Verifying certificate fingerprint

When opening pidgin on Ubuntu Linux I received the following warning dialogue with the message “Accept certificate for”. Clicking on “View Certificate” showed the second dialogue.

So how do you verify this?

To start with get the actual certificate from gmail and put it in a file

> openssl s_client -connect >

The file contents should look something like this:

 depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 Server certificate
 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
 issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 No client certificate CA names sent
 SSL handshake has read 2005 bytes and written 285 bytes
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
     Protocol  : SSLv3
     Cipher    : ECDHE-RSA-RC4-SHA
     Session-ID: 45F9A9FA76661A382878C54AD89EB033C1D8CABB1840F6C154B32F406EC05D75
     Master-Key: 11FA086DFD76443E656F2C487A52B4BCF83A3F7B65C390A15FC2D876EE64E1EBF9FD1B9E8A22E5980D77CD86A11B2BE8
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1331313945
     Timeout   : 7200 (sec)
     Verify return code: 20 (unable to get local issuer certificate)

Then calculate the fingerprint.

> openssl x509 -noout -fingerprint -in
SHA1 Fingerprint=59:29:78:A7:2A:90:61:F7:0A:D7:C4:4C:4D:44:9D:CF:25:8C:D5:34

The above fingerprint is different than the one Pidgin was warning me about. In this case I rejected the certificate, told pidgin to re-connect and on the second attempt got a valid certificate.

Keys on Pidgin encryption and OTR

As a security and privacy conscious end user I have started encrypting my IM chats with Pidgin Encryption and Off-The-Record Messaging. Both plugins for Pidgin automatically create public/private key pairs which are used to encrypt my IM chats. Unfortunately, I also use many different computers to chat with my friends and by default each computer creates its own public/private key pair. I want my chats to always look like they are coming from me despite the computer I am on so I looked up how to copy the private keys between computers.

In Ubuntu Linux all the relevant files were all listed under the .gaim folder in my home directory. In Windows XP they were listed under the .purple in my Application Data folder.  All you have to do is move the files listed below from the appropriate directory on the original computer to the same directory on whatever other computers you want to use the same public/private key.

On my computer the keys were located in:

Windows: C:\Documents and Settings\UserName\Application Data\.purple

Ubuntu Linux: ~/.gaim

(In some versions of Ubuntu ~/.purple)


  • otr.private_key
  • otr.fingerprints

Pidgin Encryption

  • id
  • id.priv
  • known_keys

The known_keys and otr.fingerprints files list the public keys of other people who you chat with. You don’t have to move these files if you don’t want to. The otr.private_key, id and id.priv files contain your private key and must be moved.