[irc/freenode/web-7.0.git] / content / kb / using / nickcerts.md

Title: NickServ and certificates
Slug: certfp
---

You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL external. 
In order to do so, you need an IRC client which supports SSL with a client certificate. 

Creating a self-signed certificate
==================================

First you need generate a self-signed certificate. We will be using OpenSSL which should be available for most unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.

To generate a certificate and key, the `openssl` command can be used with the 'req' option.

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out freenode.pem -keyout freenode.pem

Fill out the fields as you wish, it does not matter whether you put in correct address information or not.

Note that the resulting file should be placed on secure storage, with correct permissions 
(e.g. `chmod 400` for on unix like systems) and not given to third parties. 
You can also protect your key with a password if your client can handle that.

If you want to already perform the steps on adding the information to your NickServ account, 
which are described at the end of this article, you need to get the fingerprint. The command

    openssl x509 -in .irssi/certs/freenode.pem -outform der | sha1sum | cut -d' ' -f1

will list the fingerprint so you can write it down or copy it.


Connecting to freenode with your certificate
============================================

How you have to add the certificate depends on your client. 
If the one you are using is not listed here yet, please consult your client's documentation.
Documentation for various clients is also available on the website of our friends at 
[OFTC<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.oftc.net/NickServ/CertFP/),
most of it can be adopted to freenode by just changing the server address.
We are also open to pull requests to add new clients. 

irssi
-----

Move the certificates you created above to ~/.irssi/certs

    mkdir ~/.irssi/certs
    mv nick.pem ~/.irssi/certs

Now remove the current freenode server(s) and re-add it with the SSL flag,
using your newly generated certificate. Note that these commands are just examples, 
you have to adapt them to your current networks and servers.

    /server remove chat.freenode.net
    /network add freenode
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697

Also if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted as the certificate
won't match the hidden service.

weechat
-------

Move the certificates you created above to ~/.weechat/certs

    mkdir ~/.weechat/certs  
    mv nick.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s).
Re-add it with the SSL flag, using your newly generated certificate.
Note that these commands are just examples, 
you have to adapt them to your current servers.

    /disconnect freenode
    /server del freenode
    /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
    /set irc.server.freenode.ssl_cert %h/certs/nick.pem

and then reconnect to freenode.

znc
---

znc provides an official documentation in 
[their wiki<i class="fa fa-external-link" aria-hidden="true"></i>](http://en.znc.in/wiki/Cert)


Add your fingerprint to NickServ
================================

If you added the certificate to your client you can now connect to freenode.
You can then check whether you have a fingerprint by using `whois` on yourself: 

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

This means that your certificate is working.

To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed. 

Afterwards you can add the fingerprint with the `CERT ADD` command. 
If you are connected using the certificate and the correct fingerprint shows in `whois`, you can just issue

    /msg NickServ CERT ADD
    
Otherwise you have to specify the fingerprint as parameter

    /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a

Nickserv will message back saying that the fingerprint was added. 
You can now use it to identify via CertFP or SASL EXTERNAL.
Please refer to your client documentation on how to do so.
Commit	Line	Data
6da654fb	1	Title: NickServ and certificates
a987a2da	2	Slug: certfp
6da654fb CFL	3	---
	4
	5	You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL external.
	6	In order to do so, you need an IRC client which supports SSL with a client certificate.
	7
	8	Creating a self-signed certificate
	9	==================================
	10
	11	First you need generate a self-signed certificate. We will be using OpenSSL which should be available for most unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.
	12
	13	To generate a certificate and key, the `openssl` command can be used with the 'req' option.
	14
a987a2da	15	openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out freenode.pem -keyout freenode.pem
6da654fb CFL	16
	17	Fill out the fields as you wish, it does not matter whether you put in correct address information or not.
	18
a987a2da CFL	19	Note that the resulting file should be placed on secure storage, with correct permissions
a987a2da CFL	20	(e.g. `chmod 400` for on unix like systems) and not given to third parties.
6da654fb CFL	21	You can also protect your key with a password if your client can handle that.
6da654fb CFL	22
a987a2da CFL	23	If you want to already perform the steps on adding the information to your NickServ account,
	24	which are described at the end of this article, you need to get the fingerprint. The command
	25
	26	openssl x509 -in .irssi/certs/freenode.pem -outform der \| sha1sum \| cut -d' ' -f1
	27
	28	will list the fingerprint so you can write it down or copy it.
	29
6da654fb CFL	30
	31	Connecting to freenode with your certificate
	32	============================================
	33
	34	How you have to add the certificate depends on your client.
	35	If the one you are using is not listed here yet, please consult your client's documentation.
	36	Documentation for various clients is also available on the website of our friends at
	37	[OFTC<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.oftc.net/NickServ/CertFP/),
	38	most of it can be adopted to freenode by just changing the server address.
	39	We are also open to pull requests to add new clients.
	40
	41	irssi
	42	-----
	43
	44	Move the certificates you created above to ~/.irssi/certs
	45
	46	mkdir ~/.irssi/certs
d68ff0ce	47	mv nick.pem ~/.irssi/certs
6da654fb CFL	48
	49	Now remove the current freenode server(s) and re-add it with the SSL flag,
	50	using your newly generated certificate. Note that these commands are just examples,
	51	you have to adapt them to your current networks and servers.
	52
	53	/server remove chat.freenode.net
	54	/network add freenode
	55	/server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697
	56
	57	Also if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted as the certificate
	58	won't match the hidden service.
	59
	60	weechat
	61	-------
	62
	63	Move the certificates you created above to ~/.weechat/certs
	64
	65	mkdir ~/.weechat/certs
d68ff0ce	66	mv nick.pem ~/.weechat/certs
6da654fb CFL	67
	68	Now disconnect and remove the current freenode server(s).
	69	Re-add it with the SSL flag, using your newly generated certificate.
a987a2da CFL	70	Note that these commands are just examples,
a987a2da CFL	71	you have to adapt them to your current servers.
6da654fb CFL	72
	73	/disconnect freenode
	74	/server del freenode
	75	/server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
	76	/set irc.server.freenode.ssl_cert %h/certs/nick.pem
	77
	78	and then reconnect to freenode.
	79
	80	znc
	81	---
	82
	83	znc provides an official documentation in
	84	[their wiki<i class="fa fa-external-link" aria-hidden="true"></i>](http://en.znc.in/wiki/Cert)
	85
	86
	87	Add your fingerprint to NickServ
	88	================================
	89
	90	If you added the certificate to your client you can now connect to freenode.
	91	You can then check whether you have a fingerprint by using `whois` on yourself:
	92
	93	/whois YourOwnNick
	94	...
	95	YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
	96	...
	97
	98	This means that your certificate is working.
	99
	100	To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
	101	If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.
	102
a987a2da CFL	103	Afterwards you can add the fingerprint with the `CERT ADD` command.
	104	If you are connected using the certificate and the correct fingerprint shows in `whois`, you can just issue
	105
	106	/msg NickServ CERT ADD
	107
	108	Otherwise you have to specify the fingerprint as parameter
6da654fb CFL	109
	110	/msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a
	111
	112	Nickserv will message back saying that the fingerprint was added.
	113	You can now use it to identify via CertFP or SASL EXTERNAL.
	114	Please refer to your client documentation on how to do so.