic level is click on that first link, and follow the prompts in your browser. However, if you want this to do this properly, verify the fingerprint. Find where in your browser it tells you the fingerprint before accepting the key, then verify the fingerprint by either using the PGP-signed fingerprints above or some other out of band method. Indeed, to properly verify the PGP-signed stuff you already need a trust path to Jonathan (but then, since you attend key-signing events obsessively, this isn't a problem, right? :)

Once the CA has been installed into your browser, try visiting to make sure that it has been installed correctly. You should not be prompted with any security warning messages (aside from standard ones that tell you you are entering a secure site, if enabled).

Our signing policy

In the first instance, we will not sign a certificate without having personal knowledge of the person requesting it. Once we've worked out the details this may be extended.

Certificates we've signed

The CA is no longer issuing certificates and all issued certificates have now expired. This page is here only for historical interest.


Q: Who are you? Why should I trust you?
A: We're a bunch of geeks. There's no particular reason that you should trust us without knowing us. It's your call. Presumably, though, the person who runs the service that we signed a certificate for trusts us, though.

Q: Why bother? Your root cert isn't in any browsers anyway.
A: Yes, but we see most usage as being in situations when the cost of a "proper" SSL certificate can't be justified. Rather than end up with everybody doing their own self-signing we thought it might be better to have a single root certificate that we could all be signed with.

Q: Will you sign my cert?
A: We'll certainly consider it. We'll only sign certs we can verify the authority of, and at present that means people we know. If you think you fall into this category you should send a PGP-signed CSR to ca _at_ Of course you should ensure we have a short trust path to the key you use to sign the CSR.

Still to come

This document still needs information on:

More resources

This is only a very brief look into the world of PKI/SSL/TLS etc. There is lots of stuff out there on the web; here are some links:

This page is written by Dominic Hargreaves. Feedback and questions should be directed to "ca" at the domain this web page resides in (

© 2003-2009 Dominic Hargreaves and the CA. Portions of this document may be reproduced by agreement.