CertFP authentication

Authenticate to your account using a TLS certificate.

The CertFP feature is an alternative to password-based authentication, allowing you to connect to DareNET using a TLS certificate and be automatically authenticated to your account.

Creating a self-signed certificate

For the purpose of this document we will be using the openssl utility.

To generate your new certificate and key, use the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout darenet.pem -out darenet.pem

You will be prompted to enter various pieces of information. For the purpose of using this certificate to authenticate on DareNET, it does not matter what you specify for the fields, so you may fill them in however you wish. Keep in mind that the darenet.pem file will have the same access to your account as your password does, and that the -nodes option stores its private key without a passphrase, so take care in securing it.

Connecting to DareNET using your certificate

We've created guides for configuring a TLS certificate for the following clients:


You'll need to convert darenet.pem to PKCS12:

openssl pkcs12 -export -out darenet.pfx -in darenet.pem
  1. Go to the Certificate Manager; "Preferences" -> "Advanced Options" -> "Encryption"
  2. Select "View Certificates", from there you can import the darenet.pfx you just generated
  3. Connect to DareNET using SSL. ChatZilla will ask if you want to use the certificate to authenticate. Say yes.

You will need to move darenet.pem to the HexChat config directory (~/.config/hexchat/certs or %appdata%\HexChat\certs). For example:

mv darenet.pem ~/.config/hexchat/certs/client.pem

Now, start up HexChat and perform the following steps:

  1. Go to the HexChat menu and select "Network list"
  2. Find DareNET in the list of networks and select edit (if it's not there, add it)
  3. You may keep irc.darenet.org as the server, but make sure your port is +6697 or +9999
  4. Check "Use SSL for all the servers on this network"
  5. Select "Close" and then connect

Move the darenet.pem file you created to ~/.irssi/certs

mkdir ~/.irssi/certs
mv darenet.pem ~/.irssi/certs

Now add a network for DareNET named darenet. You can name it anything, but remember that the name is case-sensitive.

/network add darenet

While you can add multiple servers for each network in irssi, we only need to add the pool address:

/server add -auto -ssl -ssl_cert ~/.irssi/certs/darenet.pem -network darenet irc.darenet.org 6697

Now you can /connect darenet.

  1. Go to "Settings" -> "Configure KvIRC"
  2. Go to "Connection" -> "advanced"
  3. On the "SSL" tab, check "Use ssl certificate" and "Use SSL private key". Point both to the darenet.pem file you created
  4. Change your connection settings and enable the SSL option. Remember to use ports 6697 or 9999

  1. Open the mIRC configuration options window, "Menu" -> "Connect" -> "Options"
  2. Select the SSL button
  3. Select the button below Private key file, find the darenet.pem file you created and select it
  4. Do the same for Certificate chain file

Move the darenet.pem file you created to your ~/.weechat/certs directory:

mv darenet.pem ~/.weechat/certs

Now, if you have already connected, disconnect and remove the current DareNET server(s). Re-add it using the following commands:

  1. /server add darenet irc.darenet.org/6697
  2. /set irc.server.darenet.ssl on
  3. /set irc.server.darenet.ssl_cert %h/certs/darenet.pem
  4. /set irc.server.darenet.ssl_dhkey_size 2048

Then reconnect to DareNET:

/connect darenet

  1. Go to quassel and click "Settings" -> "Configure Quassel" (or press F7)
  2. Click "Identities" in the left sidebar and choose the identity you want to associate your certificate with
  3. In the "Advanced" tab, under the "Use SSL Certificate" section, load the darenet.pem file you created

You can check that it's set up correctly by typing /msg *cert info. If you receive "You have a certificate in: ", then you're done.

You can now reconnect using your certificate: /msg *status connect


Please refer to ZNC's official documentation.

Adding your fingerprint to N

If you've done everything right, you should be connected to DareNET using TLS with your certificate. To allow N to automatically authenticate you based on this certificate, you need to associate it with your account. To do this, use the ADDCERT command:

-N- Certificate fingerprint E2D3D7E10E0BC584CB65D49CF7A0FC2AD5C48BF3 added.

N will reply back letting you know that your fingerprint was added. Now the only thing left is to reconnect to the server to test it out! NOTE: you must connect using a nickname registered to your account for N to automatically authenticate you using your certificate. You may get around this requirement by using login-on-connect (discussed below).

12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org Connected securely via TLSv1.2 DHE-RSA-AES256-GCM-SHA384-256

-N- You are connected using SSL and have provided a matching client certificate
-N- for account YourAccount. You have been automatically logged in.
-N- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host

That's it, congratulations! You now have automatic authentication via your certificate fingerprint.
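
The following checks are an added example, not part of DareNET's guide. They cover two points from above: keeping darenet.pem private, since the key written by -nodes is unencrypted, and confirming that the fingerprint N reports after ADDCERT belongs to your local certificate. The function names are illustrative, and the script assumes N's 40-hex-digit fingerprint is the SHA-1 digest of the certificate, which matches the length of the fingerprint shown in N's reply.

```shell
#!/bin/sh
# Added example: local checks on a CertFP credential file (key + certificate).
# Assumption: the fingerprint N prints is the SHA-1 digest of the certificate.

# Print the certificate's SHA-1 fingerprint as 40 uppercase hex digits.
certfp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if group and other have no permission bits on the file.
# (Classic mode bits only; ACLs are not inspected.)
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the file contains a private key header of the kind -nodes writes.
# Traditional-format encrypted RSA keys share the RSA header and are not
# told apart here.
has_plain_key() {
    grep -q -e '-----BEGIN PRIVATE KEY-----' \
            -e '-----BEGIN RSA PRIVATE KEY-----' "$1"
}

# Succeed if the local certificate matches a fingerprint copied from N's
# reply. Colons, spaces and letter case in the pasted value are ignored.
matches_fp() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$(certfp "$1")" = "$want" ]
}

# Tighten permissions if needed, then print the fingerprint to compare.
audit_certfp() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    if has_plain_key "$pem" && ! is_private "$pem"; then
        echo "WARN: $pem holds an unencrypted key readable by others" >&2
        chmod 600 "$pem"
    fi
    echo "fingerprint: $(certfp "$pem")"
}

# Run as: sh check.sh /path/to/darenet.pem
if [ "$#" -gt 0 ]; then audit_certfp "$1"; fi
```

To compare against N's reply, call matches_fp with the path to darenet.pem and the fingerprint pasted from the "Certificate fingerprint ... added" notice.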

Using SASL or login-on-connect with CertFP

Both the SASL and login-on-connect methods allow you to automatically authenticate using CertFP. With the login-on-connect method, you don't have to use a nickname registered to your account. Unfortunately, many IRC clients overload the nickname field for SASL, and you'll need to use your account name in its place. For login-on-connect, you'd use the same exact method described in the Login-on-Connect guide; however, you may simply use '.' (or any other bogus password) as the password argument.


rather than


For SASL, you'll want to use the EXTERNAL mechanism.

Should you still need assistance, stop by #Help on IRC.