The CertFP feature is an alternative to password-based authentication, allowing you to connect to DareNET using a TLS certificate and be automatically authenticated to your account.
For the purpose of this document we will be using the
To generate your new certificate and key, use the following command:
openssl req -nodes -new -newkey rsa:4096 -sha256 -days 365 -keyout darenet.pem -out
You will be prompted to enter various pieces of information. For the purpose of using this certificate to authenticate on DareNET, it does not matter what you specify for the fields, so you may fill them in however you wish. Keep in mind that the darenet.pem file will have the same access to your account as your password does, so take care in securing it.
We've created guides for configuring a TLS certificate for the following clients:
You'll need to convert darenet.pem to PKCS12:
openssl pkcs12 -export -out darenet.pfx -in darenet.pem
- Go to the Certificate Manager; "Preferences" -> "Advanced Options" -> "Encryption"
- Select "View Certificates", from there you can import the darenet.pfx you just generated
- Connect to DareNET using SSL. ChatZilla will ask if you want to use the certificate to authenticate. Say yes
You will need to move darenet.pem to the HexChat config directory (%appdata%\HexChat\certs). The filename must be the network name, so in our case DareNET.pem. For example:
mv darenet.pem ~/.config/hexchat/certs/DareNET.pem
Now, start up HexChat and perform the following steps:
- Go to the HexChat menu and select "Network list"
- Find DareNET in the list of networks and select edit (if it's not there, add it)
- You may keep irc.darenet.org as the server, but make sure your port is +6697 or +9999
- Check "Use SSL for all the servers on this network" and "Accept invalid SSL certificate"
- Select "Close" and then connect
Move the darenet.pem file you created to ~/.irssi/certs
mkdir ~/.irssi/certs
mv darenet.pem ~/.irssi/certs
Now, add a network for DareNET, named darenet. You could name it anything, but remember that the name is case-sensitive.
/network add darenet
While you can add multiple servers for each network in irssi, we only need to add the pool address:
/server add -auto -ssl -ssl_cert ~/.irssi/certs/darenet.pem -network darenet irc.darenet.org 6687
Now you can
- Go to "Settings" -> "Configure KvIRC"
- Go to "Connection" -> "advanced"
- On the "SSL" tab, check "Use ssl certificate" and "Use SSL private key". Point both to the darenet.pem file you created
- Change your connection settings and enable the SSL option. Remember to use ports 6697 or 9999
- Open the mIRC configuration options window, "Menu" -> "Connect" -> "Options"
- Select the SSL button
- Select the button below Private key file, find the darenet.pem file you created and select it
- Do the same for Certificate chain file
Move the darenet.pem file you created to your ~/.weechat/certs directory:
mv darenet.pem ~/.weechat/certs
Now, if you have already connected, disconnect and remove the current DareNET server(s). Re-add it using the following commands:
/server add darenet irc.darenet.org/6697
/set irc.server.darenet.ssl on
/set irc.server.darenet.ssl_cert %h/certs/darenet.pem
/set irc.server.darenet.ssl_dhkey_size 2048
and then reconnect to DareNET
- Go to quassel and click "Settings" -> "Configure Quassel" (or press F7)
- Click "Identities" in the left sidebar and choose the identity you want to associate your certificate with
- In the "Advanced" tab, under the "Use SSL Certificate" section, load the darenet.pem file you created
You can check that it's set up correctly by typing /msg *cert info. If you receive "You have a certificate in: ", then you're done.
You can now reconnect using your certificate:
/msg *status connect
Please refer to ZNC's official documentation.
If you've done everything right, you should be connected to DareNET using TLS with your certificate. To allow N to automatically authenticate you based on this certificate, you need to associate it with your account. To do this, use the ADDCERT command:
/msg N ADDCERT
-N- Certificate fingerprint E2D3D7E10E0BC584CB65D49CF7A0FC2AD5C48BF3 added.
N will reply back letting you know that your fingerprint was added. Now the only thing left is to reconnect to the server to test it out! NOTE: you must connect using a nickname registered to your account for N to automatically authenticate you using your certificate. You may get around this requirement by using login-on-connect (discussed below).
/reconnect
12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org Connected securely via TLSv1.2 DHE-RSA-AES256-GCM-SHA384-256
...
-N- You are connected using SSL and have provided a matching client certificate
-N- for account YourAccount. You have been automatically logged in.
-N- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host
That's it, congratulations! You now have automatic authentication via your certificate fingerprint.
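An added example, not DareNET's own code: it computes your certificate's fingerprint locally, compares it with the one N reported after ADDCERT, and confirms that darenet.pem is readable only by its owner. It assumes N's 40-digit fingerprint is the SHA-1 digest of the DER-encoded certificate (inferred from its length); SAMPLE_DER and SAMPLE_PEM are constructed placeholders and the function names are hypothetical.

```python
import base64
import hashlib
import os
import re
import stat

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes stand in for a real DER certificate,
# laid out like a combined key-plus-certificate PEM file.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n")


def cert_fingerprint(pem_text):
    """SHA-1 of the DER certificate as 40 uppercase hex digits.

    Assumption: this is the digest N displays. Only the CERTIFICATE
    block is decoded; any PRIVATE KEY block in the file is skipped.
    """
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM data")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()


def normalize(fingerprint):
    """Turn 'e2:d3:..' or 'E2D3..' into bare uppercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def audit_pem(path, reported_fingerprint):
    """Compare the local fingerprint with the one N reported and check
    that group and others have no access to the file (POSIX modes)."""
    with open(path, encoding="ascii") as handle:
        local = cert_fingerprint(handle.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "fingerprint": local,
        "matches_reply": local == normalize(reported_fingerprint),
        "owner_only": mode & 0o077 == 0,
    }
```

Call audit_pem with the path to your darenet.pem and the fingerprint from N's reply; if owner_only is False, chmod 600 the file.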
Both the SASL and login-on-connect methods allow you to automatically authenticate using CertFP. With the login-on-connect method, you don't have to use a nickname registered to your account. Unfortunately, most IRC clients overload the nickname field for SASL. For login-on-connect, you'd use the same exact method described in the Login-on-Connect guide; however, you may simply use '.' (or any other bogus password) as the password argument.
For SASL, you'll want to use the EXTERNAL mechanism.
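The client side of a SASL EXTERNAL exchange, as an added example that is not taken from DareNET or any client: it assumes the server follows the IRCv3 SASL capability flow, the server lines are constructed, and the function name is hypothetical.

```python
# Numerics that end a SASL attempt without logging in (IRCv3 SASL).
SASL_FAILURE_NUMERICS = {"902", "904", "905", "906"}

# Constructed server lines (not captured from DareNET) for a successful login.
SAMPLE_SERVER_LINES = [
    ":irc.darenet.org CAP * ACK :sasl",
    "AUTHENTICATE +",
    ":irc.darenet.org 900 guest guest!u@host YourAccount :You are now logged in",
    ":irc.darenet.org 903 guest :SASL authentication successful",
]


def sasl_external_replies(server_lines):
    """Return (lines the client sends, logged_in) for the given server lines.

    The TLS handshake has already presented the client certificate, so the
    SASL exchange itself carries no nickname, account name or password.
    """
    sent, logged_in = ["CAP REQ :sasl"], False
    for line in server_lines:
        if line.startswith(":"):              # drop the optional ":prefix "
            line = line.split(" ", 1)[1]
        parts = line.split()
        if not parts:
            continue
        command = parts[0]
        if command == "CAP" and len(parts) >= 4 and parts[2] in ("ACK", "NAK"):
            caps = [p.lstrip(":") for p in parts[3:]]
            granted = parts[2] == "ACK" and "sasl" in caps
            # Without the sasl capability, end negotiation unauthenticated.
            sent.append("AUTHENTICATE EXTERNAL" if granted else "CAP END")
        elif command == "AUTHENTICATE" and parts[1:] == ["+"]:
            # Empty response: identity is taken from the certificate.
            sent.append("AUTHENTICATE +")
        elif command == "903":                # SASL success
            logged_in = True
            sent.append("CAP END")
        elif command in SASL_FAILURE_NUMERICS:
            sent.append("CAP END")
    return sent, logged_in
```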