...
https://wayf.incommonfederation.org/bridge/certs/incommon.pem
You may check the integrity of the downloaded certificate in a variety of ways. For example, one could use openssl after the fact as follows:
$ openssl x509 -sha1 -in incommon.pem -noout -fingerprint
SHA1 Fingerprint=74:27:8F:96:7C:F1:BF:CA:AA:1B:41:AF:B6:33:64:48:A2:15:0E:B4
Participants should validate this certificate in whatever manner is deemed appropriate. Once this certificate file is locally installed, you can use it to verify the signature on the metadata file in conjunction with the refresh process.
...