Pidgin: Adding a Trusted Root CA Certificate

Wednesday October 02, 2013 by cl0secall

I've struggled with this for a few days. The cl0secall.net CA was not trusted by Pidgin, and I'd get certificate warnings wherever I connected from. There is no mention of this in the Pidgin FAQ, and various web searches turned up clues but no solutions. Through a combination of the Pidgin Debug Window and browsing the libpurple source code, I found the answer.

As an aside, it took quite some effort to locate the Pidgin source code. The Debug Window was one of the clues from my searching. The link to the Pidgin source repo was on the Download page. Because I was not interested in downloading anything -- merely browsing -- this was counter-intuitive to me.

The solution is to create a directory named "ca-certs" in the ".purple/certificates/x509" directory. This directory is located in "$HOME" on Unix platforms, and in "%APPDATA%" on Windows. Inside that directory, place a file containing the PEM-encoded CA certificate. I used the name "cl0secall.net" for my cl0secall.net CA certificate. Upon restarting Pidgin, my XMPP account connected with no warnings. In the debug window, I saw that the certificate was validated and cached successfully.
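
The install step described above, as an added example that is not part of the original post: it copies a CA file into "ca-certs" only if the file holds exactly one PEM CERTIFICATE block and its SHA-256 fingerprint matches a value obtained out of band. The function names are hypothetical, and the check covers the PEM armor and the fingerprint only; it does not parse the X.509 structure.

```python
import base64
import hashlib
import os
import re
import sys
from pathlib import Path

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def purple_ca_dir(env=os.environ, platform=sys.platform):
    """Directory named in the post: .purple/certificates/x509/ca-certs."""
    # %APPDATA% on Windows, $HOME elsewhere, as the post states.
    base = env["APPDATA"] if platform.startswith("win") else env["HOME"]
    return Path(base) / ".purple" / "certificates" / "x509" / "ca-certs"

def pem_fingerprint(pem_text):
    """Return the SHA-256 (hex) of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE"]:
        # Rejects bundles, private keys pasted alongside, and DER input.
        raise ValueError(f"expected one CERTIFICATE block, got {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def install_ca(pem_path, name, expected_sha256, ca_dir=None):
    """Copy the CA into ca-certs only if its fingerprint matches."""
    pem_text = Path(pem_path).read_text(encoding="ascii")
    actual = pem_fingerprint(pem_text)
    # Accept both plain hex and the colon-separated form openssl prints.
    if actual != expected_sha256.replace(":", "").lower():
        raise ValueError(f"fingerprint mismatch: file has {actual}")
    ca_dir = Path(ca_dir) if ca_dir else purple_ca_dir()
    ca_dir.mkdir(parents=True, exist_ok=True)
    dest = ca_dir / name
    dest.write_text(pem_text, encoding="ascii")
    return dest

if __name__ == "__main__":
    # usage: install_ca.py ca.pem cl0secall.net <sha256 obtained out of band>
    print(install_ca(*sys.argv[1:4]))
```

The fingerprint is computed over the DER bytes, so it can be compared against the SHA-256 value the CA operator publishes or against the output of `openssl x509 -noout -fingerprint -sha256`.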