When you try to connect to a web server which has a certificate signed by an unknown root ca, you can compare the TLS/SSL fingerprint of the server with the one of the certificate. For example, if you use your Android phone to securely connect to your own server the phone might not have the root ca of your TLS certificate and thus presents you the fingerprint for you to verify.
Thus, beforehand you have to calculate the TLS fingerprint of the server certificate. This can be done with a single command:
# openssl x509 -noout -fingerprint -in /etc/pki/tls/certs/www.myserver.de.public-cert.ssl.crt SHA1 Fingerprint=84:C2:9D:59:47:23:A6:38:22:C0:0B:39:6D:A8:BB:D8:0B:7B:EA:09
Its much better to use the monkeysphere to verify SSH/X.509 certificates.
http://web.monkeysphere.info/
foo, this tip aims mainly at people who are connecting to their own server – the monkeysphere project would be the second step, but the first step you need to know if you are talking to your own server at all.