Use SSL Client Certificates to Authenticate to Services on IRC

This guide assumes:

  1. That you have a basic understanding of your operating systems command line/prompt.
  2. That you know how to display hidden files & directories on your file manager.
  3. That you are using HexChat as your IRC client.

These steps were tested on Linux & Windows 8.1 Pro, if something does not work for you on your OS please contact me to let me know & I will update this guide accordingly.


First, we will need to open up the command prompt or terminal emulator of your choice (depending on which operating system you are on) and navigate to our HexChat configuration directory.

On Windows this is usually

C:\Users\<span style="text-decoration: underline;"><em>yourusername</em></span>\AppData\Roaming\HexChat\
and on Linux it’s usually
/home/<span style="text-decoration: underline;"><em>yourusername</em></span>/.config/hexchat/.<br />

We will need to create the certs directory, this is where HexChat looks for client authentication certificates.


cd $HOME/.config/hexchat/
mkdir certs
cd certs


cd %APPDATA%\HexChat
mkdir certs
cd certs

Generate Your Certificates

If you are going to use self-signed SSL certificates then you need to generate your root certificates first.

If you are planning on using certificates provided by a certificate authority, such as StartSSL, then you may skip this step and use the certificate that you have generated instead.

When asked for the common name, this should be your name (or nick name).

Generate Root Certificates

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate Client Key & Signing Request

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

Sign Your Client Certificate

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Decrypt your Private Key & Create Combined PEM

openssl rsa -in client.key -out client.priv


cat client.crt ca.crt client.priv > client.pem


type client.crt ca.crt client.priv > client.pem

At this point, if you want to, you can move or delete all of the files we have created except for client.pem.

HexChat network configuration - SSL Client AuthenticationSetup HexChat

Now all you need to do is add your network into your Network List & make sure you are connecting to the server with SSL.

Make sure that your username is set as your primary nickname and that your login method is set to “SASL EXTERNAL (cert)”

Copyright©2011 - 2018, Robert Whitney; All rights reserved.
Aeon Address: WmtnQAoEJsfbcjyMJLmfW8SJ3j5VCGGjX4k3hHrc4XbhVcz6dxifHs65h2w3y5gq8Qf4D4tgzb6VxEtggSq5hR8s1CzN1cLeK