now | blog | wiki | recipes | bookmarks | contact | about | donate
* * * back home * * *
authenticating with capsules on gemini
Many folks would think that the Gemini protocol is for static capsules only, and largely, they'd be right, but there are a few capsules on the protocol where you can do interactive stuff, such as chat with other people, make posts, and more.
Since this isn't the normal Web, we don't have an easy way to create accounts (usernames/passwords). Instead, we rely on certificates that we generate on our own local machines and manage ourselves.
On Gemini, to handle authentication, we use client certificates and then tell our Gemini browser how to handle them.
Generating and using your client certificate is quite simple. In this example, I am going to be showing you how to do it in the amfora Gemini browser, since this is the main one I use and have experience with.
To get started, simply run this command (remember to replace username with whatever you want your name to be):
openssl req -new -subj "/CN=username" -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 1825 -nodes -out cert.pem -keyout key.pem
You should now have two new files: cert.pem and key.pem. Now, we need to put these files where Amfora can see them:
mv cert.pem key.pem ~/.local/share/amfora
We now have our certs! We can configure Amfora to use them on different domains by telling Amfora to apply them to these domains in its configuration file (which can be found at ~/.config/amfora/config.toml), and telling it where to look for the cert/key files. Here's an example, using the Station social capsule as the domain we're authenticating with:
[auth.certs]
# Client certificates
# Set URL equal to path to client cert file
"station.martinrue.com" = "~/.local/share/amfora/cert.pem"
[auth.keys]
# Client certificate keys
# Same as [auth.certs] but the path is to the client key file.
"station.martinrue.com" = "~/.local/share/amfora/key.pem"
You can configure as many domains as needed in this way using the same cert/key pair!
After you've generated your certificate and key pair, the files are right there on your machine. You can move them from machine to machine if you want, put them on your own server, however you want to manage them, and use them to authenticate with your favorite Gemini capsules as you would on the machine you originally generated them on. Just make sure you keep them safe and don't put them on the public internet so other people can use them and masquerade as you!
I recommend keeping them on an external hard drive or flash drive that only you control, and move them between machines you plan on using for interacting with your favorite capsules. Put them on your machine, copy your Amfora config, make sure they're all in the right locations as we discussed above, and you're good to go!