
This module lets users connect to a server with their own SSL certificate, for example to authenticate with CertFP.

You will have to generate an SSL certificate to use with this module. Either place it at `~/.znc/users/<user>/networks/<network>/moddata/cert/user.pem`, or use the web interface to upload the certificate.

You can usually test whether Cert is supported by services simply by sending `/msg NickServ cert`. If you get an error about “Insufficient parameters for CERT,” CertFP is supported. If you get an error about an unknown command, or no response at all, it may not be supported. While this is a fairly reliable test, it may vary by IRC network; for example, Rizon supports Cert but uses the command `/msg NickServ access` instead.


This user/network module takes no arguments.

Read loading modules to learn more about loading modules.


| Command | Arguments | Description                    |
|---------|-----------|--------------------------------|
| Help    |           | Generate this output           |
| delete  |           | Delete the current certificate |
| info    |           |                                |

Generating a certificate

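You can use the following openssl command to generate a certificate.

This command produces a self-signed certificate with a 4096-bit RSA key that expires in 3650 days. You can modify the arguments to openssl to change this. user.pem is the file you will need to add to ZNC. Because `-keyout` and `-out` both point to it and `-nodes` is set, it contains the unencrypted private key as well as the certificate, so keep it private.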

openssl req -nodes -newkey rsa:4096 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=YourNickname"

If you are following instructions from certauth, you can stop here. Your certificate is user.pem, and you must tell your client to use it.

Utilizing the certificate

This part of the article is written generically, and the instructions may differ from network to network depending on a myriad of variables. If something doesn't work, consult your network's website and support venues.

To get a SHA-1 fingerprint, enter the following command:

openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'

Note: Not all networks use SHA-1 fingerprints; consult the network you're connecting to for this information.
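What the openssl pipeline above computes, shown as an added Python example that is not part of the original page: the fingerprint is the digest of the DER-encoded certificate, so the same user.pem gives a SHA-1, SHA-256 or SHA-512 value depending on what the network expects. The function names are this example's own, and the sample PEM is constructed placeholder data rather than a real key or certificate.

```python
import base64
import hashlib
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def cert_der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block.

    user.pem holds the private key and the certificate together, so the
    key block is skipped: only the certificate is fingerprinted.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            return base64.b64decode("".join(body.split()))
    raise ValueError("no CERTIFICATE block found")


def certfp(pem_text, digest="sha1"):
    """Digest of the DER certificate as lowercase hex without colons."""
    return hashlib.new(digest, cert_der_from_pem(pem_text)).hexdigest()


def normalize_fp(text):
    """Reduce 'SHA1 Fingerprint=AB:CD:...' or 'ab:cd:...' to bare lowercase hex."""
    return text.split("=")[-1].replace(":", "").strip().lower()


def make_pem(label, der):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed stand-ins, not a real key or certificate: the fingerprint is
# simply a hash over whatever bytes the CERTIFICATE block decodes to.
SAMPLE_KEY_DER = b"constructed placeholder key bytes"
SAMPLE_CERT_DER = b"constructed placeholder certificate bytes"
SAMPLE_USER_PEM = make_pem("PRIVATE KEY", SAMPLE_KEY_DER) + make_pem(
    "CERTIFICATE", SAMPLE_CERT_DER
)

if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        print(name, certfp(SAMPLE_USER_PEM, name))
```

`normalize_fp` lets you compare the result with a fingerprint shown in another format, such as the colon-separated uppercase form that openssl prints.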

Add the fingerprint to your NickServ account:

/msg NickServ cert add fingerprint

Note: Some services support adding the fingerprint if you're already connected with a certificate, in which case `/msg NickServ cert add` alone will work. It is also often possible to WHOIS yourself for the fingerprint.

Now move the certificate to the module's data folder:

mv user.pem ~/.znc/users/<user>/networks/<network>/moddata/cert/