jfr.im git - irc/freenode/web-7.0.git/blob - content/kb/using/nickcerts.md
Fix fs commands to only use the .pem file
Title: NickServ and certificates
Slug: certfp
---

You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL EXTERNAL.
In order to do so, you need an IRC client which supports SSL with a client certificate.

Creating a self-signed certificate
==================================

First you need to generate a self-signed certificate. We will be using OpenSSL, which should be available for most Unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.

To generate a certificate and key, use the `openssl` command with the `req` subcommand.

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out freenode.pem -keyout freenode.pem

Fill out the fields as you wish; it does not matter whether you put in correct address information or not.

Note that the resulting file should be placed on secure storage, with correct permissions
(e.g. `chmod 400` on Unix-like systems), and not given to third parties.
You can also protect your key with a password if your client can handle that.

If you want to go ahead with adding the information to your NickServ account,
as described at the end of this article, you need the fingerprint. The command

    openssl x509 -in freenode.pem -outform der | sha1sum | cut -d' ' -f1

will list the fingerprint so you can write it down or copy it.


Connecting to freenode with your certificate
============================================

How you add the certificate depends on your client.
If the one you are using is not listed here yet, please consult your client's documentation.
Documentation for various clients is also available on the website of our friends at
[OFTC<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.oftc.net/NickServ/CertFP/);
most of it can be adapted to freenode by just changing the server address.
We are also open to pull requests to add new clients.

irssi
-----

Move the certificate file you created above to ~/.irssi/certs:

    mkdir ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now remove the current freenode server(s) and re-add it with the SSL flag,
using your newly generated certificate. Note that these commands are just examples;
you have to adapt them to your current networks and servers.

    /server remove chat.freenode.net
    /network add freenode
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -ssl_verify -network freenode chat.freenode.net 6697

Also, if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted, as the certificate
won't match the hidden service.

weechat
-------

Move the certificate file you created above to ~/.weechat/certs:

    mkdir ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s).
Re-add it with the SSL flag, using your newly generated certificate.
Note that these commands are just examples;
you have to adapt them to your current servers.

    /disconnect freenode
    /server del freenode
    /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem

and then reconnect to freenode.

znc
---

znc provides official documentation in
[their wiki<i class="fa fa-external-link" aria-hidden="true"></i>](http://en.znc.in/wiki/Cert).


Add your fingerprint to NickServ
================================

If you added the certificate to your client, you can now connect to freenode.
You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

This means that your certificate is working.

To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.

Afterwards you can add the fingerprint with the `CERT ADD` command.
If you are connected using the certificate and the correct fingerprint shows in `whois`, you can just issue

    /msg NickServ CERT ADD

Otherwise you have to specify the fingerprint as a parameter:

    /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a

NickServ will message back saying that the fingerprint was added.
You can now use it to identify via CertFP or SASL EXTERNAL.
Please refer to your client documentation on how to do so.
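
The fingerprint you pass to `CERT ADD` can be recomputed locally and compared with what `whois` reports before you add it. The following Python sketch is an added example, not part of the original freenode page: it assumes, as the `openssl x509 ... | sha1sum` pipeline in the first section does, that the fingerprint is the SHA-1 of the DER-encoded certificate, reads the combined key-and-certificate file written by the `openssl req` command, and flags permissions looser than the `chmod 400` advice. All function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import os
import re
import stat

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def cert_der(pem_text):
    """DER bytes of the first CERTIFICATE block; private-key blocks are ignored."""
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM data")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def certfp_sha1(pem_text):
    """Hex SHA-1 of the DER certificate (assumed CertFP format, see lead-in)."""
    return hashlib.sha1(cert_der(pem_text)).hexdigest()

def same_fingerprint(a, b):
    """Compare fingerprints ignoring case, colons and surrounding whitespace."""
    canon = lambda fp: fp.strip().replace(":", "").lower()
    return canon(a) == canon(b)

def audit_key_file(path):
    """Return (fingerprint, problems) for a combined key+certificate PEM file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o lets group/other reach the private key" % mode)
    with open(path, encoding="ascii") as handle:
        return certfp_sha1(handle.read()), problems

# Constructed sample: placeholder bytes laid out like a combined PEM file,
# not a real private key or X.509 certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed placeholder key").decode()
    + "-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(certfp_sha1(SAMPLE_PEM))
```

Hashing the whole `.pem` file instead of the decoded certificate block gives a different value, because the file also contains the key and the PEM armor.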