Creating an SSL Certificate

A certificate signed by a trusted root CA will work, but is unnecessary. A self-signed certificate can be created for free, with OpenSSL. If a client certificate is self-signed, ircd-seven will only verify that it is not expired. If the client certificate is not self-signed, then it must verify completely, as openssl verify would do.

These instructions assume a Linux or Unix-like shell with openssl installed. Creating a self-signed certificate on Windows is possible through IIS, the SSL Diagnostics Tool, the makecert tool included with Visual Studio, or with the selfcert tool that is part of "Digital Signature for VBA projects" in Microsoft Office. Nobody has contributed documentation to us for these tools.

To create a new self-signed certificate:
  1. Open a new shell, and ensure newly-created files won't be readable by anybody else:

    umask 077
  2. Use openssl to create a new RSA certificate. We suggest a 2048-bit certificate, but 1024, 4096, or other lengths may also work if your IRC client supports them. If you do not want to protect your certificate with a passphrase, add -nodes to the options below. Not having a passphrase means anybody with access to read your certificate file will be able to identify as you. With a passphrase, both access to the certificate file and knowledge of the passphrase would be required. The certificate generated will expire in two years. If you want a longer/shorter time, you can change the number after -days.

    openssl req -newkey rsa:2048 -days 730 -x509 -keyout mynick.key -out mynick.cert
  3. OpenSSL will ask for a passphrase (unless you added -nodes), and depending on its configuration, perhaps a number of other attributes. The values you enter are not important to the IRC server.

    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:Saskatchewan
    Locality Name (eg, city) []:Saskatoon
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:Information Logistics
    Common Name (eg, YOUR name) []:Nifflewhim Bunderluff
    Email Address []:[email protected]
  4. Now you have your certificate key and your self-signed certificate. For most IRC clients, you can combine the certificate and key together into a single PEM file.

    cat mynick.cert mynick.key > mynick.pem
  5. NickServ will need to know your certificate's fingerprint later, so save the output of this command temporarily:

    openssl x509 -sha1 -noout -fingerprint -in mynick.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'

    The output will look like: f1ecf46714198533cda14cccc76e5d7114be4195. (The | sed ... part is optional and just removes the colons and other irrelevant parts from the openssl output.)

  6. If your IRC client supports using the PEM file, you can delete the cert and key files.

    rm mynick.cert mynick.key
  7. Move the PEM file (and/or cert and key files) to the appropriate directory for your IRC client. Double-check that the permissions are restricted so only you can read the file. You can close the shell and configure NickServ and your client.
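The seven steps above, collected into one non-interactive POSIX shell script. This is an added example, not a script from freenode or from the ircd-seven project. It assumes openssl, sed and tr are on PATH; the nick, directory and subject field (-subj "/CN=...") are placeholders you would replace with your own. The fingerprint normalisation is the same sed pipeline shown in step 5, plus a length/character check so a mangled fingerprint is noticed before it is given to NickServ.

```shell
#!/bin/sh
# Added example (not from the freenode page): runs the seven steps above as one
# script. Assumes `openssl`, `sed` and `tr` on PATH; nick, directory and the
# certificate subject are constructed placeholders.
set -eu

# Turn the raw `openssl x509 -fingerprint` line into the bare lowercase hex
# string NickServ expects: strip everything up to "=", drop the colons, lowercase.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^.*=//;s/://g' | tr 'ABCDEF' 'abcdef'
}

# A SHA-1 CertFP fingerprint is exactly 40 lowercase hex characters.
is_valid_fingerprint() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;   # any non-hex (or uppercase) character -> invalid
    esac
    [ "${#1}" -eq 40 ]
}

# Create key and self-signed certificate for NICK in DIR, combine them into
# NICK.pem, delete the separate files and print the normalised fingerprint.
# -nodes skips the passphrase and -subj supplies the attributes openssl would
# otherwise prompt for, so the whole run is non-interactive.
make_cert() {
    nick="$1"; dir="$2"; days="${3:-730}"
    umask 077                                                          # step 1
    openssl req -newkey rsa:2048 -days "$days" -x509 -nodes \
        -subj "/CN=$nick" \
        -keyout "$dir/$nick.key" -out "$dir/$nick.cert" 2>/dev/null    # step 2
    cat "$dir/$nick.cert" "$dir/$nick.key" > "$dir/$nick.pem"          # step 4
    raw=$(openssl x509 -sha1 -noout -fingerprint -in "$dir/$nick.pem") # step 5
    rm "$dir/$nick.cert" "$dir/$nick.key"                              # step 6
    normalize_fingerprint "$raw"
}

# Only generate a key when a nick is given on the command line, e.g.
#   sh make-certfp.sh mynick ~/.irssi/certs
# so that sourcing the file for its functions has no side effects.
if [ "${1:-}" ]; then
    outdir="${2:-.}"
    fp=$(make_cert "$1" "$outdir")
    is_valid_fingerprint "$fp" || { echo "unexpected fingerprint: $fp" >&2; exit 1; }
    ls -l "$outdir/$1.pem"     # step 7: mode should read -rw-------
    echo "$fp"
fi
```

Dropping -nodes from the openssl req line restores the passphrase prompt; the script then has to be run interactively, which is the trade-off step 2 describes (file access alone is no longer enough to identify as you). The ls -l at the end is the permission double-check from step 7: because umask 077 is set before the files are written, the PEM should be owner-readable only.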

If you know of any additions or corrections, or would like to contribute improvements, contact us at the email below.

Copyright © 2002 – 2012 by freenode Creative Commons License
Comments to email address: support at freenode dot net