Trust & certificates
Internal sites use certificates issued by our own certificate authority (CA). Browsers and operating systems do not trust it out of the box, so they warn on internal sites and reject client-certificate sign-in until you import the CA once. Import the root below to trust every internal site signed by it. Verify the fingerprint out-of-band before you trust it.
Download
Import the root CA as a trusted authority. The full chain is for tools (curl, system trust stores) that want the intermediate too.
Certificate details
Confirm these SHA-256 fingerprints against a trusted channel (this documentation, an admin over Matrix) before importing.
Root CA
- Subject
- CN=CivicAgenda Identity Root CA
- Issuer
- CN=CivicAgenda Identity Root CA
- Valid until
- 2036-07-09
- SHA-256
36:33:15:CF:0B:F2:86:53:C3:17:7A:B5:9B:63:E8:A8:03:D9:7B:47:32:4B:6D:A5:BB:1E:D1:74:4B:60:04:F1
Revocation
A certificate can be revoked before it expires. This is the browser-reachable revocation list (CRL) endpoint - the address baked into issued certificates points inside the cluster and is not reachable from your device.
- Revocation URL
https://identity.bingerinnen.de/trust/crl.pem- Last updated
- 2026-07-12 14:56 UTC
- Next update by
- 2026-07-15 14:56 UTC
- Revoked certificates
- 0
How to import
Import the root CA. Only ever trust a CA you obtained over a channel you trust and whose fingerprint you verified above.
Firefox
Firefox keeps its own trust store. Settings → Privacy & Security
→ Certificates → View Certificates → Authorities tab
→ Import, choose the .pem, and tick
Trust this CA to identify websites.
Chrome / Edge / Chromium (via the OS store)
These browsers trust the operating system store - follow the macOS,
Windows, or Linux steps below. (On Linux, Chromium reads its own NSS store:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Loop Coop Root CA" -i loop-coop-root-ca.pem.)
macOS
Open the .crt in Keychain Access (login or System keychain),
then set it to Always Trust under Get Info → Trust.
Or: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain loop-coop-root-ca.crt
Windows
Double-click the .crt → Install Certificate
→ Local Machine → place in Trusted Root Certification
Authorities. Or, elevated:
certutil -addstore -f Root loop-coop-root-ca.crt
Linux (system trust store)
Debian/Ubuntu:
sudo cp loop-coop-root-ca.pem /usr/local/share/ca-certificates/loop-coop-root-ca.crt && sudo update-ca-certificates
Fedora/RHEL:
sudo cp loop-coop-root-ca.pem /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
curl / command line
Point a single command at the chain without touching the system store:
curl --cacert loop-coop-ca-chain.pem https://….loop-coop.net