CertFP allows clients connected via SSL with a client SSL certificate to authenticate to services using the SHA1 fingerprint of their client SSL certificate. One must have registered with services. If you do not already have an SSL certificate, you will need to create one.
Please follow these steps to set up your nick and configure your client. Check off each step to make sure it’s been done:
- Select a permanent, master nickname. If the nickname you want is registered but has expired, just ask a staffer and in most cases, we will be happy to drop it for you. Please avoid using the name of a community project or trademarked entity, to avoid conflicts. Write down your password and be sure to keep the sheet of paper in a safe place.
- Register your IRC nick:
/msg NickServ REGISTER password email@example.com
Replace password with a secure, unguessable password that you keep secret.
Adding a Fingerprint to NickServ
- Identify to your account, if you haven’t already: /msg NickServ identify account password.
- If you haven’t found your certificate fingerprint yet, use
openssl x509 -sha1 -noout -fingerprint -in mynick.pem | sed -e ‘s/^.*=//;s/://g;y/ABCDEF/abcdef/’
to determine it. Replace mynick.pem with the actual filename of your certificate.If you have connected using your SSL certificate, you will also see the fingerprint in your own WHOIS that looks like:
Yournick has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195
- Use /msg NickServ cert add fingerprint to add your fingerprint. Replace fingerprint with the actual fingerprint.
The next time you connect using your client SSL certificate, you will be automatically identified.
Troubleshooting CertFP Identification
- Are you connected via SSL? You should be connecting to an SSL port 6697. You will see yournick :is using a secure connection.
- Does your client certificate fingerprint show in whois? If you do not see a line in your own whois that looks like yournick :has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195 then it may be a client misconfiguration or your certificate might be expired or invalid.Check your client configuration below.To check your SSL certificate validity, try
openssl verify mycert.pem
If the output is either:mycert.pem: OK
orerror 18 at 0 depth lookup:self signed certificate OK
and the exit status of the command is zero, then the certificate should be okay.
- Is your computer clock on-time, or at least close? If your clock is way off, that may cause problems. Consider running NTP to keep your computer’s clock synchronized.
Configuring Client SSL Certificates
Instructions for configuring a client SSL certificate for some popular clients are below.
If you know of any additions or corrections, or would like to contribute improvements, contact us.
==NOTE!: Address of the IRC server can be replaced by the TOR .onoin.
- You can follow any responses to this entry through the RSS 2.0 feed.