Signed SSL certificate
If you're not going to be the only person using the ZNC instance, you may want to consider using signed SSL certificates. Signed SSL certificates are generated by third-party companies, such as StartSSL, PositiveSSL, VeriSign, or others, and will not cause "self-signed certificate" errors when used with an IRC client.
znc.pem must contain everything in order from the "most private" to the "most public" entries, except for the root certificate.
E.g. it may be something like this:
cat your-certificate-private.key > znc.pem cat your-certificate.crt >> znc.pem cat intermediate-certificate-of-ca.crt >> znc.pem # If your certificate wasn't signed by CA root certificate directly. # cat ca-root.crt >> znc.pem # Possible, but useless. If client knows this CA, this is redundant. If client doesn't know this CA, it's not trusted anyway.
You should also generate the Diffie–Hellman key exchange parameters, also appended to znc.pem:
openssl dhparam -out dhparam.pem 2048 cat dhparam.pem >> znc.pem
The dhparam file doesn't have to be kept secret, and can be used multiple times; substitute 2048 for your private key's bit size.
Below you may find more specific instructions how to configure certs from few CAs, contributed by various people.
If you want to use your StartSSL web server certificate in ZNC, you need to put your private key and then your certificate into ~/.znc/znc.pem:
cat server.key server.pem > znc.pem
Remember to replace server.key and znc.pem with the correct filenames and relevant paths.
While the StartSSL root certificate is known on most recent machines, the intermediate certificate isn't, so it has to be appended to your personal certificate:
wget https://www.startssl.com/certs/sub.class1.server.ca.pem cat sub.class1.server.ca.pem >> znc.pem
Then add the dhparam file, as generated above:
cat dhparam.pem >> znc.pem
You can test your certificate without connecting to znc with the following command:
openssl s_client -showcerts -connect hostname:port
Make sure to connect using the correct hostname, or the test won't be useful.
This is how I (who?) created a Positive SSL certificate for znc.
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
- Submit server.csr to PositiveSSL
- Once you receive your SSL Bundle zip, uncompress
cat myserver.key > ~/.znc/znc.pem
cat host_domain_com.crt >> ~/.znc/znc.pem
cat PositiveSSLCA2.crt >> ~/.znc/znc.pem
cat AddTrustExternalCARoot.crt >> ~/.znc/znc.pem
That should do it. Drop a note on my Wiki Page if you need any more help.
To use a PositiveSSL, this seemed to be the recipe