Using client certificates to login

Passwordless authentication is possible in XMPP through the use of mecanisms such as SASL External. This mechanism has to be supported by both the client and the server. This page does not cover the server setup, but prosody has a mod_client_certs module which can perform this kind of authentication, and also helps you create a self-signed certificate.

Poezio configuration

If you created a certificate using the above link, you should have at least two files, a .crt (public key in PEM format) and a .key (private key in PEM format).

You only have to store the files wherever you want and set keyfile with the path to the private key (.key), and certfile with the path to the public key (.crt).

Authorizing your keys

Now your poezio is setup to try to use client certificates at each connection. However, you still need to inform your XMPP server that you want to allow those keys to access your account.

This is done through /cert_add. Once you have added your certificate, you can try to connect without a password by commenting the option.


The /cert_add command and the others are only available if your server supports them.


Now that this is setup, you might want to use /certs to list the keys currently known by your XMPP server, /cert_revoke or /cert_disable to remove them, and /cert_fetch to retrieve a public key.