
Signed SSL certificate: Difference between revisions

From ZNC
DH params
>Kerio
No edit summary
Line 3: Line 3:
== General advice ==
== General advice ==


<code>znc.pem</code> '''must''' contain everything in order from the "most private" to the "most public" key.
<code>znc.pem</code> '''must''' contain everything in order from the "most private" to the "most public" entries, except for the root certificate.


E.g. it may be something like this, if CA provides only 1 root cert in the chain:
E.g. it may be something like this, if CA provides only 1 root cert in the chain:
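Review bot: the new sentence now excludes the root certificate, but the unchanged example lead-in "if CA provides only 1 root cert in the chain" still frames the example around the root, which the example below no longer appends; reword it (for instance "if the CA signs your certificate directly, with no intermediate") or add an intermediate line such as `cat your-intermediate.crt >> znc.pem` between the leaf certificate and the omitted root, so the "most private to most public" order has a visible entry for the certificates the text now says must be included.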
Line 9: Line 9:
  cat your-certificate-private.key > znc.pem
  cat your-certificate-private.key > znc.pem
  cat your-certificate.crt >> znc.pem
  cat your-certificate.crt >> znc.pem
cat ca-root.crt >> znc.pem


If you want to enable Diffie–Hellman key exchange, also append DH params to znc.pem:
You should also generate the Diffie–Hellman key exchange parameters, also appended to znc.pem:


  cat dh.pem >> znc.pem
openssl dhparam -out dhparam.pem 2048
  cat dhparam.pem >> znc.pem
 
The dhparam file doesn't have to be kept secret, and can be used multiple times; substitute 2048 for your private key's bit size.


Below you may find more specific instructions how to configure certs from few CAs, contributed by various people.
Below you may find more specific instructions how to configure certs from few CAs, contributed by various people.
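Review bot: "substitute 2048 for your private key's bit size" reads as the reverse of what is meant (replacing the key size with 2048); write "replace 2048 with your private key's bit size". The dropped `cat ca-root.crt >> znc.pem` line is consistent with the new "except for the root certificate" rule above, and the edit turns the DH parameters from optional ("If you want to enable") into a recommendation ("You should also generate"); since the section's main point is ordering, it is worth stating in the text that `dhparam.pem` goes after the certificates, as the example already shows.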
Line 21: Line 23:
If you want to use your StartSSL web server certificate in ZNC, you need to put your private key and then your certificate into ~/.znc/znc.pem:
If you want to use your StartSSL web server certificate in ZNC, you need to put your private key and then your certificate into ~/.znc/znc.pem:


<code>cat server.key znc.pem > znc.pem</code>
cat server.key server.pem > znc.pem


Remember to replace server.key and znc.pem with the correct filenames and relevant paths.
Remember to replace server.key and znc.pem with the correct filenames and relevant paths.


The certificate now gets validated, but the validation fails, since the root certificate is probably not known on your machine (while most browser come built-in with the root certificate). So you either make the certificate known to your machine (and all your ZNC users) or your put the root cert into your znc.pem file like the following:
While the StartSSL root certificate is known on most recent machines, the intermediate certificate isn't, so it has to be appended to your personal certificate:
 
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem >> znc.pem
 
Then add the dhparam file, as generated above:
 
cat dhparam.pem >> znc.pem


# <code>cd ~/.znc/</code>
You can test your certificate without connecting to znc with the following command:
# <code>wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O startssl.com.root.pem</code>
# <code>cat startssl.com.root.pem >> znc.pem</code>


It seems the order in your znc.pem must be "key", "own cert" and "root cert". If you get connection errors, go back and make sure you did it right. You can test your certificate without connecting to znc with the following command:
openssl s_client -showcerts -connect hostname:port


<code>openssl s_client -showcerts -connect domain.tld:6667</code>
Make sure to connect using the correct hostname, or the test won't be useful.
Change the domain and port to your domain and znc's listening port.


== PositiveSSL ==
== PositiveSSL ==
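Review bot: `cat server.key server.pem > znc.pem` fixes the old `cat server.key znc.pem > znc.pem`, where the shell truncates znc.pem before cat reads it, but the unchanged line "Remember to replace server.key and znc.pem with the correct filenames" still names znc.pem where the command now reads server.pem. The new test command `openssl s_client -showcerts -connect hostname:port` also drops the old explanation of what to put there ("Change the domain and port to your domain and znc's listening port"); keep a sentence saying the port is ZNC's SSL listener, since "hostname:port" alone does not say that.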

Revision as of 22:50, 7 January 2015

If you're not going to be the only person using the ZNC instance, you may want to consider using signed SSL certificates. Signed SSL certificates are generated by third-party companies, such as StartSSL, PositiveSSL, VeriSign, or others, and will not cause "self-signed certificate" errors when used with an IRC client.

General advice

znc.pem must contain everything in order from the "most private" to the "most public" entries, except for the root certificate.

For example, if the CA provides only one root certificate in the chain, it may look like this:

cat your-certificate-private.key > znc.pem
cat your-certificate.crt >> znc.pem

You should also generate the Diffie–Hellman key exchange parameters, also appended to znc.pem:

openssl dhparam -out dhparam.pem 2048
cat dhparam.pem >> znc.pem

The dhparam file doesn't have to be kept secret and can be reused across certificates; replace 2048 with your private key's bit size.

Below you may find more specific instructions on how to configure certificates from a few CAs, contributed by various people.

StartSSL

If you want to use your StartSSL web server certificate in ZNC, you need to put your private key and then your certificate into ~/.znc/znc.pem:

cat server.key server.pem > znc.pem

Remember to replace server.key and server.pem with the correct filenames and relevant paths.

While the StartSSL root certificate is known on most recent machines, the intermediate certificate isn't, so it has to be appended to your personal certificate:

wget https://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem >> znc.pem

Then add the dhparam file, as generated above:

cat dhparam.pem >> znc.pem
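The general advice above and the StartSSL recipe are the same procedure: concatenate the private key, the leaf certificate, any intermediates and finally the DH parameters, and leave the root out. The following script is an added example (not from the ZNC wiki or the ZNC project) that assembles the file in that order and then checks the order of the PEM blocks it ended up with, which is the check you want before restarting ZNC. The function names, the one-letter shape notation (K for key, C for certificate, D for DH params) and the sample PEM files in the usage are all constructed here; the order rule itself is the page's.

```shell
#!/bin/sh
# Added example, not ZNC's own code: build znc.pem in the order the wiki
# prescribes (key, leaf cert, intermediates, DH params; no root) and verify
# the block order afterwards. File names are whatever you pass in.

# build_znc_pem OUT KEY CERT [INTERMEDIATE...] [DHPARAM]
# Concatenates the inputs in the order given, the same order as the page's
# cat commands, and keeps the result private because it holds the key.
build_znc_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # a file without a trailing newline would glue two PEM blocks together
        [ -n "$(tail -c1 "$f")" ] && printf '\n' >> "$out"
    done
    chmod 600 "$out"
}

# pem_block_types FILE: the type of each PEM block, one per line, in file order
# (e.g. "PRIVATE KEY", "CERTIFICATE", "DH PARAMETERS").
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_shape FILE: one letter per block: K = private key, C = certificate,
# D = DH parameters, E = passphrase-protected key, ? = anything else.
pem_shape() {
    pem_block_types "$1" | while IFS= read -r t; do
        case "$t" in
            "ENCRYPTED PRIVATE KEY") printf E ;;   # flagged: ZNC starts unattended
            *"PRIVATE KEY")          printf K ;;
            CERTIFICATE)             printf C ;;
            "DH PARAMETERS")         printf D ;;
            *)                       printf '?' ;;
        esac
    done
}

# check_znc_pem FILE: succeeds only for "one key, then one or more
# certificates, then optionally DH params", i.e. the page's ordering rule.
check_znc_pem() {
    shape=$(pem_shape "$1")
    if expr "$shape" : 'KCC*D\{0,1\}$' >/dev/null; then
        return 0
    fi
    echo "check_znc_pem: unexpected block order '$shape' in $1" >&2
    echo "  expected: private key, then certificate(s), then optional DH params" >&2
    return 1
}

# key_matches_cert KEY CERT: compares the public key inside both files so a
# key/cert mix-up is caught here rather than by ZNC. Skipped if openssl is absent.
key_matches_cert() {
    command -v openssl >/dev/null || { echo "openssl not found; skipping key/cert match" >&2; return 0; }
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh build-znc-pem.sh OUT KEY CERT [INTERMEDIATE...] [DHPARAM]
if [ $# -ge 3 ]; then
    key_matches_cert "$2" "$3" || { echo "private key does not match $3" >&2; exit 1; }
    build_znc_pem "$@" && check_znc_pem "$1" && echo "$1 looks good: $(pem_shape "$1")"
fi
```

The shape check is deliberately strict: a root certificate is also a `CERTIFICATE` block, so the script cannot tell a root from an intermediate without openssl; if you want that distinction, compare the issuer and subject of the last certificate with `openssl x509 -noout -subject -issuer` and drop it if they are equal.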

You can test your certificate without connecting to znc with the following command:

openssl s_client -showcerts -connect hostname:port

Make sure to connect using the correct hostname, or the test won't be useful.
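The s_client test above prints a lot; the three lines that tell you whether znc.pem was assembled correctly are how many certificates the server sent, the "Verify return code", and the "Server Temp Key" line that shows the DH parameters are in use. The script below is an added example (not from the ZNC wiki) that runs the same command with SNI set to the hostname, as an IRC client would, and reduces the output to those three facts. The function names are constructed, and the sample s_client output embedded for offline use is constructed too (the placeholder certificate body is not a real certificate); the verify-code meanings are OpenSSL's own.

```shell
#!/bin/sh
# Added example, not ZNC's own code: run the wiki's s_client test and read
# the result. HOST and PORT are your ZNC hostname and SSL listener port.

# probe_znc HOST PORT: one connection, stdin closed so s_client exits;
# -servername sends SNI for HOST, so the chain and hostname are checked the
# way a client that connects by name would see them.
probe_znc() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>&1 \
        | summarize_s_client
}

# summarize_s_client: reads s_client output on stdin and prints
#   certs=<certificates the server sent>  (root should NOT be among them)
#   verify=<OpenSSL verify return code>
#   tempkey=<ephemeral key, e.g. "DH, 2048 bits" when dhparam.pem is in use>
summarize_s_client() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { certs++ }
        /^Verify return code:/          { code = $4 }
        /^Server Temp Key:/             { sub(/^Server Temp Key: /, ""); tempkey = $0 }
        END {
            printf "certs=%d\n", certs
            printf "verify=%s\n", code
            printf "tempkey=%s\n", tempkey
        }'
}

# explain_verify CODE: the codes this test most often yields for a
# mis-assembled znc.pem, with OpenSSL's meaning for each.
explain_verify() {
    case "$1" in
        0)     echo "ok: the chain validates against this machine's CA store" ;;
        18)    echo "self-signed certificate: the leaf is self-signed (old znc.pem still in place?)" ;;
        19)    echo "self-signed certificate in chain: the server sent a root this machine does not trust" ;;
        20|21) echo "issuer certificate not found: an intermediate is usually missing from znc.pem" ;;
        *)     echo "verify code $1: see the X509 verify error list in openssl-verify(1)" ;;
    esac
}

# constructed_sample: made-up s_client output in OpenSSL's format, for
# trying the parser without a server. Only one certificate was sent and the
# verify code is 21, the typical symptom of a missing intermediate.
constructed_sample() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = znc.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = znc.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
---
Server certificate
subject=CN = znc.example.test
issuer=CN = Example Intermediate CA
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1234 bytes and written 456 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

# Usage: sh probe-znc.sh HOST PORT   (or: constructed_sample | summarize_s_client)
if [ $# -eq 2 ]; then
    summary=$(probe_znc "$1" "$2")
    echo "$summary"
    explain_verify "$(echo "$summary" | sed -n 's/^verify=//p')"
fi
```

Run it against the hostname your users type, not the IP or an alias: with SNI set to the wrong name the verify code can be 0 while clients still fail, which is the point of the "correct hostname" note above.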

PositiveSSL

This is how I created a Positive SSL certificate for znc.

  1. openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
  2. Submit server.csr to PositiveSSL
  3. Once you receive your SSL Bundle zip, uncompress it
  4. cat myserver.key > ~/.znc/znc.pem
  5. cat host_domain_com.crt >> ~/.znc/znc.pem
  6. cat PositiveSSLCA2.crt >> ~/.znc/znc.pem
  7. cat AddTrustExternalCARoot.crt >> ~/.znc/znc.pem

That should do it. Drop a note on my Wiki Page if you need any more help.

To use a PositiveSSL, this seemed to be the recipe