Update fingerprint #23

Closed
lgrahl opened this issue Nov 9, 2016 · 3 comments

@lgrahl
Contributor

lgrahl commented Nov 9, 2016

Dear Threema Gateway User

For more “Swissness”, and to increase the level of trust (Organization Validation), we are switching our server certificates to SwissSign. On 01.12.2016 at 10:00 CET, the certificate for the web host https://msgapi.threema.ch (which you use for communicating with Threema Gateway) will be changed.

If the HTTPS client that you employ for communication with Threema Gateway uses one of the common CA lists (e.g. Mozilla CA store/NSS) or does not verify server certificates, then you don't need to do anything. The root certificate of SwissSign is already contained in common CA lists. If you have included our old certificate (GeoTrust RapidSSL) manually, you need to make the root certificate of SwissSign Gold G2 available to your HTTPS client.

The root certificate of SwissSign Gold G2 can be found here: https://swisssign.net/cgi-bin/authority/download?ca=Gold%20G2 (other formats see: https://swisssign.net/cgi-bin/trust/import).

If you have any questions concerning this certificate change, contact us at support-gateway-service@threema.ch.

Best regards,
Threema Gateway

@rugk
Contributor

rugk commented Nov 9, 2016

So you got the issue of "certificate pinning" here. (#17)
Only pinning the hash (of the leaf cert as Threema does it) prevents any change needed in a CA switch.

@lgrahl
Contributor Author

lgrahl commented Nov 9, 2016

Well, I'm aware of that but I just cannot clone myself. 😉

@rugk
Contributor

rugk commented Nov 9, 2016

Yeah, I am just saying…

@lgrahl lgrahl closed this as completed Dec 5, 2016
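
An added example, not part of the original thread and not code from the SDK or from Threema: a leaf-certificate fingerprint check that accepts a set of pins, so the old and new fingerprints can both be trusted across a certificate change like the one announced above. The function names and the `OLD_CERT`/`NEW_CERT` byte strings are constructed placeholders, not real certificates or fingerprints.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint equals any pinned value."""
    actual = fingerprint(der_cert)
    # Accept 'AA:BB:...' style pins; compare in constant time.
    return any(
        hmac.compare_digest(actual, p.replace(":", "").strip().lower())
        for p in pins
    )


def connect_pinned(host: str, pins, port: int = 443, timeout: float = 10.0):
    """Validate the chain and hostname against the system CA store,
    then additionally require the leaf certificate to match a pin."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    raw = socket.create_connection((host, port), timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    leaf = sock.getpeercert(binary_form=True)  # DER bytes of the leaf
    if not pin_matches(leaf, pins):
        sock.close()
        raise ssl.SSLError("leaf certificate matches none of the pins")
    return sock


# Constructed stand-ins for DER certificates (assumption: not real certs).
OLD_CERT = b"constructed-old-leaf-certificate"
NEW_CERT = b"constructed-new-leaf-certificate"


def rotation_demo():
    """Compare a single pin with an overlapping pin set across a rotation."""
    single = [fingerprint(OLD_CERT)]
    overlap = [fingerprint(OLD_CERT), fingerprint(NEW_CERT)]
    return {
        "single_pin_before": pin_matches(OLD_CERT, single),
        "single_pin_after": pin_matches(NEW_CERT, single),
        "overlap_before": pin_matches(OLD_CERT, overlap),
        "overlap_after": pin_matches(NEW_CERT, overlap),
    }
```

With only the old fingerprint pinned, the check fails as soon as the server presents the new certificate; shipping both pins before the cutover and dropping the old one afterwards avoids that outage.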