[irc/freenode/web-7.0.git] / content / kb / using / certfp.md

---
Title: CertFP
Slug: certfp
---

As an alternative to password-based authentication, you can connect to freenode
with a TLS certificate and have services recognise it automatically.

Creating a self-signed certificate
==================================

In order to follow these instructions, you will need the `openssl` utility. If
you are using Windows and do not have a copy, you might consider using Cygwin.

You can generate a certificate with the following command:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

You will be prompted for various pieces of information about the certificate.
The contents do not matter for our purposes, but `openssl` needs at least one of
them to be non-empty.

The `.pem` file will have the same access to your NickServ account as your
password does, so take appropriate care in securing it.

Under Unix-like environments, the following command:

    openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

will list the certificate fingerprint.


Connecting to freenode with your certificate
============================================

IRC clients generally differ in where they look for a certificate and how you
configure them to offer it to the server. If yours is not yet listed here,
advice in this section is unlikely to apply, but guides may be available
elsewhere on the web.

irssi
-----

Move the certificates you created above to ~/.irssi/certs

    mkdir ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now configure your `/server` entry for freenode to use this certificate. You
may need to adapt this example for your existing configuration (the network
and hostname should match what you already use).

    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

weechat
-------

Move the certificates you created above to ~/.weechat/certs

    mkdir ~/.weechat/certs
    mv nick.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s). Re-add it with the
SSL flag, using your newly generated certificate. Note that these commands are
just examples, you have to adapt them to your current servers.

    /set irc.server.freenode.addresses chat.freenode.net/6697
    /set irc.server.freenode.ssl on
    /set irc.server.freenode.ssl_verify on
    /set irc.server.freenode.ssl_cert %h/certs/nick.pem
    /set irc.server.freenode.sasl_mechanism external

and then reconnect to freenode.

znc
---

Refer to znc's [official documentation](http://wiki.znc.in/Cert).

HexChat
-------

The pem file should be placed in `certs/network name.pem` in the HexChat config
directory (`~/.config/hexchat/` or `%appdata%\HexChat`), where `network name`
is the name of the network as it appears in the network list (Ctrl-S). Note
that the `certs` directory does not exist by default and you will have to
create it yourself. Once the file is there, all subsequent SSL connections to
that network will use the certificate.


Add your fingerprint to NickServ
================================

You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

To allow NickServ to recognise you based on your certificate, you need to add
the fingerprint to your account (you will need to log in by other means in order
to do so).

You can then authorise your current certificate fingerprint:

    /msg NickServ CERT ADD

In the future, any connections you make to freenode with your certificate will
be logged into your account automatically. Optionally, or if you wish to connect
via Tor, you can enable SASL with the `EXTERNAL` mechanism.
Commit	Line	Data
c3260969 EK	1	---
	2	Title: CertFP
	3	Slug: certfp
	4	---
	5
	6	As an alternative to password-based authentication, you can connect to freenode
	7	with a TLS certificate and have services recognise it automatically.
	8
	9	Creating a self-signed certificate
	10	==================================
	11
	12	In order to follow these instructions, you will need the `openssl` utility. If
	13	you are using Windows and do not have a copy, you might consider using Cygwin.
	14
	15	You can generate a certificate with the following command:
	16
52b1f108	17	openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem
c3260969 EK	18
	19	You will be prompted for various pieces of information about the certificate.
	20	The contents do not matter for our purposes, but `openssl` needs at least one of
	21	them to be non-empty.
	22
	23	The `.pem` file will have the same access to your NickServ account as your
	24	password does, so take appropriate care in securing it.
	25
	26	Under Unix-like environments, the following command:
	27
	28	openssl x509 -in freenode.pem -outform der \| sha1sum -b \| cut -d' ' -f1
	29
	30	will list the certificate fingerprint.
	31
	32
	33	Connecting to freenode with your certificate
	34	============================================
	35
	36	IRC clients generally differ in where they look for a certificate and how you
	37	configure them to offer it to the server. If yours is not yet listed here,
	38	advice in this section is unlikely to apply, but guides may be available
	39	elsewhere on the web.
	40
	41	irssi
	42	-----
	43
	44	Move the certificates you created above to ~/.irssi/certs
	45
	46	mkdir ~/.irssi/certs
	47	mv freenode.pem ~/.irssi/certs
	48
	49	Now configure your `/server` entry for freenode to use this certificate. You
	50	may need to adapt this example for your existing configuration (the network
	51	and hostname should match what you already use).
	52
	53	/server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697
	54
	55	weechat
	56	-------
	57
	58	Move the certificates you created above to ~/.weechat/certs
	59
	60	mkdir ~/.weechat/certs
	61	mv nick.pem ~/.weechat/certs
	62
	63	Now disconnect and remove the current freenode server(s). Re-add it with the
	64	SSL flag, using your newly generated certificate. Note that these commands are
	65	just examples, you have to adapt them to your current servers.
	66
	67	/set irc.server.freenode.addresses chat.freenode.net/6697
	68	/set irc.server.freenode.ssl on
	69	/set irc.server.freenode.ssl_verify on
	70	/set irc.server.freenode.ssl_cert %h/certs/nick.pem
	71	/set irc.server.freenode.sasl_mechanism external
	72
	73	and then reconnect to freenode.
	74
	75	znc
	76	---
	77
	78	Refer to znc's [official documentation](http://wiki.znc.in/Cert).
	79
47a5da6e	80	HexChat
	81	-------
	82
b58d62b7 EK	83	The pem file should be placed in `certs/network name.pem` in the HexChat config
	84	directory (`~/.config/hexchat/` or `%appdata%\HexChat`), where `network name`
	85	is the name of the network as it appears in the network list (Ctrl-S). Note
	86	that the `certs` directory does not exist by default and you will have to
	87	create it yourself. Once the file is there, all subsequent SSL connections to
	88	that network will use the certificate.
47a5da6e	89
c3260969 EK	90
	91	Add your fingerprint to NickServ
	92	================================
	93
	94	You can then check whether you have a fingerprint by using `whois` on yourself:
	95
	96	/whois YourOwnNick
	97	...
	98	YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
	99	...
	100
	101	To allow NickServ to recognise you based on your certificate, you need to add
	102	the fingerprint to your account (you will need to log in by other means in order
	103	to do so).
	104
	105	You can then authorise your current certificate fingerprint:
	106
	107	/msg NickServ CERT ADD
	108
	109	In the future, any connections you make to freenode with your certificate will
	110	be logged into your account automatically. Optionally, or if you wish to connect
	111	via Tor, you can enable SASL with the `EXTERNAL` mechanism.