Skip to content

howto client ssl certificates

Greg Holmes edited this page Sep 28, 2014 · 1 revision

Introduction

As of DMDirc 0.6.3 (or the 2008-09-04 nightly build), DMDirc supports sending client certificates when connecting to servers using an SSL connection. Client certificates allow you to identify yourself to the server in much the same way as the server identifies itself to you using its certificate. Some networks (such as OFTC) use the client certificate to allow you to automatically be identified by the services, meaning there's no need to log in or send a password (see http://www.oftc.net/oftc/NickServ/CertFP for more information on OFTC's implementation).

Creating a certificate

If you do not already have a client certificate to use, you will need to create one. The usual way to do this is to use openssl from the command line. First, we create our certificate and private key:

openssl req -nodes -newkey rsa:2048 -x509 -days 365 -keyout irc.key -out irc.cer

You will be asked for some details for the certificate, such as your name, location and organisation; these are mostly optional and can be skipped if you like.

This uses a 2048 bit RSA key, and is valid for one year (365 days). The private key is stored in a file called irc.key, and the public certificate in irc.cer.

Converting to PKCS12

DMDirc uses PKCS12 files for client certificates, so we need to convert the files we just generated:

openssl pkcs12 -export -out irc.p12 -inkey irc.key -in irc.cer

You will be asked to enter a passphrase to use. If you don't want to encrypt the private key, you can pass the -nodes option as we did above. You should now have a file called irc.p12; this is the only file that DMDirc needs, so you can safely delete the irc.key and irc.cer files if you like (note that the irc.key file contains an unencrypted copy of your private key, so it would make sense to delete it if you elected to encrypt your .p12 file).

Configuring DMDirc

DMDirc uses two settings to control client certificates. First, you need to tell it where the certificate can be found. To do this, issue the following command from any window:

/set ssl clientcert.file /path/to/your/irc.p12

Making sure to use the correct path to your irc.p12 file. If your file is encrypted, you will also need to tell DMDirc the passphrase to use:

/set ssl clientcert.pass passphrase_here

Note that at present, the passphrase is stored in plain text in the DMDirc configuration file.

Once you have issued these commands, any new SSL connections will send your client certificate when performing the hand shake. If you only want to send your certificate to certain servers, or you want to use different certificates for different servers, you can use the --server flag with the /set command instead:

/set --server ssl clientcert.file /path/to/your/irc.p12
/set --server ssl clientcert.pass passphrase_here

These commands have to be executed from a server window or a window belonging to a server (such as a channel or query window), and they will only affect the server that they're issued to.

You can’t perform that action at this time.