Identifying with CERTFP
CertFP allows clients connected via SSL with a client SSL certificate to authenticate to services using the SHA1 fingerprint of that certificate. You must already have registered with services. If you do not already have an SSL certificate, you will need to create one.
Adding a Fingerprint to NickServ
Identify to your account, if you haven't already: /msg NickServ identify account password.
If you haven't found your certificate fingerprint yet, use openssl x509 -sha1 -noout -fingerprint -in mynick.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/' to determine it. Replace mynick.pem with the actual filename of your certificate.
If you have connected using your SSL certificate, you will also see the fingerprint in your own WHOIS. It is sent with a 276 numeric that looks like:
276 yournick yournick :has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195
Use /msg NickServ cert add fingerprint to add your fingerprint. Replace fingerprint with the actual fingerprint.
The next time you connect using your client SSL certificate, you will be automatically identified.
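The steps above give two ways to read a fingerprint: from the certificate file and from the 276 numeric in your own WHOIS. The following script is an added example, not part of the original page or of freenode's tooling; it computes the first and compares it with the second before you run cert add. The function names are hypothetical and SAMPLE_PEM wraps constructed placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a certificate body: arbitrary bytes, not a real X.509
# certificate. The fingerprint is SHA-1 over the DER bytes, so these suffice here.
SAMPLE_DER = b"constructed placeholder DER bytes for the CertFP example"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
NUMERIC_276 = re.compile(
    r"(?:^|\s)276 \S+ \S+ :has client certificate fingerprint ([0-9A-Fa-f:]+)\s*$")

def normalise(fp):
    """Same result as the sed step: drop the 'label=' prefix and colons, lowercase."""
    return fp.rsplit("=", 1)[-1].replace(":", "").strip().lower()

def fingerprint_from_pem(pem_text):
    """SHA-1 over the DER bytes of the first CERTIFICATE block.

    The file may hold other PEM blocks (for example a private key); they are skipped.
    """
    m = PEM_CERT.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest()

def fingerprint_from_whois(line):
    """Return the fingerprint carried by a 276 numeric line, or None."""
    m = NUMERIC_276.search(line)
    return normalise(m.group(1)) if m else None

def check(pem_text, whois_lines):
    """Compare the local certificate with what the server reported in WHOIS."""
    local = fingerprint_from_pem(pem_text)
    seen = [fp for fp in map(fingerprint_from_whois, whois_lines) if fp]
    if not seen:
        return "no 276 numeric: check client configuration and certificate validity"
    if local in seen:
        return "match"
    return "mismatch: the client presented a different certificate"

if __name__ == "__main__":
    fp = fingerprint_from_pem(SAMPLE_PEM)
    whois = ["276 yournick yournick :has client certificate fingerprint " + fp]
    print(fp, check(SAMPLE_PEM, whois))
```

To use it on your own data, pass the text of mynick.pem and the lines of your own WHOIS output to check().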
Troubleshooting CertFP Identification
Are you connected via SSL? You should be connecting to an SSL port. You should have user mode +Z, and in your own whois you will see 671 yournick yournick :is using a secure connection.
Does your client certificate fingerprint show in whois? If you do not see a line in your own whois that looks like 276 yournick yournick :has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195 then it may be a client misconfiguration or your certificate might be expired or invalid.
Check your client configuration below.
To check your SSL certificate validity, try openssl verify mycert.pem. If the output is either:
mycert.pem: OK
or
error 18 at 0 depth lookup:self signed certificate OK
and the exit status of the command is zero, then the certificate should be okay.
Is your computer clock on time, or at least close? If your clock is way off, that may cause problems. Consider running NTP to keep your computer's clock synchronized.
Configuring Client SSL Certificates
Instructions for configuring a client SSL certificate for some popular clients are below.
If you know of any additions or corrections, or would like to contribute improvements, contact us at the email below.
Copyright © 2002 – 2012
by freenode
Comments to email address: support at freenode dot net