Our CertFP feature allows you to authenticate to your account (on IRC) using a SSL client certificate.
If you don't already have an SSL certificate, you'll need to create one. For the purpose of this document, we will be using OpenSSL which should be available on most Linux and BSD distributions. There are ports for other platforms, including Windows.
We'll generate our new certificate and key using the openssl command, like so:
% openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.cer Generating a 2048 bit RSA private key writing new private key to 'mynick.key' ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) :Los Angeles Organization Name (eg, company) [Internet Widgets Pty Ltd.] Organizational Unit Name (eg, section) :IRC Common Name (eg, YOUR name) :John Doe Email Address :firstname.lastname@example.org
It does not matter what you specify for the fields above, so you may do so however you wish. Now you have your certificate key (mynick.key) and self-signed certificate (mynick.cer). Let's protect the key by using the chmod command:
% chmod 400 mynick.key
Most clients will allow you combine the certificate and key together into a single PEM file. Remember to also protect this file, as it now includes your private key.
% cat mynick.cer mynick.key > mynick.pem % chmod 400 mynick.pem
We've created guides for configuring a SSL client certificate for the following clients:
If you've done everything right, you should be connected to DareNET using SSL with a client certificate. To allow N to automatically authenticate you based on this certificate, you need to associate it with your account. To do this, use the ADDCERT command:
/msg N ADDCERT -N- Certificate fingerprint E2D3D7E10E0BC584CB65D49CF7A0FC2AD5C48BF3 added.
N will reply back letting you know that your CertFP was added. Now the only thing left is to reconnect to the server to test it out! NOTE: you must connect using a nickname registered to your account for N to automatically authenticate you using your CertFP. You may get around this requirement by using login-on-connect (discussed below).
/reconnect 12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting] 12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697 12:10 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits ... -N- You are connected using SSL and have provided a matching client certificate -N- for account YourAccount. You have been automatically logged in. -N- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login]. YourAccount.user.darenet is now your hidden host
That's it, congratulations! You now have automatic authentication via SSL and certificate fingerprints.
The login-on-connect method allows you to automatically authenticate using CertFP but without having to use a nickname registered to your account. To set this up, you use the same exact method descrbed in the Login-on-Connect guide; however, you may simple use '.' (or any other bogus password) as the password argument.