certfp: Add -nodes to the openssl commandline
---
Title: CertFP
Slug: certfp
---

As an alternative to password-based authentication, you can connect to freenode
with a TLS certificate and have services recognise it automatically.

Creating a self-signed certificate
==================================

In order to follow these instructions, you will need the `openssl` utility. If
you are using Windows and do not have a copy, you might consider using Cygwin.

You can generate a certificate with the following command:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

You will be prompted for various pieces of information about the certificate.
The contents do not matter for our purposes, but `openssl` needs at least one of
them to be non-empty.

The `.pem` file will have the same access to your NickServ account as your
password does, so take appropriate care in securing it.

Under Unix-like environments, the following command:

    openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

will list the certificate fingerprint.


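A pre-flight check for the file generated above, as an added Python example that is not part of freenode's own documentation: it recomputes the SHA-1 fingerprint that the `openssl x509 ... | sha1sum` pipeline prints and reports the two ways the key can be exposed (a loose file mode, and no passphrase because of `-nodes`). The function names and the sample data are constructed for illustration; the sample bytes are placeholders, not a real key or certificate.

```python
import base64, hashlib, os, re, stat

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PLAIN_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def cert_fingerprint(pem_text):
    """SHA-1 of the DER certificate as lowercase hex, i.e. what
    `openssl x509 -outform der | sha1sum` prints for the same file."""
    m = CERT_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM data")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha1(der).hexdigest()

def audit_pem(path):
    """Return (fingerprint, findings) for a combined key+certificate file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} exposes the key to group/other; chmod 600")
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    # -nodes leaves the key unencrypted: a plain key header with no
    # "Proc-Type: 4,ENCRYPTED" line means reading the file is enough.
    if PLAIN_KEY_RE.search(text) and "Proc-Type: 4,ENCRYPTED" not in text:
        findings.append("private key is stored without a passphrase")
    return cert_fingerprint(text), findings

# Constructed sample: placeholder bytes, not a real key or certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"

def build_sample_pem():
    def block(label, raw):
        b64 = base64.b64encode(raw).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    # Key and certificate share one file, as with -keyout and -out above.
    return block("PRIVATE KEY", b"constructed key") + block("CERTIFICATE", SAMPLE_DER)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "freenode.pem")
        with open(path, "w") as fh:
            fh.write(build_sample_pem())
        os.chmod(path, 0o644)
        print(audit_pem(path))
```

Run against a real `freenode.pem`, an empty findings list is not expected with the command above: the passphrase finding will always appear because of `-nodes`, which leaves the file mode as the control that matters.
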
Connecting to freenode with your certificate
============================================

IRC clients generally differ in where they look for a certificate and how you
configure them to offer it to the server. If yours is not yet listed here,
advice in this section is unlikely to apply, but guides may be available
elsewhere on the web.

irssi
-----

Move the certificate you created above to `~/.irssi/certs`:

    mkdir ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now configure your `/server` entry for freenode to use this certificate. You
may need to adapt this example for your existing configuration (the network
and hostname should match what you already use).

    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

weechat
-------

Move the certificate you created above to `~/.weechat/certs`:

    mkdir ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s). Re-add it with the
SSL flag, using your newly generated certificate. Note that these commands are
just examples; you have to adapt them to your current servers.

    /set irc.server.freenode.addresses chat.freenode.net/6697
    /set irc.server.freenode.ssl on
    /set irc.server.freenode.ssl_verify on
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem
    /set irc.server.freenode.sasl_mechanism external

and then reconnect to freenode.

znc
---

Refer to znc's [official documentation](http://wiki.znc.in/Cert).


Add your fingerprint to NickServ
================================

You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

To allow NickServ to recognise you based on your certificate, you need to add
the fingerprint to your account (you will need to log in by other means in order
to do so).

You can then authorise your current certificate fingerprint:

    /msg NickServ CERT ADD

In the future, any connections you make to freenode with your certificate will
be logged into your account automatically. Optionally, or if you wish to connect
via Tor, you can enable SASL with the `EXTERNAL` mechanism.