On EsperNet, CertFP does not work unless the SPKI fingerprint is added to NickServ.
11:58 <txtsd> Is it not possible to authenticate via CertFP?
11:58 <txtsd> I've added a cert and its 3 fingerprints, however, I'm not identified when I connect.
12:06 <@kbuck_> I don't see a certificate in your /whois; it might not be getting transmitted properly (or it's not shown in whois and I'm mistaken).
12:06 <@kbuck_> another possibility is that you have to add the SPKI fingerprint (instead of the normal one); our servers are configured to generate SPKI hashes due to how our link authentication works
12:07 <@kbuck_> (our server-to-server links are all certificate authenticated instead of password-based)
12:08 <@kbuck_> tbh, probably more likely to be the SPKI thing.
12:08 <@kbuck_> if the SPKI hash doesn't appear in whois for you, you can generate it with:
12:10 <@kbuck_> openssl x509 -pubkey -noout -in <certfile> | openssl pkey -pubin -outform DER | sha256sum | sed -r -e 's/^/SPKI:SHA2-256:/' | sed -e 's/ -//'
Sounds like by "SPKI hash" they mean SHA256, which is already in the output. Try to use the string "SPKI:SHA2-256:" with the SHA256 <hash> returned by soju.
It doesn't work even when I prepend that string :(
03:58 <@kbuck_> txtsd: my command first extracts only the public key, then hashes it, then prefixes it with that
03:58 <@kbuck_> basically, only a portion of the entire cert is being hashed for the fingerprint, instead of the whole thing
Oh. Sigh.
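The difference kbuck_ describes, as an added example that is not part of the thread and is not soju's or EsperNet's code: a SHA-256 over the whole DER certificate next to a SHA-256 over only its SubjectPublicKeyInfo, in the SPKI:SHA2-256: format of the command above. The function names and the sample certificate (correct layout, dummy key and signature bytes) are constructed for illustration.

```python
import hashlib

def der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element at pos."""
    n = buf[pos + 1]
    start = pos + 2
    if n & 0x80:                       # long form: low 7 bits = count of length bytes
        size = n & 0x7F
        n = int.from_bytes(buf[start:start + size], "big")
        start += size
    return buf[pos], start, start + n

def extract_spki(cert):
    """Return the raw SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)      # enter Certificate
    _, pos, _ = read_tlv(cert, pos)    # enter tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _ in range(5):                 # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def fingerprints(cert):
    """Return (whole-certificate SHA-256, SPKI fingerprint string)."""
    whole = hashlib.sha256(cert).hexdigest()
    spki = hashlib.sha256(extract_spki(cert)).hexdigest()
    return whole, "SPKI:SHA2-256:" + spki

def sample_cert(serial):
    """Constructed certificate-shaped DER; returns (cert, its SPKI bytes)."""
    alg = der(0x30, bytes.fromhex("06032b6570"))          # Ed25519 OID
    spki = der(0x30, alg + der(0x03, b"\x00" + bytes(range(32))))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64))), spki

if __name__ == "__main__":
    for serial in (1, 2):              # same key, different serial number
        print(fingerprints(sample_cert(serial)[0]))
```

The two sample certificates share a key but differ in serial number, so their whole-certificate hashes differ while the SPKI fingerprint is identical. For a PEM file, convert it with ssl.PEM_cert_to_DER_cert before passing it in.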