In order to allow users to authenticate the server it needs to be configured with a certificate.
It is helpful to also provide the pinset for the certificate (The SHA-256 fingerprint of the public key) as an alternative validation mechanism. If you decide to do this then it is recommended to use the same key when renewing the certificate to avoid having to manage key rollovers.
Many of the existing servers use the great service at Let's Encrypt to obtain certificates. It has become clear that it is not obvious how to renew a certificate with the same key so we have a short guide on Let's Encrypt Key renewal.
We are working on a 'probe' mode for getdns and also a Nagios plugin... watch this space.