Comment 5 for bug 1895714

Paride Legovini (paride) wrote:

Again, I think there are good reasons for pinning the certificate (I agree with myself of ~14 months ago). Even better would be to use a certificate generated by a private CA, so there's no third party that can generate a malicious certificate that is trusted by the client. We don't need a third party, as Ubuntu "owns" both sides of the channel to secure (entropy.ubuntu.com:443 and the pollinate package).

As of today the entropy.ubuntu.com certificate is still issued by DigiCert:

Certificate chain
 0 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 2 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

and I haven't heard any more about plans to switch to Letsencrypt, so I'd say there's nothing to fix here at the moment, but as I may be missing some aspects of this I'm setting the bug status to Incomplete. I'm still willing to work on it, provided we agree there's something to do!
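The comment above contrasts two client-side options: pinning the server certificate (what pollinate does today) versus trusting only a private CA. The following is an added example, not code from this bug, from pollinate or from Canonical's infrastructure: a small offline lab that generates its own private CA, a second "third-party" CA, and three server certificates, then shows which ones a pin check and a private-CA chain check each accept. The CA names, the hostname `entropy.example.internal` and the file layout are assumptions for illustration; the pin format is the `sha256//<base64>` form curl accepts for `--pinnedpubkey`.

```shell
#!/bin/sh
# Added example, not pollinate's own code: contrast public-key pinning
# (curl --pinnedpubkey "sha256//..." form) with trusting only a private CA.
# All certificates are generated here in a temp dir; the CA names and the
# hostname are assumptions for illustration, not Canonical's real setup.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="entropy.example.internal"   # assumed hostname

# make_ca NAME: self-signed CA (EC P-256 for speed), files $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 30 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: fresh key plus a server certificate for $HOST signed by CA
issue_leaf() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok CA NAME: private-CA model, does NAME.crt chain to CA.crt alone?
# (chain check only; a real client must also verify the hostname)
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# spki_pin NAME: SHA-256 of the SubjectPublicKeyInfo, in curl --pinnedpubkey form
spki_pin() {
    printf 'sha256//%s\n' "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64)"
}

# pin_ok EXPECTED NAME: pinning model, does NAME.crt carry the pinned key?
pin_ok() {
    [ "$(spki_pin "$2")" = "$1" ]
}

# Setup: our private CA, a CA we do not control, and three server certificates.
make_ca private-ca
make_ca third-party-ca
issue_leaf private-ca leaf-ours              # what we deploy today
issue_leaf third-party-ca leaf-misissued     # same CN, issued by someone else
issue_leaf private-ca leaf-rotated           # our own cert after a key rotation
PIN="$(spki_pin leaf-ours)"

report() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
report chain_ok private-ca leaf-ours
report chain_ok private-ca leaf-misissued
report chain_ok private-ca leaf-rotated
report pin_ok "$PIN" leaf-ours
report pin_ok "$PIN" leaf-misissued
report pin_ok "$PIN" leaf-rotated
```

Both checks reject the certificate issued by the CA we do not control, which is the threat the comment is about. The difference shows up on rotation: the private-CA check accepts the re-keyed certificate, while the pin does not, so a pinning client needs a coordinated pin update whenever the server key changes. On the client, the two models correspond to `curl --pinnedpubkey 'sha256//...'` and `curl --cacert private-ca.crt` respectively, and in either case the client still has to verify the hostname, which this lab's `openssl verify` call does not do.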