Family configuration

You might want to specify a family your router belongs to. There are two ways to do this: create a new family or join to an existing one.

New family

To create a new family, you must first create a family self-signed certificate and key.
The only key type supported is prime256v1. Use the following list of commands to do this through openssl:

openssl ecparam -name prime256v1 -genkey -out <your family name>.key  
openssl req -new -key <your family name>.key -out <your family name>.csr  
touch v3.ext
openssl x509 -req -days 3650 -in <your family name>.csr -signkey <your family name>.key -out <your family name>.crt -extfile v3.ext

Specify <your family name> for the CN (Common Name) when requested.

Once you are done generating it place <your-family-name>.key and <your-family-name>.crt in the /family folder (for example ~/.i2pd/family). You should provide these two files to other members joining your family. If you want to register your family and let the I2P network recognize it, create a pull request for your .crt file into contrib/certificate/family. Certificates added into the public repository this way will appear in i2pd and I2P next releases packages. Don't place .key file, it must be shared between you family members only.

How to join existing family

Once you and that family agree to do it, they must give you .key and .crt file and you must place in /certificates/family/ folder.

Publish your family

Run i2pd with the parameters 'family=<your-family-name>', and make sure you have <your-family-name>.key and <your-family-name>.crt in your 'family' folder. If everything is set properly, you will contain two new fields: 'family' and 'family.sig'. If not, your router will complain on startup with log messages starting with "Family:" prefix and severity 'warn' or 'error'.

Export to Java-I2P from i2pd

  1. Convert private key file to PKCS#8

The private key is in an openssl "EC Parameter File" format:


It must be converted to PKCS#8 format first.

openssl pkcs8 -topk8 -nocrypt -in your-family-name.key -out your-family-name.pkcs8

Now you have a pkcs8 private key in the your-family-name.pkcs8 file:

  1. Combine PKCS#8 and certificate files

Now combine the pkcs8 and certificate files into a single file:

cat your-family-name.pkcs8 your-family-name.crt > your-family-name.secret
  1. Import combined file

Now go to Java i2p console page and Join Existing Router Family selecting the file your-family-name.secret to join that family.


Export to i2pd from Java-I2P

Go to Java i2p console page and export family key. You'll have a file family-your-family-name-secret.crt. It contains both the private key and the public key certificate.

Copy it to your-family-name.key and your-family-name.crt.

Edit your-family-name.key in a text editor to remove the certificate part so it contains only the private key part.

Edit your-family-name.crt in a text editor to remove the private key part so it contains only the certificate part.

Move the your-family-name.key and your-family-name.crt files to the i2pd /certificates/family/ folder, as instructed here.

This assumes that i2pd/openssl can handle the PKCS#8 format for the private key.


TODO: List common errors