Help Center

Get answers for the most common questions

Our CertFP feature allows you to authenticate to your account (on IRC) using a TLS certificate.

Creating a self-signed certificate

If you don't already have a TLS certificate, you'll need to create one. For the purpose of this document, we will be using OpenSSL which should be available on most Linux and BSD distributions. There are ports for other platforms, including Windows.

We'll generate our new certificate and key using the openssl command, like so:

% openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.cer
Generating a 2048 bit RSA private key
writing new private key to 'mynick.key'
Country Name (2 letter code) [AU]:US 
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgets Pty Ltd.]
Organizational Unit Name (eg, section) []:IRC
Common Name (eg, YOUR name) []:John Doe
Email Address []

It does not matter what you specify for the fields above, so you may do so however you wish. Now you have your certificate key (mynick.key) and self-signed certificate (mynick.cer). Let's protect the key by using the chmod command:

% chmod 400 mynick.key

Most clients will allow you combine the certificate and key together into a single PEM file. Remember to also protect this file, as it now includes your private key.

% cat mynick.cer mynick.key > mynick.pem
% chmod 400 mynick.pem

Connecting to DareNET using your certificate

We've created guides for configuring a TLS certificate for the following clients:

Adding your fingerprint to N

If you've done everything right, you should be connected to DareNET using TLS with your certificate. To allow N to automatically authenticate you based on this certificate, you need to associate it with your account. To do this, use the ADDCERT command:

-N- Certificate fingerprint E2D3D7E10E0BC584CB65D49CF7A0FC2AD5C48BF3 added.

N will reply back letting you know that your fingerprint was added. Now the only thing left is to reconnect to the server to test it out! NOTE: you must connect using a nickname registered to your account for N to automatically authenticate you using your certificate. You may get around this requirement by using login-on-connect (discussed below).

12:10 -!- Irssi: Disconnecting from server [Reconnecting]
12:10 -!- Irssi: Connecting to [IP ADDRESS] port 6697
12:10 ! Connected securely via TLSv1.2 DHE-RSA-AES256-GCM-SHA384-256

-N- You are connected using SSL and have provided a matching client certificate
-N- for account YourAccount. You have been automatically logged in.
-N- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host

That's it, congratulations! You now have automatic authentication via your certificate fingerprint.

Using login-on-connect with CertFP

The login-on-connect method allows you to automatically authenticate using CertFP but without having to use a nickname registered to your account. To set this up, you use the same exact method descrbed in the Login-on-Connect guide; however, you may simple use '.' (or any other bogus password) as the password argument.


rather than

Should you still need assistance, stop by #Help on IRC.