💾 Archived View for makeworld.space › amfora-wiki › Client-Certificates.gmi captured on 2023-09-08 at 16:02:33. Gemini links have been rewritten to link to archived content

Client Certificates

Make sure that you've read the configuration wiki page first.

Client certificates are Gemini's way of handling authentication. A client certificate is like an "identity" or ID card, and you can have multiple. Usually you'll have one per domain, but this is not required.

Amfora currently has basic support for client certificates, with plans to eventually let users generate certificates within Amfora itself. At present, the client certificate needs to be created using OpenSSL and this can be done using the following command:

```sh
openssl req -new -subj "/CN=username" -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 1825 -nodes -out cert.pem -keyout key.pem
```

Replace the word `username` with a username for the service the cert is being used for.

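The `-days 1825` option makes a certificate that's valid for 1825 days, aka 5 years. You can make a cert that lasts for as long as you want, but it's good practice to make one that only lasts as long as you might use it for. The `-nodes` option writes the private key in `key.pem` without a passphrase, so keep that file readable only by your own user account.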

The certificate and key file created can be renamed and moved to a location of your choice. You can only have one client certificate per domain, for now. In order to specify your client certificate for a particular domain, you'll need to make additions to the `[auth]` section of your config file. The following is an example where a certificate and a key file are specified for `astrobotany.mozz.us`. The certificate and key file are located at `~/.local/share/amfora/` in this example, but you can put them anywhere on your computer that Amfora can access.

```toml
[auth]
# Authentication settings

[auth.certs]
# Client certificates
# Set domain name equal to path to client cert
# "example.com" = "mycert.crt"
"astrobotany.mozz.us" = "~/.local/share/amfora/astrobotany-cert.pem"

[auth.keys]
# Client certificate keys
# Set domain name equal to path to key for the client cert above
# "example.com" = "mycert.key"
"astrobotany.mozz.us" = "~/.local/share/amfora/astrobotany-key.pem"
```

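The two steps above (create the pair with OpenSSL, then point `[auth.certs]` and `[auth.keys]` at it) can be wrapped in one script that also confirms the key belongs to the certificate and keeps the unencrypted key private. This is an added example, not part of the Amfora wiki or project; the function names and the `DOMAIN-cert.pem` / `DOMAIN-key.pem` file naming are assumptions.

```sh
#!/bin/sh
# Added example, not from the Amfora wiki. Function names and the
# DOMAIN-cert.pem / DOMAIN-key.pem naming are assumptions.

# make_cert DIR DOMAIN USERNAME [DAYS]: same openssl command as above
make_cert() (
    umask 077   # -nodes leaves the key unencrypted: no group/other access
    mkdir -p "$1" || exit 1
    openssl req -new -subj "/CN=$3" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -days "${4:-1825}" -nodes \
        -out "$1/$2-cert.pem" -keyout "$1/$2-key.pem" &&
        chmod 600 "$1/$2-key.pem"   # also tightens a pre-existing key file
)

# check_pair CERT KEY: succeed only if KEY is the private key for CERT and
# CERT has not expired; prints the subject and expiry date on success.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -enddate
}

# auth_config DIR DOMAIN: print the lines to merge into Amfora's config file
auth_config() {
    printf '[auth.certs]\n"%s" = "%s/%s-cert.pem"\n\n' "$2" "$1" "$2"
    printf '[auth.keys]\n"%s" = "%s/%s-key.pem"\n' "$2" "$1" "$2"
}

# Usage: sh script.sh DIR DOMAIN USERNAME [DAYS]
if [ "$#" -ge 3 ]; then
    make_cert "$@" &&
        check_pair "$1/$2-cert.pem" "$1/$2-key.pem" &&
        auth_config "$1" "$2"
fi
```
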
Windows

On Windows, using OpenSSL is not so easy. One way is to install Chocolatey, and then run `choco install openssl`. You should be able to run the command above after that. Let me know if you have any issues, and I'll update the wiki.
