Mumble authentication
authentication and encryption
This page has been copied from the MCH2022 source.
Conversations are encrypted based on PKI certificates; by default, Mumble uses a self-signed certificate client-side.
It seems CAcert does not provide certificates as CAcert.org is not secure. Will look into this and modify this page accordingly.
If you'd like to configure your own certificate client-side, for instance, a CAcert one, you'll need to follow these steps:
- Generate a private key and Certificate Signing Request (don't worry about the proper C/ST/L/O/OU questions, information in the CSR will be ignored by CAcert).
openssl req -utf8 -nodes -sha256 -newkey rsa:4096 -keyout username-mumble.key -out username-mumble.csr
- Issue a "Client Certificate" based on the CSR via the CAcert website (the Common Name will be one of the email addresses you've verified with CAcert).
- Include your name.
- Un-check Enable certificate login with this certificate.
- Download the certificate and the CAcert Root certificates.
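- Combine the private key, certificate, Intermediate CA certificate ("Class 3 PKI key") and the CA Root certificate ("Class 1 PKI key") into a single PKCS12 file. openssl pkcs12 honours only one -certfile option (a repeated one replaces the earlier value), so first concatenate the two CA certificates into one file (here named cacert-chain.pem).
cat CAcert_Class_3_Root.pem CA_Cert_Signing_Authority.pem > cacert-chain.pem
openssl pkcs12 -export -out username-mumble.pkcs12 -inkey username-mumble.key -in username-mumble.pem -certfile cacert-chain.pem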
- Import the PKCS12 file into the Mumble client.
Make sure you also trust the CAcert Root certificates locally, or else the Mumble client will fail to connect, as the client also checks the issuers of the imported certificate.
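A pre-import check for the bundle built in the steps above, as an added example that is not part of the original page: it confirms that the client certificate chains through the intermediate to the root, and that the PKCS12 file really contains all three certificates. The function names, file names and the throwaway demo CA are constructed for illustration; no CAcert material is used.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run before importing a
# client bundle into Mumble. All names and the demo CA below are constructed.

# verify_chain LEAF INTERMEDIATE ROOT: succeeds only if LEAF chains to ROOT.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# bundle_cert_count P12 PASSWORD: prints how many certificates the bundle holds.
bundle_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# make_demo_chain DIR: builds a constructed root -> intermediate -> client chain
# standing in for the "Class 1" root, "Class 3" intermediate and issued cert.
make_demo_chain() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 2 \
          -subj '/CN=Demo Root' -keyout root.key -out root.pem
      openssl req -nodes -newkey rsa:2048 -sha256 \
          -subj '/CN=Demo Intermediate' -keyout int.key -out int.csr
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 2 -sha256 -out int.pem
      openssl req -nodes -newkey rsa:2048 -sha256 \
          -subj '/CN=user@example.org' -keyout client.key -out client.csr
      openssl x509 -req -in client.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -days 2 -sha256 -out client.pem
    ) >/dev/null 2>&1
}

# bundle_demo DIR CERTFILE PASSWORD: exports the client key and certificate
# together with the CA certificates found in the single file CERTFILE.
bundle_demo() {
    openssl pkcs12 -export -out "$1/client.p12" -inkey "$1/client.key" \
        -in "$1/client.pem" -certfile "$2" -passout "pass:$3" >/dev/null 2>&1
}
```

Against real files, run verify_chain on the issued certificate, the intermediate and the root, then bundle_cert_count on the exported PKCS12 file; a count below 3 means a CA certificate was left out of the bundle.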