Cert
Latest revision as of 19:11, 17 June 2024
This module is a part of ZNC and is shipped with ZNC by default. If you have the "LoadMod" right, you can activate it with /znc LoadMod cert. The code for this module can be found here.
This module lets users use their own SSL client certificate to connect to a server, such as CertFP.
You will have to generate an SSL client certificate to use with this module. Either place it at ~/.znc/users/<user>/networks/<network>/moddata/cert/user.pem if you loaded Cert for your network, at ~/.znc/users/<user>/moddata/cert/user.pem if you loaded Cert for your user, or use the web interface to upload the certificate.
You can usually test whether services support Cert simply by sending /msg NickServ cert. If you get an error about "Insufficient parameters for CERT," CertFP is supported. If you get an error about an unknown command, or no response at all, it may not be supported. While this is a fairly reliable test, it may vary by IRC network; for example, Rizon supports Cert but uses the command /msg NickServ access instead.
Arguments
This user/network module takes no arguments.
Read loading modules to learn more about loading modules.
Commands
+---------+-----------+--------------------------------+
| Command | Arguments | Description                    |
+---------+-----------+--------------------------------+
| Help    |           | Generate this output           |
| delete  |           | Delete the current certificate |
| info    |           |                                |
+---------+-----------+--------------------------------+
Generating a certificate
You can use the following openssl commands to generate a certificate.
These commands produce a certificate that expires in 3650 days; change the -days argument to openssl to adjust this.
user.pem is the certificate you will need to add to ZNC.
Depending on what your network and client support, choose an RSA or an ECC key. ECC keys are widely supported nowadays.
- For an RSA based certificate, with 4096-bit key length:
# Generate the RSA private key and the certificate, embedded in the same file, for ZNC's YourNickname:
openssl req -nodes -sha512 -newkey rsa:4096 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=YourNickname"
- For an ECC based certificate, with 256-bit key length:
# Generate the ECC private key:
openssl ecparam -genkey -name prime256v1 -out user.key
# Generate the Certificate Signing Request (CSR) for ZNC's YourNickname:
openssl req -new -sha512 -key user.key -out user.csr -subj "/CN=YourNickname"
# Submit the CSR to a CA, or self-sign it yourself with:
openssl req -x509 -sha512 -days 3650 -key user.key -in user.csr -out user.crt
# Embed the private key and certificate in the same file, as required in many cases:
cat user.crt user.key > user.pem
If you are following the instructions from certauth, you can stop here. Your certificate is user.pem, and you must tell your client to use it. See https://libera.chat/guides/certfp
Utilizing the certificate
This part of the article is written generically, and the instructions may differ from network to network depending on many variables. If something doesn't work, consult your network's website and support venues.
Move the cert to the module directory:
mv user.pem ~/.znc/users/<user>/networks/<network>/moddata/cert/
If you loaded Cert for your user, and not your network:
mv user.pem ~/.znc/users/<user>/moddata/cert/
Now, connect to (or reconnect to) your network. Some services support adding a fingerprint to your NickServ account without specifying it outright.
On networks that support this, you can do:
/msg NickServ cert add
If the above command did not work, check /msg NickServ help cert to see whether the network you're on allows this.
If /msg NickServ cert add by itself is not supported, you need to add the fingerprint explicitly, for example:
/msg NickServ cert add fingerprint
note: Different IRC networks use different fingerprint hash algorithms; for example, Libera.chat uses SHA-512. Consult the network you're connecting to for this information.
To get the fingerprint, enter one of the following commands, depending on the network:
openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
openssl x509 -sha256 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
openssl x509 -sha512 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
note: It is also often possible to WHOIS yourself for the fingerprint.
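An added check for two of the steps above, the combined key-plus-certificate layout of user.pem and the fingerprint normalization that the sed pipeline performs; it is written for this page and is not part of ZNC or the wiki. It uses only the Python standard library, and the embedded PEM is a constructed placeholder, not a real key or certificate.

```python
import base64
import hashlib
import re

# Constructed sample in the layout this page calls user.pem: one private key and
# one certificate in a single file. The base64 bodies decode to "key" and "cert".
SAMPLE_USER_PEM = """-----BEGIN PRIVATE KEY-----
a2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y2VydA==
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(pem_text):
    """Return [(label, der_bytes)] for every PEM block in the file."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]

def check_user_pem(pem_text):
    """ZNC wants key and certificate in one file: require exactly one
    certificate and one private key (an extra EC PARAMETERS block from
    'openssl ecparam -genkey' is fine) and return the certificate's DER."""
    blocks = pem_blocks(pem_text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected 1 certificate and 1 private key, "
                         f"found {len(certs)} and {len(keys)}")
    return certs[0]

def fingerprints(pem_text):
    """Certificate fingerprints in the form the page's sed pipeline produces
    (lowercase hex, no colons), for the digests networks commonly ask for."""
    der = check_user_pem(pem_text)
    return {algo: hashlib.new(algo, der).hexdigest()
            for algo in ("sha1", "sha256", "sha512")}

def normalize_openssl_fingerprint(line):
    """Apply the page's sed steps to an 'openssl x509 -fingerprint' output
    line: drop everything up to '=', remove colons, lowercase the hex."""
    return line.split("=", 1)[-1].strip().replace(":", "").lower()

if __name__ == "__main__":
    for algo, fp in fingerprints(SAMPLE_USER_PEM).items():
        print(f"{algo}: {fp}")
```

On a real file, call fingerprints(open("user.pem").read()), pick the digest your network names (SHA-512 on Libera.chat, per the note above), and compare it with what WHOIS on yourself shows before registering it.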