Gna! and HTTPS

Certificate

If you have not imported CAcert's root certificate, see the instructions.
Root cert fingerprint (MD5) = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint (SHA-1) = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Why use CAcert.org?

You can find the CAcert root certificate from the following locations:

Check for yourself!

Check the certificates' fingerprints


Get GnuTLS and its certtool utility [doc].
(Debian package: gnutls-bin, Fedora package: gnutls-utils):


$ certtool --certificate-info --infile gna.org.pem
[...]
Other information:
        MD5 Fingerprint: XX:XX:XX:...
[...]
# shorter version: certtool -i < gna.org.pem
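As an added example (not part of the Gna! page or of GnuTLS), a small Python script that performs the same fingerprint check as certtool: it reads a PEM file, computes the MD5, SHA-1 or SHA-256 fingerprint of the DER body, and compares it with an expected value written in any of the notations used on this page (colon-separated, space-grouped or bare hex), picking the digest from the length of the expected value. The PEM input is a constructed stand-in whose payload is just the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# An unlabelled fingerprint's digest can be inferred from its hex length:
# 32 -> MD5, 40 -> SHA-1, 64 -> SHA-256.
DIGEST_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for a certificate file (not a real certificate): the
# base64 payload decodes to b"abc", so the fingerprints are the well-known
# test-vector digests of "abc".
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.DOTALL)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with colons, spaces and other separators removed."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint(der: bytes, digest: str) -> str:
    """Fingerprint of DER bytes in certtool's colon-separated form."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches_expected(pem_text: str, expected: str) -> bool:
    """Compare a PEM certificate against an out-of-band fingerprint."""
    wanted = normalize_fingerprint(expected)
    digest = DIGEST_BY_HEX_LENGTH.get(len(wanted))
    if digest is None:
        raise ValueError(f"unrecognised fingerprint length {len(wanted)}")
    actual = normalize_fingerprint(fingerprint(pem_to_der(pem_text), digest))
    return hmac.compare_digest(actual, wanted)
```

Feed it the file written by `gnutls-cli --print-cert` below and `matches_expected` answers the same question as reading certtool's "Fingerprint" line by eye.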

Simulate a connection

We'll use gnutls-cli [doc]:

$ gnutls-cli --x509cafile /usr/share/ca-certificates/cacert.org/cacert.org.crt gna.org
Processed 2 CA certificate(s).
Resolving 'gna.org'...
Connecting to '78.40.125.81:443'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=gna.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 1024 bits, signed using RSA-SHA, activated `2009-11-01 20:54:13 UTC', expires `2010-04-30 20:54:13 UTC', SHA-1 fingerprint `2cd6e0b88181de01202afb761d83200a7e242799' <-- verify the fingerprint
- The hostname in the certificate matches 'gna.org'.
- Peer's certificate is trusted <-- check this line
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
[...]

Extract the certificate from the live server

$ gnutls-cli --print-cert gna.org </dev/null >sv.pem

You then can display the certificate as usual:

$ certtool -i < sv.pem

Verify the certificate chain

$ cat sv.pem /usr/share/ca-certificates/cacert.org/cacert.org.crt | certtool -e
Certificate[0]: CN=gna.org
Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Verifying against certificate[1].
Verification output: Verified.

Certificate[1]: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Verifying against certificate[2].
Error: Issuer's name: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
certtool: Issuer's name does not match the next certificate

The first block shows that the server certificate does verify against the CAcert root (certificate[1]). The second block shows certtool then trying to verify that self-signed root against the next certificate in the CA file (certificate[2], the CAcert Class 3 Root) and stopping on an issuer-name mismatch: a slight inconsistency between the two CAcert distinguished names, not a problem with the server certificate.