SSL certificates can be used by your IRC client as a form of identification. The certificate fingerprint is unique and remains the same no matter what client or host you are using. This is useful for identification to people who may have a dynamic IP address. Services such as NickServ, OperServ, and other bots can use certificate fingerprints as a form of passwordless authentication. Also, please note that in order to use an SSL certificate, you have to connect to the IRC network using SSL as well.
Create an SSL Certificate
Linux
Open your terminal and issue the following command:
openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 -nodes -out nick.pem -keyout nick.pem
Make sure to chmod 400 nick.pem so that only you can read that file.
Windows
- Download & Install OpenSSL
- Open a command prompt
cd C:\OpenSSL\bin
OpenSSL
req -newkey rsa:2048 -days 3650 -x509 -keyout irc.key -out irc.crt -nodes
- Hit Ctrl+C to exit out of the OpenSSL program.
copy irc.crt+irc.key <nick>.pem
NickServ Usage
Once you set up your client to use your certificate, you can then add it to your NickServ account. Identify to your nick with /NickServ identify <nick> <password>, and then do /NickServ CERT ADD.
Note: This will add the fingerprint of the certificate you are using to connect to your NickServ account.
Once you have your fingerprint added to your NickServ account, you no longer need to send a /NickServ identify command. You will automatically be identified upon connection, as long as you connect with a client certificate whose fingerprint matches the one added to your NickServ account.
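The fingerprint that /NickServ CERT ADD records comes from the certificate inside the PEM file created above. As an added example (not part of the original page), the shell functions below check that the file is private, that the key and certificate match and have not expired, and then print the SHA-256 fingerprint; the function names and the lowercase, colon-free output format are assumptions, and your network may use a different digest.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for a combined
# client PEM such as nick.pem, which holds both the private key and the certificate.

# certfp FILE [DIGEST]: print the certificate fingerprint as lowercase hex, no colons.
# DIGEST defaults to sha256 (assumption: use whichever digest your network reports).
certfp() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# check_client_pem FILE: print the fingerprint and return 0 only if the file is
# private, holds a matching unencrypted key and certificate, and has not expired.
check_client_pem() {
    ccp_pem=$1
    [ -r "$ccp_pem" ] || { echo "cannot read $ccp_pem" >&2; return 1; }

    # Group and other must have no access (the page's chmod 400 yields mode 400).
    ccp_mode=$(stat -c '%a' "$ccp_pem" 2>/dev/null || stat -f '%Lp' "$ccp_pem")
    case "$ccp_mode" in
        *00) ;;
        *) echo "mode $ccp_mode is too open, run: chmod 400 $ccp_pem" >&2; return 2 ;;
    esac

    # Public key taken from the certificate.
    ccp_cert_pub=$(openssl x509 -in "$ccp_pem" -noout -pubkey 2>/dev/null) ||
        { echo "no certificate found in $ccp_pem" >&2; return 3; }
    # Public key derived from the private key; an empty passphrase is supplied so
    # an encrypted key fails here instead of prompting.
    ccp_key_pub=$(openssl pkey -in "$ccp_pem" -passin pass: -pubout 2>/dev/null) ||
        { echo "no unencrypted private key found in $ccp_pem" >&2; return 4; }
    [ "$ccp_cert_pub" = "$ccp_key_pub" ] ||
        { echo "private key does not match the certificate" >&2; return 5; }

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$ccp_pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 6; }

    certfp "$ccp_pem"
}
```

Run check_client_pem nick.pem before connecting and compare the output with the fingerprint your network's services list for your account.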
Client Usage
AndroIRC
- In order to use your certificate in AndroIRC, you'll need to convert it to the PKCS12 format.
- openssl pkcs12 -export -in <nick>.pem -out <nick>.pfx
- Place your certificate file in the AndroIRC/certs/ directory.
- Edit the settings for your IRC network in AndroIRC and check the ‘Use SSL certificate’ option, and edit the ‘SSL certificate filename’ to match the name of your certificate file. If you have set a password for your certificate, enter it in the ‘SSL certificate password’ option. Be sure that Use secured connection is checked before trying to use an SSL certificate.
HexChat / XChat
- HexChat uses the pem file that corresponds with the name of the network under Network list.
- Place your certificate file at ~/.config/hexchat/certs/<network_name>.pem.
- For Windows users, place your certificate at %APPDATA%\HexChat\certs\<network_name>.pem. (The file must be named client.pem)
- Edit the settings for your network and check the ‘Use SSL for all servers on this network’ option and the ‘Accept invalid SSL certificates’ option.
- Note: The same settings apply for XChat except the cert directory is in ~/.xchat2/ for Linux and in %APPDATA%\Roaming\X-Chat 2 for Windows.
irssi
- Place your certificate file in the ~/.irssi/certs/ directory.
- /server add -ssl -ssl_cert ~/.irssi/certs/<nick>.pem -network <network_name> <network_address> <ssl_port>
mIRC
- Options Menu -> Connect -> Options
- Click on the SSL button.
- Click on the empty box below ‘Private Key File’, navigate to where you placed your nick.pem file and select it.
- Do the same for ‘Certificate Chain File’.
WeeChat
- Place your certificate file in the ~/.weechat/certs/ directory.
- /set irc.server.<network_name>.ssl on
- /set irc.server.<network_name>.ssl_cert %h/certs/<nick>.pem
- /set irc.server.<network_name>.ssl_verify off
ZNC
- Place your certificate file at ~/.znc/users/<user>/moddata/cert/<nick>.pem.
- /znc LoadMod cert
- /znc LoadMod certauth
- /msg *certauth add
- You can now connect without a password by sending "username/network:" to the ZNC server.