Title: NickServ and certificates

You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL EXTERNAL.
In order to do so, you need an IRC client which supports SSL with a client certificate.

Creating a self-signed certificate
==================================

First you need to generate a self-signed certificate. We will be using OpenSSL, which should be available for most Unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.

To generate a certificate and key, the `openssl` command can be used with the `req` option.

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out freenode.pem -keyout freenode.pem

Fill out the fields as you wish; it does not matter whether you put in correct address information or not.

Note that the resulting file contains your private key as well as the certificate, so it should be placed on secure storage, with correct permissions (e.g. `chmod 400` on Unix-like systems), and not given to third parties.
You can also protect your key with a password if your client can handle that.

If you already want to perform the steps for adding the information to your NickServ account, which are described at the end of this article, you need to get the fingerprint. The command

    openssl x509 -in freenode.pem -outform der | sha1sum | cut -d' ' -f1

will list the fingerprint so you can write it down or copy it.
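
What the fingerprint command and the permission advice above amount to, as an added Python example that is not part of the original article: it takes only the certificate block out of a combined key-and-certificate PEM file, hashes its DER bytes with SHA-1, and checks that the file grants nothing to group or others. The function names and the sample PEM are assumptions made for illustration; the sample holds constructed placeholder bytes, not a real key or certificate.

```python
import base64
import hashlib
import os
import re
import stat
import tempfile

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block, skipping any key block."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def certfp_sha1(pem_text):
    """SHA-1 over the certificate's DER bytes, as in the openssl | sha1sum pipeline."""
    return hashlib.sha1(cert_der_from_pem(pem_text)).hexdigest()


def is_owner_only(path):
    """True if group and others have no permission bits at all (e.g. mode 400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def make_sample_pem():
    """Constructed sample: placeholder bytes, NOT a real key or certificate."""
    def block(label, data):
        body = base64.encodebytes(data).decode()
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    return (block("PRIVATE KEY", b"constructed-key-bytes" * 8) +
            block("CERTIFICATE", b"constructed-cert-bytes" * 8))


if __name__ == "__main__":
    pem = make_sample_pem()
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(pem)
    os.chmod(fh.name, 0o644)
    print("fingerprint:", certfp_sha1(pem))
    print("owner-only at mode 644:", is_owner_only(fh.name))
    os.chmod(fh.name, 0o400)
    print("owner-only after chmod 400:", is_owner_only(fh.name))
    os.unlink(fh.name)
```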

Connecting to freenode with your certificate
============================================

How you have to add the certificate depends on your client.
If the one you are using is not listed here yet, please consult your client's documentation.
Documentation for various clients is also available on the website of our friends at
[OFTC](https://www.oftc.net/NickServ/CertFP/);
most of it can be adapted to freenode by just changing the server address.
We are also open to pull requests to add new clients.

irssi
-----

Move the certificate you created above to ~/.irssi/certs:

    mkdir -p ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now remove the current freenode server(s) and re-add it with the SSL flag,
using your newly generated certificate. Note that these commands are just examples;
you have to adapt them to your current networks and servers.

    /server remove chat.freenode.net
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -ssl_verify -network freenode chat.freenode.net 6697

Also, if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted, as the certificate
won't match the hidden service.

weechat
-------

Move the certificate you created above to ~/.weechat/certs:

    mkdir ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s).
Re-add it with the SSL flag, using your newly generated certificate.
Note that these commands are just examples;
you have to adapt them to your current servers.

    /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem

Then reconnect to freenode.

znc
---

znc provides official documentation in
[their wiki](http://en.znc.in/wiki/Cert).

Add your fingerprint to NickServ
================================

If you added the certificate to your client, you can now connect to freenode.
You can then check whether you have a fingerprint by using `whois` on yourself:

    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a

This means that your certificate is working.

To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.

Afterwards you can add the fingerprint with the `CERT ADD` command.
If you are connected using the certificate and the correct fingerprint shows in `whois`, you can just issue

    /msg NickServ CERT ADD

Otherwise you have to specify the fingerprint as a parameter:

    /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a

NickServ will message back saying that the fingerprint was added.
You can now use it to identify via CertFP or SASL EXTERNAL.
Please refer to your client documentation on how to do so.