Using a *real* X.509 certificate with Irssi and OFTC.

Due to random reasons — read: highest point in the yearly “I’m bored to death” bell distribution curve — my X.509 certificates expire on the last days of the year. Now, I don’t really use them much if at all because PKI certificates have been out of vogue for several years now. But that doesn’t say anything about their usefulness! They can help you be more secure and more conscious of the need for security. In fact, there are places where using an X.509 certificate can simplify your life. Case in point: OFTC.

If you don’t use an X.509 certificate to log in to OFTC, they will make sure your life is miserable, trust me. What do you think of having 10 seconds to log in with your password every time you connect? OK, I exaggerate with the time, but you get my point. Right? OFTC’s website is a wiki. Not particularly well-organized, I’m afraid, so you need to go digging for a while to find instructions on how to use an X.509 certificate to log in to the network, but after a while you find the darned instructions.

So, I won’t touch that particular theme. Besides, I’m sure there are at least 5,230 places out there where you can find that information. What I do want to touch on in this post is the matter of X.509 certificates.

What do I call a real certificate? One issued by a recognized certificate authority. And if I can get it for free, I’m in for as long as the ride lasts. So instead of creating my own self-signed X.509 certificate as the OFTC instructions suggest, I decided to use a real X.509 certificate with a real certificate chain. What to do?

First, there was the matter of choosing a certificate authority that would give me an X.509 certificate for free. Thawte stopped its personal PKI a couple of years ago. So the ones left, to my knowledge, are CAcert and StartSSL. After some thought I chose StartSSL, because they work as an OpenID authentication source as well.

Now, the problem was how to use the certificate. To generate the certificate I used Firefox, not because I wanted to but rather because I had trouble with Chromium doing the right thing. After exporting it I had a PKCS12 file where both public and private keys are encrypted with a password of my choice. But irssi needs a PEM file where both keys are unencrypted, in ASCII armor format. So what now? Here is the hack:

openssl pkcs12 -in in.p12 -out out.pem -nodes -clcerts

Give your encryption password when asked. Make sure you don’t give a password to the private key! Use out.pem according to the instructions in OFTC’s wiki, and that’s it. Of course, the usual “don’t be a moron” precautions ensue: set file permissions so that only you can read the file, don’t do it on a shared or public computer, perhaps use something like ecryptfs to keep your $HOME/.ssh directory encrypted, or do it with your whole home directory or, better yet, encrypt your partitions with dm-crypt! It all depends on your level of paranoia and real need for security.
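
The conversion and the file-permission precaution above, combined into one script so the unencrypted key is never written world-readable. This is an added example, not part of the original post or of OFTC's instructions; the function names `p12_to_pem` and `pem_check` and the `P12_PASS` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: PKCS12 -> unencrypted PEM for irssi, created owner-only.
# Function names and P12_PASS are illustrative, not from the post.

# p12_to_pem IN.p12 OUT.pem
# The export password is taken from the exported variable P12_PASS if it
# is set; otherwise openssl prompts for it on the terminal.
p12_to_pem() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    (
        umask 077        # the new file is mode 0600 from its first byte
        rm -f "$dst"     # an older file could carry looser permissions
        if [ -n "${P12_PASS+x}" ]; then
            openssl pkcs12 -in "$src" -out "$dst" -nodes -clcerts \
                -passin env:P12_PASS
        else
            openssl pkcs12 -in "$src" -out "$dst" -nodes -clcerts
        fi
    ) || { rm -f "$dst"; return 1; }   # leave no partial key material
    pem_check "$dst"
}

# pem_check FILE: succeed only if FILE holds a certificate and a private
# key, the certificate has not expired, and only the owner has access.
pem_check() {
    f=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate in $f" >&2; return 1; }
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$f" ||
        { echo "no private key in $f" >&2; return 1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
        { echo "certificate in $f has expired" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f is accessible to group or others" >&2; return 1; }
}

# Usage: sh convert.sh in.p12 out.pem
if [ "$#" -eq 2 ]; then p12_to_pem "$1" "$2"; fi
```

Running `pem_check out.pem` again later catches both an expired certificate and permissions that have drifted.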