Squick CA and Server Fingerprints

What's all this, then?

On April 24, 2016, Digi created a network certificate authority to handle Squick's SSL certificates, allowing for better standardization and end user verification of their connection's security.

Due to quirky client support for decentralized roots, though, and the security risks imposed by trusting Squick's root certificate on a visitor's whole OS, this system was phased out on March 11, 2017.

From here on out, Let's Encrypt certificates will be used for Squick's servers. This page now serves as a transition article you can refer to in order to verify any old certificates in use while this rollout occurs.

Server Certificates and Fingerprints

To verify whether a server is using the correct credentials before you connect your client to it, assuming your client does not display SHA-256 fingerprints, you can perform this trick if you're on Linux:

openssl s_client -connect SOMESERVER.squick.me:6697 < /dev/null 2>/dev/null | openssl x509 -sha256 -fingerprint -dates -noout

This test will also work on other platforms, assuming OpenSSL is installed, and you know how to edit the command to suit your OS. (This command was lifted from Rizon's documentation. Thanks, Rizon!)
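
The same fingerprint check in Python, as an added example that is not part of the original page or of Squick's own tooling. It hashes the DER-encoded leaf certificate and compares it with a published SHA256 value without consulting any CA store. The function names are hypothetical and the sample certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys

# Optional label: the page's "SHA256: " or openssl's "SHA256 Fingerprint=".
_LABEL = re.compile(r"^\s*sha-?256(\s+fingerprint)?\s*[:=]\s*", re.IGNORECASE)


def normalize(fingerprint: str) -> str:
    """Reduce a labelled or bare fingerprint to 64 lowercase hex digits."""
    digits = re.sub(r"[:\s]", "", _LABEL.sub("", fingerprint)).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return digits


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of a certificate's fingerprint with the published one."""
    return hmac.compare_digest(normalize(der_fingerprint(der)), normalize(pinned))


def fetch_leaf_der(host: str, port: int = 6697, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate; send nothing else until the pin matches."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no CA is trusted here; the pin is the only check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"abc"
SAMPLE_PIN = "SHA256: " + der_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST "PUBLISHED SHA256 FINGERPRINT"
        ok = matches_pin(fetch_leaf_der(sys.argv[1]), sys.argv[2])
    else:
        ok = matches_pin(SAMPLE_DER, SAMPLE_PIN)
    print("fingerprint matches" if ok else "MISMATCH: do not connect")
    sys.exit(0 if ok else 1)
```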

All certs you check in this way should have the following certificate chain, unless they have already been migrated to Let's Encrypt:

0 s:/O=Squick/OU=IRC/CN=SOMESERVER.squick.me
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick IRC CA
1 s:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick IRC CA
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA
2 s:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA

Server: cheshire.squick.me
Old certificate's fingerprint:
  SHA256: F8:24:12:44:78:43:43:A7:31:C4:EE:64:5A:C3:E7:86:CB:0A:31:5D:0F:D0:0D:DC:75:44:BA:81:27:FB:71:A9
  SHA  1: 8F:C8:04:D2:17:80:C5:5D:BB:DD:49:A6:F0:A1:7C:14:23:5F:B9:F1
Old certificate's expiry (GMT): Apr 25 01:07:20 2017
Migration status: Complete - Using Let's Encrypt

Server: fenrir.squick.me
Old certificate's fingerprint:
  SHA256: 0B:2E:EB:8F:75:29:2A:EB:80:81:D7:1E:13:8D:BF:F5:66:6A:B3:A7:B8:30:07:E9:FA:7A:61:5E:3E:4F:FA:12
  SHA  1: 7D:C1:69:B9:60:1E:24:CA:1D:2E:A3:09:14:33:A5:B9:41:AB:27:91
Old certificate's expiry (GMT): Apr 24 03:52:15 2017
Migration status: Complete - Using Let's Encrypt

Server: nyx.squick.me
Old certificate's fingerprint:
  SHA256: 57:E1:14:37:90:80:E1:E0:D6:26:B8:7C:8A:AC:F9:6B:92:BB:25:91:7D:E8:23:E5:FB:A9:44:D4:32:A2:06:AD
  SHA  1: D1:F9:70:8C:8B:5D:6A:A3:6D:5D:0C:35:FD:A1:E5:F7:0B:52:D7:A4
Old certificate's expiry (GMT): Apr 24 04:22:57 2017
Migration status: Complete - Using Let's Encrypt

Server: possat.squick.me
Old certificate's fingerprint:
  SHA256: CB:38:78:8B:5A:69:4A:1B:ED:2C:98:59:93:ED:99:A6:D5:C8:EE:C0:64:53:99:B8:87:E5:F6:C6:03:55:C9:47
  SHA  1: 37:86:AB:3F:F3:77:1A:BA:8C:15:09:A7:20:CA:C0:4C:1E:09:2E:5E
Old certificate's expiry (GMT): Apr 29 19:05:33 2017
Migration status: Complete - Using Let's Encrypt

Server: ullr.squick.me
Old certificate's fingerprint:
  SHA256: 57:A7:AC:66:F4:71:73:21:AB:5D:85:99:D6:38:66:AC:9E:DA:C7:5B:B5:C8:57:5D:6C:B4:A6:39:EE:E8:2C:02
  SHA  1: 67:C7:BB:42:52:17:59:89:94:1B:4C:13:0B:4E:FB:AA:4D:5F:61:56
Old certificate's expiry (GMT): Apr 29 19:01:34 2017
Migration status: Complete - Using Let's Encrypt

CA/Root Certificate

The public certificate for our root CA is available here. Its fingerprint should be:

SHA256: 99:7D:5C:86:B6:4A:46:25:85:FD:30:78:14:15:F8:B2:97:B9:44:12:A0:D8:0D:D3:34:FA:77:F3:13:76:28:90
SHA  1: 5E:83:F7:E0:F4:F5:65:0D:00:C5:56:BD:FC:85:9F:50:B4:5C:DE:2A

Please do NOT add this certificate to your system's trusted certificate store. It is obsolete and will not be used for any purpose in the future.