BingerInnen Identity

Trust & certificates

Internal sites use certificates issued by our own certificate authority (CA). Browsers and operating systems do not trust it out of the box, so they warn on internal sites and reject client-certificate sign-in until you import the CA once. Import the root below to trust every internal site signed by it. Verify the fingerprint out-of-band before you trust it.

Download

Import the root CA as a trusted authority. The full chain is for tools (curl, system trust stores) that want the intermediate too.

Certificate details

Confirm these SHA-256 fingerprints against a trusted channel (this documentation, an admin over Matrix) before importing.

Root CA

Subject
CN=CivicAgenda Identity Root CA
Issuer
CN=CivicAgenda Identity Root CA
Valid until
2036-07-09
SHA-256
36:33:15:CF:0B:F2:86:53:C3:17:7A:B5:9B:63:E8:A8:03:D9:7B:47:32:4B:6D:A5:BB:1E:D1:74:4B:60:04:F1

Revocation

A certificate can be revoked before it expires. This is the browser-reachable revocation list (CRL) endpoint - the address baked into issued certificates points inside the cluster and is not reachable from your device.

Revocation URL
https://identity.bingerinnen.de/trust/crl.pem
Last updated
2026-07-12 14:56 UTC
Next update by
2026-07-15 14:56 UTC
Revoked certificates
0

How to import

Import the root CA. Only ever trust a CA you obtained over a channel you trust and whose fingerprint you verified above.

Firefox

Firefox keeps its own trust store. Settings → Privacy & Security → Certificates → View Certificates → Authorities tab → Import, choose the .pem, and tick Trust this CA to identify websites.

Chrome / Edge / Chromium (via the OS store)

These browsers trust the operating system store - follow the macOS, Windows, or Linux steps below. (On Linux, Chromium reads its own NSS store: certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Loop Coop Root CA" -i loop-coop-root-ca.pem.)

macOS

Open the .crt in Keychain Access (login or System keychain), then set it to Always Trust under Get Info → Trust. Or: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain loop-coop-root-ca.crt

Windows

Double-click the .crtInstall CertificateLocal Machine → place in Trusted Root Certification Authorities. Or, elevated: certutil -addstore -f Root loop-coop-root-ca.crt

Linux (system trust store)

Debian/Ubuntu: sudo cp loop-coop-root-ca.pem /usr/local/share/ca-certificates/loop-coop-root-ca.crt && sudo update-ca-certificates
Fedora/RHEL: sudo cp loop-coop-root-ca.pem /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust

curl / command line

Point a single command at the chain without touching the system store: curl --cacert loop-coop-ca-chain.pem https://….loop-coop.net