Mumble authentication

From MCH2022 wiki

authentication & encryption

Conversations are encrypted based on PKI certificates. Mumble uses a self-signed certificate client-side. If you'd like to configure your own certificate client-side (for instance, a CAcert one), follow these steps:

  • Generate a private key and Certificate Signing Request (don't worry about answering the C/ST/L/O/OU questions properly; the information in the CSR will be ignored by CAcert)
openssl req -utf8 -nodes -sha256 -newkey rsa:4096 -keyout username-mumble.key -out username-mumble.csr
  • Issue a "Client Certificate" based on the CSR via the CAcert website (the Common Name will be one of the email addresses you've verified with CAcert)
    • Include your name
    • Un-check "Enable certificate login with this certificate"
  • Download the certificate and the CAcert Root certificates
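  • Combine the private key, certificate, Intermediate CA certificate ("Class 3 PKI key") and the CA Root certificate ("Class 1 PKI key") into a single PKCS12 file. openssl pkcs12 honours only one -certfile option (a repeated one overrides the earlier one), so concatenate the two CA certificates into one file first
cat CAcert_Class_3_Root.pem CA_Cert_Signing_Authority.pem > cacert-chain.pem
openssl pkcs12 -export -out username-mumble.pkcs12 -inkey username-mumble.key -in username-mumble.pem -certfile cacert-chain.pem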
  • Import the PKCS12 file into the Mumble client

Make sure you also trust the CAcert Root certificates locally, or else the Mumble client will fail to connect, as the client also checks the issuers of the imported certificate.
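
A pre-import check for the bundle built in the steps above, added here as an example (it is not part of the original wiki page): it confirms that the private key belongs to the issued certificate, that the certificate chains through the intermediate to the root, and that the PKCS12 file carries all three certificates. The function names and the P12_PASS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and P12_PASS are hypothetical, not Mumble's or CAcert's.

# Succeeds only if the private key and the issued certificate share a public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if CERT verifies against ROOT, with INTERMEDIATE supplied as an
# untrusted helper certificate. This is the issuer check that makes the client
# refuse to connect when the chain is incomplete.
chain_verifies() {  # usage: chain_verifies CERT INTERMEDIATE ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Prints the number of certificates inside a PKCS12 file. For the bundle from
# the steps above the expected value is 3 (client cert + intermediate + root).
# The export password is read from the exported variable P12_PASS so that it
# does not appear on the command line.
p12_cert_count() {  # usage: export P12_PASS=...; p12_cert_count FILE
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Runs the key and chain checks and reports the first failure.
preflight() {  # usage: preflight KEY CERT INTERMEDIATE ROOT
    key_matches_cert "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 1; }
    chain_verifies "$2" "$3" "$4" ||
        { echo "certificate does not chain to the given root" >&2; return 1; }
    echo "ok: key matches certificate and chain verifies"
}

# With the page's file names:
#   preflight username-mumble.key username-mumble.pem \
#             CAcert_Class_3_Root.pem CA_Cert_Signing_Authority.pem
#   export P12_PASS='your export password'; p12_cert_count username-mumble.pkcs12
```

A count of 2 from p12_cert_count means one of the CA certificates was left out of the bundle.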