jfr.im git - irc/freenode/web-7.0.git/blob - content/kb/using/nickcerts.md
Add Tor and needed NickServ certificate docs
Title: NickServ and certificates
Slug: nickcerts
---

You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL EXTERNAL.
In order to do so, you need an IRC client which supports SSL with a client certificate.

Creating a self-signed certificate
==================================

First you need to generate a self-signed certificate. We will be using OpenSSL, which should be available for most Unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.

To generate a certificate and key, use the `openssl` command with the `req` subcommand.

    openssl req -nodes -newkey rsa:2048 -keyout nick.key -x509 -days 365 -out nick.crt

Fill out the fields as you wish; it does not matter whether you put in correct address information or not.
Then combine the certificate and the key into a single PEM file:

    cat nick.crt nick.key > nick.pem

Note that these files should be placed on secure storage, with correct permissions
(e.g. `chmod 400` for the .key and .pem files on Unix-like systems), and not given to third parties.
The `-nodes` option above writes the key without a passphrase.
You can also protect your key with a password if your client can handle that.


Connecting to freenode with your certificate
============================================

How you add the certificate depends on your client.
If the one you are using is not listed here yet, please consult your client's documentation.
Documentation for various clients is also available on the website of our friends at
[OFTC<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.oftc.net/NickServ/CertFP/);
most of it can be adapted to freenode by just changing the server address.
We are also open to pull requests to add new clients.

irssi
-----

Move the certificates you created above to `~/.irssi/certs`:

    mkdir ~/.irssi/certs
    mv nick.{key,crt,pem} ~/.irssi/certs

Now remove the current freenode server(s) and re-add them with the SSL flag,
using your newly generated certificate. Note that these commands are just examples;
you have to adapt them to your current networks and servers.

    /server remove chat.freenode.net
    /network add freenode
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697

If you plan to use Tor and add the hidden service instead, `-ssl_verify` has to be omitted, as the certificate
won't match the hidden service.

weechat
-------

Move the certificates you created above to `~/.weechat/certs`:

    mkdir ~/.weechat/certs
    mv nick.{key,crt,pem} ~/.weechat/certs

Now disconnect and remove the current freenode server(s).
Re-add it with the SSL flag, using your newly generated certificate.

    /disconnect freenode
    /server del freenode
    /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
    /set irc.server.freenode.ssl_cert %h/certs/nick.pem

and then reconnect to freenode.

znc
---

znc provides official documentation in
[their wiki<i class="fa fa-external-link" aria-hidden="true"></i>](http://en.znc.in/wiki/Cert).


Add your fingerprint to NickServ
================================

Once you have added the certificate to your client, you can connect to freenode.
You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

This means that your certificate is working.

To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.

Afterwards you can add the fingerprint with the `CERT ADD` command:

    /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a

NickServ will message back saying that the fingerprint was added.
You can now use it to identify via CertFP or SASL EXTERNAL.
Please refer to your client documentation on how to do so.
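
The following is an added example, not part of the freenode documentation: a Python check that the fingerprint `/whois` reports really belongs to your local `nick.pem` before you pass it to `CERT ADD`, and that the file is not accessible to other users. It assumes the fingerprint is a hex digest of the DER-encoded certificate and infers the hash from the value's length; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import re
import stat

# Hex length of a fingerprint -> hash that produces it. Which hash the server
# uses is an assumption, inferred here from the length of the whois value.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der(pem_path):
    """DER bytes of the first certificate in a PEM file (key block ignored)."""
    with open(pem_path, "r", encoding="ascii") as fh:
        match = CERT_BLOCK.search(fh.read())
    if match is None:
        raise ValueError("no CERTIFICATE block in " + pem_path)
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem_path, digest="sha1"):
    """Lowercase hex digest of the DER certificate, without colons."""
    return hashlib.new(digest, cert_der(pem_path)).hexdigest()


def matches_whois(pem_path, reported):
    """True if `reported` (copied from /whois) is a fingerprint of this file."""
    reported = reported.strip().replace(":", "").lower()
    digest = DIGEST_BY_HEX_LEN.get(len(reported))
    if digest is None:
        raise ValueError("unexpected fingerprint length")
    return hmac.compare_digest(fingerprint(pem_path, digest), reported)


def group_or_world_accessible(path):
    """True if the mode grants anything beyond the owner (i.e. not 400/600)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":  # usage: check_fp.py nick.pem <fingerprint from /whois>
    import sys
    if group_or_world_accessible(sys.argv[1]):
        print("warning: key file is accessible to other users (chmod 400)")
    print("match" if matches_whois(sys.argv[1], sys.argv[2]) else "MISMATCH")
```

A mismatch means the client is presenting a different certificate than the file you checked, so the fingerprint should not be added until that is resolved.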