Squick CA and Server Fingerprints

What's all this, then?

Since April 24, 2016, Squick's IRC servers no longer self-sign their SSL/TLS certificates. Instead, a central certificate authority managed by Digi handles the issuance of these certificates, allowing for better standardization and end user verification of their connection's security. On this page, you can take a look at the certificate authority's own root certs (even auto-trust them if you wish) or peer at the known fingerprints for each issued certificate.

If the fingerprint you see while connecting differs from the one listed on this page, something may be compromised, and you should email Digi right away.

Server Certificates and Fingerprints

To verify whether a server is using the correct credentials before you connect your client to it, assuming your client does not display sha256 fingerprints, you can perform this trick if you're on Linux:

  openssl s_client -connect SOMESERVER.squick.me:6697 < /dev/null 2>/dev/null | openssl x509 -sha256 -fingerprint -dates -noout

This test will also work on other platforms, assuming OpenSSL is installed, and you know how to edit the command to suit your OS. (This command was lifted from Rizon's documentation. Thanks, Rizon!)

All certs you check in this way should have the following certificate chain:

0 s:/O=Squick/OU=IRC/CN=SOMESERVER.squick.me
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick IRC CA
1 s:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick IRC CA
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA
2 s:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA
  i:/O=Squick/OU=Network Trust and Certification Authority/CN=Squick Root CA

cheshire.squick.me
  SHA256: F8:24:12:44:78:43:43:A7:31:C4:EE:64:5A:C3:E7:86:CB:0A:31:5D:0F:D0:0D:DC:75:44:BA:81:27:FB:71:A9
  SHA  1: 8F:C8:04:D2:17:80:C5:5D:BB:DD:49:A6:F0:A1:7C:14:23:5F:B9:F1
  Expiry (GMT): Apr 25 01:07:20 2017

fenrir.squick.me
  SHA256: 0B:2E:EB:8F:75:29:2A:EB:80:81:D7:1E:13:8D:BF:F5:66:6A:B3:A7:B8:30:07:E9:FA:7A:61:5E:3E:4F:FA:12
  SHA  1: 7D:C1:69:B9:60:1E:24:CA:1D:2E:A3:09:14:33:A5:B9:41:AB:27:91
  Expiry (GMT): Apr 24 03:52:15 2017

nymph.squick.me
  SHA256: 47:98:93:FD:2D:EB:81:86:E1:1B:B8:3B:3B:A3:8B:CB:33:0C:EF:EC:8D:3A:1D:EC:93:BD:45:3D:CD:F1:A5:95
  SHA  1: 45:3A:F3:17:61:80:2C:6D:F8:80:09:64:F9:10:CE:DC:A6:94:27:FB
  Expiry (GMT): Apr 25 03:45:28 2017

nyx.squick.me
  SHA256: 57:E1:14:37:90:80:E1:E0:D6:26:B8:7C:8A:AC:F9:6B:92:BB:25:91:7D:E8:23:E5:FB:A9:44:D4:32:A2:06:AD
  SHA  1: D1:F9:70:8C:8B:5D:6A:A3:6D:5D:0C:35:FD:A1:E5:F7:0B:52:D7:A4
  Expiry (GMT): Apr 24 04:22:57 2017

possat.squick.me
  SHA256: CB:38:78:8B:5A:69:4A:1B:ED:2C:98:59:93:ED:99:A6:D5:C8:EE:C0:64:53:99:B8:87:E5:F6:C6:03:55:C9:47
  SHA  1: 37:86:AB:3F:F3:77:1A:BA:8C:15:09:A7:20:CA:C0:4C:1E:09:2E:5E
  Expiry (GMT): Apr 29 19:05:33 2017

ullr.squick.me
  SHA256: 57:A7:AC:66:F4:71:73:21:AB:5D:85:99:D6:38:66:AC:9E:DA:C7:5B:B5:C8:57:5D:6C:B4:A6:39:EE:E8:2C:02
  SHA  1: 67:C7:BB:42:52:17:59:89:94:1B:4C:13:0B:4E:FB:AA:4D:5F:61:56
  Expiry (GMT): Apr 29 19:01:34 2017

CA/Root Certificate

The public certificate for our root CA is available here. Its fingerprint should be:

SHA256: 99:7D:5C:86:B6:4A:46:25:85:FD:30:78:14:15:F8:B2:97:B9:44:12:A0:D8:0D:D3:34:FA:77:F3:13:76:28:90
SHA  1: 5E:83:F7:E0:F4:F5:65:0D:00:C5:56:BD:FC:85:9F:50:B4:5C:DE:2A

You can choose to trust our root certificate if you'd like your IRC client to stop badgering you about invalid certs when you connect to the network.

Before you do this, please bear in mind exactly what it is you're doing: you're trusting any certificate we create to be legitimate, even if it's for a domain we don't control. If we're ever compromised, this could result in you being the victim of a man-in-the-middle attack on just about any website out there. We will notify all users through all available methods the instant we detect a breach or any mis-issued certificates, but if you don't trust us explicitly, you shouldn't trust our root certificate. It means exactly what it sounds like it means!

If you still want to take the plunge, here's how you'd tell your system to trust us.

Windows:

  1. Save the root certificate locally. You may need to right-click that link and select "save (file/link) as".
  2. Open where you saved the file. Double-click the file to examine the certificate.
  3. Click the "details" tab and look at the "thumbprint" fields. Make sure the thumbprints given match the fingerprints listed above. Abort immediately and email Digi if they don't.
  4. Switch back to the "general" tab. Click "install certificate..." to open the Certificate Import Wizard.
  5. Click "next". You will be prompted about where you want the certificate to be stored.
  6. Click "place all certificates in the following store", then "browse..."
  7. Select "trusted root certification authorities", then click "OK".
  8. Click "next", review the result, then click "finish".
  9. Windows will give you a very sensible warning about trusting our root certificate. Read it carefully, then do a final check of the fingerprint if you're sure you want to continue. (Don't worry about the different spacing and lack of colons; the numbers and letters matter, not those.)
  10. You're all done. Click all visible "OK" buttons to clean your screen up, then go about your business. You can delete the file you downloaded now, if you want to.

Linux and other platforms:

The process can vary by distro, unfortunately. Search engines will help. Here's the askubuntu take on it. Be aware that our certificate is in DER/cer format, so if a PEM/crt is required for your system, you'll need to convert it with OpenSSL.
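
The two checks described on this page (comparing a live server's fingerprint with the published one, and checking the downloaded root certificate before converting it from DER to PEM) can be scripted as shown here. This is an added example, not part of the original page or Squick's own tooling; the function names and file arguments are hypothetical, and OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical. Requires OpenSSL.

# Reduce a fingerprint to bare uppercase hex, so OpenSSL output ("5E:83:..."),
# Windows thumbprints ("5e 83 ...") and unseparated hex all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# fp_matches OBSERVED EXPECTED
# 0 = match, 1 = mismatch, 2 = OBSERVED is not a SHA-256/SHA-1 fingerprint
# (for example, empty output because the connection failed).
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#a}" -eq 64 ] || [ "${#a}" -eq 40 ] || return 2
    [ "$a" = "$b" ]
}

# SHA-256 fingerprint of the certificate a server presents on port 6697.
server_fp() {
    openssl s_client -connect "$1:6697" </dev/null 2>/dev/null |
        openssl x509 -sha256 -fingerprint -noout 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of a DER-encoded certificate file (the root cert's format).
der_file_fp() {
    openssl x509 -inform der -in "$1" -sha256 -fingerprint -noout | cut -d= -f2
}

# check_server HOST EXPECTED_SHA256
check_server() {
    fp_matches "$(server_fp "$1")" "$2"
}

# der_to_pem_if_trusted IN.cer EXPECTED_SHA256 OUT.crt
# Converts to PEM only when the file's fingerprint matches the published one.
der_to_pem_if_trusted() {
    fp_matches "$(der_file_fp "$1")" "$2" || {
        echo "fingerprint mismatch for $1, not converting" >&2
        return 1
    }
    openssl x509 -inform der -in "$1" -out "$3"
}
```

Source the file, then call check_server with a hostname and the SHA256 value listed for it above; an exit status of 1 or 2 means the fingerprint did not match or could not be read, so do not connect.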