Use SSL Client Certificates to Authenticate to Services on IRC
This guide assumes:
- That you have a basic understanding of your operating system's command line/prompt.
- That you know how to display hidden files & directories in your file manager.
- That you are using HexChat as your IRC client.
These steps were tested on Linux & Windows 8.1 Pro. If something does not work for you on your OS, please contact me to let me know & I will update this guide accordingly.
First, we will need to open up the command prompt or terminal emulator of your choice (depending on which operating system you are on) and navigate to our HexChat configuration directory.
On Windows this is usually C:\Users\<yourusername>\AppData\Roaming\HexChat\ and on Linux it’s usually /home/<yourusername>/.config/hexchat/.
We will need to create the certs directory, which is where HexChat looks for client authentication certificates.
Linux:
    cd $HOME/.config/hexchat/
    mkdir certs
    cd certs
Windows:
    cd %APPDATA%\HexChat
    mkdir certs
    cd certs
Generate Your Certificates
If you are going to use self-signed SSL certificates then you need to generate your root certificates first.
If you are planning on using certificates provided by a certificate authority, such as StartSSL, then you may skip this step and use the certificate that you have generated instead.
When asked for the common name, enter your name (or nickname).
Generate Root Certificates
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate Client Key & Signing Request
    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
Sign Your Client Certificate
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Decrypt your Private Key & Create Combined PEM
    openssl rsa -in client.key -out client.priv
Linux:
    cat client.crt ca.crt client.priv > client.pem
Windows:
    type client.crt ca.crt client.priv > client.pem
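At this point, if you want to, you can move or delete all of the files we have created except for client.pem. Note that client.pem contains your decrypted private key, so keep it readable only by your own user account.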
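As a check before pointing HexChat at the file, the following added example (not part of the original guide) inspects a combined client.pem for the layout produced above: client certificate first, exactly one private key that is no longer passphrase-protected, and, on Linux, no group/other access to the file. The function names and the sample data are constructed for illustration; it checks structure only and does not verify that the key matches the certificate.

```python
import base64, os, pathlib, re, stat, tempfile
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def audit_client_pem(path):
    """Return a list of problems found in a combined client.pem."""
    problems = []
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    if not blocks or blocks[0][0] != "CERTIFICATE":
        problems.append("first block is not the client certificate")
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    for label, body in blocks:
        # PKCS#8 flags encryption in the label, the traditional format in a header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is still passphrase-protected")
        if "Proc-Type:" in body:
            continue  # header lines precede the base64, so skip the DER check
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # certificates and keys are DER SEQUENCEs
            problems.append("%s block is not base64-encoded DER" % label)
    # Permission bits are only meaningful on POSIX; Windows uses ACLs instead.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group/others")
    return problems

def _block(label, header=""):
    # Constructed placeholder DER (a tiny SEQUENCE), not a real certificate or key.
    b64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, header, b64, label)

def demo():
    good = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("PRIVATE KEY")
    bad = _block("CERTIFICATE") + _block(
        "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text, mode in (("good", good, 0o600), ("bad", bad, 0o644)):
            path = pathlib.Path(tmp, name + ".pem")
            path.write_text(text)
            path.chmod(mode)
            results[name] = audit_client_pem(path)
    return results

if __name__ == "__main__":
    print(demo())
```

To audit your own file, call audit_client_pem() with the path to certs/client.pem; an empty list means none of the checks failed.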
Now all you need to do is add your network into your Network List & make sure you are connecting to the server with SSL.
Make sure that your username is set as your primary nickname and that your login method is set to “SASL EXTERNAL (cert)”.