Client Certificates
Make sure that you've read the configuration wiki page first.
Client certificates are Gemini's way of handling authentication. It's like an "identity" or ID card, and you can have multiple. Usually you'll have one per domain, but this is not required.
Amfora currently has basic support for client certificates, with plans to eventually let users generate certificates within Amfora itself. At present, the client certificate needs to be created using OpenSSL and this can be done using the following command:
openssl req -new -subj "/CN=username" -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 1825 -nodes -out cert.pem -keyout key.pem
Replace the word username with a username for the service the cert is being used for.
The -days 1825 option says to make a certificate that's valid for 1825 days, i.e. 5 years. You can make a cert that lasts as long as you want, but it's good practice to make one that only lasts as long as you expect to use it.
The certificate and key file created can be renamed and moved to a location of your choice. In order to specify your client certificate for a particular domain (and optionally a path on that domain), you'll need to make additions to the [auth] section of your config file. The following is an example where a certificate and a key file are specified for astrobotany.mozz.us. The certificate and key file are located at ~/.local/share/amfora/ in this example, but you can put them anywhere on your computer that Amfora can access.
[auth]
# Authentication settings
[auth.certs]
# Client certificates
# Set domain name equal to path to client cert
# "example.com" = "mycert.crt"
"astrobotany.mozz.us" = "~/.local/share/amfora/astrobotany-cert.pem"
[auth.keys]
# Client certificate keys
# Set domain name equal to path to key for the client cert above
# "example.com" = "mycert.key"
"astrobotany.mozz.us" = "~/.local/share/amfora/astrobotany-key.pem"
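The openssl command above and the [auth.certs] / [auth.keys] pairing both come down to the same two pieces: an ECDSA P-256 self-signed certificate with a CN-only subject, and a PKCS#8 private key that matches it. The following Go program is an added example written for this wiki page, not Amfora's own code (Amfora does not yet generate certificates itself, as noted above). It uses only the standard library. GenerateClientCert produces the same kind of cert/key pair as the openssl command, and CheckClientCert performs the check you would want before pointing a config entry at two files: that the key really belongs to the certificate, that the certificate is within its validity period, and how many days remain. Function names, and the use of time.Now() as the reference time, are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// GenerateClientCert builds a self-signed ECDSA P-256 (prime256v1) client
// certificate with the given Common Name, valid for validDays days, and returns
// the certificate and private key as PEM bytes. This is the same shape of
// output as the openssl command on this page: an X.509 certificate with a
// CN-only subject and a PKCS#8 "PRIVATE KEY" block.
func GenerateClientCert(commonName string, validDays int) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial number, as openssl does for self-signed certs.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Marks the certificate as intended for client authentication.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Self-signed: the template is both subject and issuer, signed by its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// CheckClientCert verifies that a cert/key PEM pair (the two files an
// [auth.certs] and [auth.keys] entry point at) belong together and that the
// certificate is valid at time `at`. It returns the Common Name and the number
// of whole days left before expiry.
func CheckClientCert(certPEM, keyPEM []byte, at time.Time) (cn string, daysLeft int, err error) {
	// tls.X509KeyPair fails if the private key does not match the certificate's public key.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return "", 0, fmt.Errorf("cert and key do not match or are malformed: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", 0, err
	}
	cn = cert.Subject.CommonName
	if at.Before(cert.NotBefore) {
		return cn, 0, fmt.Errorf("certificate for %q is not valid until %s", cn, cert.NotBefore.UTC())
	}
	if at.After(cert.NotAfter) {
		return cn, 0, fmt.Errorf("certificate for %q expired on %s", cn, cert.NotAfter.UTC())
	}
	daysLeft = int(cert.NotAfter.Sub(at).Hours() / 24)
	return cn, daysLeft, nil
}

func main() {
	// Same parameters as the openssl command on this page: CN=username, 1825 days.
	certPEM, keyPEM, err := GenerateClientCert("username", 1825)
	if err != nil {
		panic(err)
	}
	cn, days, err := CheckClientCert(certPEM, keyPEM, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("client cert for CN=%s is valid for %d more days\n", cn, days)
	fmt.Print(string(certPEM))
}
```

Writing certPEM and keyPEM to the two paths named in your config is all that is needed to use the result with Amfora; a cert whose key file was swapped or copied from a different identity fails the CheckClientCert step rather than silently failing the TLS handshake at the server.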
On Windows, OpenSSL is not available out of the box. One way to get it is to install Chocolatey and then run choco install openssl. After that, you should be able to run the command above. Let me know if you have any issues, and I'll update the wiki.
If you'd like to support Amfora development, you can sponsor me through Ko-Fi or GitHub Sponsors. Feel free to submit a PR as well! Thanks.