For most clients this should be sufficient. If not, you can download the required intermediate cert from [Gandi](http://crt.gandi.net/GandiStandardSSLCA.crt)
and the root cert from [Instant SSL](http://www.instantssl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt).
-Client SSL certificates are also supported, and may be used for identification to services via [CertFP](#XXX). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing
+Client SSL certificates are also supported, and may be used for identification to services. See [this kb article](kb/using/nickcerts). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing
your certificate's SHA1 fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).
+
+## Accessing freenode Via Tor
+
+freenode is also reachable via [Tor<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.torproject.org/), bound to some restrictions. You can't directly connect to chat.freenode.net via Tor
+but rather have to use the following hidden service as server address:
+
+ freenodeok2gncmy.onion
+
+The hidden service requires SASL authentication. In addition, due to
+the abuse that led Tor access to be disabled in the past, we have
+unfortunately had to add another couple of restrictions:
+
+- You must log in using SASL's `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
+ below)
+- If you log out while connected via Tor, you will not be able to log in without
+ reconnecting.
+
+If you haven't set up the requisite SASL authentication, we recommend SASL
+EXTERNAL. You'll need to generate a client certificate and add that to your
+NickServ account. This is documented [in our knowledge base](kb/using/nickcerts).
+Note that due to the SSL certificates not matching the hidden service,
+you might have to disable the verification in your client.
+
+You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
+comprehensive documentation for this, but it's a feature in most modern
+clients, so please check their docs for instructions for now.
--- /dev/null
+Title: NickServ and certificates
+Slug: nickcerts
+---
+
+You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL external.
+In order to do so, you need an IRC client which supports SSL with a client certificate.
+
+Creating a self-signed certificate
+==================================
+
+First you need generate a self-signed certificate. We will be using OpenSSL which should be available for most unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.
+
+To generate a certificate and key, the `openssl` command can be used with the 'req' option.
+
+ openssl req -nodes -newkey rsa:2048 -keyout nick.key -x509 -days 365 -out nick.crt
+
+Fill out the fields as you wish, it does not matter whether you put in correct address information or not.
+
+ cat nick.crt nick.key > nick.pem
+
+Note that these files should be placed on secure storage, with correct permissions
+(e.g. `chmod 400` for the .key and .pem file on unix like systems) and not given to third parties.
+You can also protect your key with a password if your client can handle that.
+
+
+Connecting to freenode with your certificate
+============================================
+
+How you have to add the certificate depends on your client.
+If the one you are using is not listed here yet, please consult your client's documentation.
+Documentation for various clients is also available on the website of our friends at
+[OFTC<i class="fa fa-external-link" aria-hidden="true"></i>](https://www.oftc.net/NickServ/CertFP/),
+most of it can be adopted to freenode by just changing the server address.
+We are also open to pull requests to add new clients.
+
+irssi
+-----
+
+Move the certificates you created above to ~/.irssi/certs
+
+ mkdir ~/.irssi/certs
+ mv nick.{key,crt,pem} ~/.irssi/certs
+
+Now remove the current freenode server(s) and re-add it with the SSL flag,
+using your newly generated certificate. Note that these commands are just examples,
+you have to adapt them to your current networks and servers.
+
+ /server remove chat.freenode.net
+ /network add freenode
+ /server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697
+
+Also if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted as the certificate
+won't match the hidden service.
+
+weechat
+-------
+
+Move the certificates you created above to ~/.weechat/certs
+
+ mkdir ~/.weechat/certs
+ mv nick.{key,crt,pem} ~/.weechat/certs
+
+Now disconnect and remove the current freenode server(s).
+Re-add it with the SSL flag, using your newly generated certificate.
+
+ /disconnect freenode
+ /server del freenode
+ /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
+ /set irc.server.freenode.ssl_cert %h/certs/nick.pem
+
+and then reconnect to freenode.
+
+znc
+---
+
+znc provides an official documentation in
+[their wiki<i class="fa fa-external-link" aria-hidden="true"></i>](http://en.znc.in/wiki/Cert)
+
+
+Add your fingerprint to NickServ
+================================
+
+If you added the certificate to your client you can now connect to freenode.
+You can then check whether you have a fingerprint by using `whois` on yourself:
+
+ /whois YourOwnNick
+ ...
+ YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
+ ...
+
+This means that your certificate is working.
+
+To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
+If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.
+
+Afterwards you can add the fingerprint with the `CERT ADD` command:
+
+ /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a
+
+Nickserv will message back saying that the fingerprint was added.
+You can now use it to identify via CertFP or SASL EXTERNAL.
+Please refer to your client documentation on how to do so.