Basically, nds-constrain't is one of the greatest discoveries of all time.
That discovery was that Nintendo's NTR SSL library didn't care if certificates were signed by a non-CA certificate as long as they were still linked to the root CA. (What a huge fail!)
This allows the NDS to connect to unofficial services without patching the ROM, which is great.
Shutterbug2000 is responsible for this discovery. If you haven't seen his work, please do.
The rest of this page is a vague guide on setting it up. :-)
If you don't need to make your own certificate, then feel free to download this sample certificate which is valid for all domains, then skip to step 4. However, I would recommend making your own for security reasons.
Step 1) Getting the Wii client certificate
As explained in the page, the Wii client certificate is signed by Nintendo, and can therefore be used to sign other certificates.
You could get it from your Wii itself, or you can download "Wii NWC Prod 1" at Larsenv's page.
(Arian Kordi probably dumped this since his name is in the footer. Thanks!)
Step 2) Converting it to a useable format
As you probably noticed, the file is PKCS12 which is not what you'll want for signing certificates.
openssl pkcs12 -in WII_NWC_1_CERT.p12 -passin pass:alpine -passout pass:alpine -out keys.txt
This will export the public and private keys. (The private key will have the password alpine again.)
Since I don't know how to export them separately, you'll have to take them from the keys.txt output.
Save them as NWC.crt and NWC.key or something.
Step 3) Signing your certificate
They have the commands for this on the official page, but I'll copy them here too.
Make sure it's in the right format, since the DS can only handle SHA1 and MD5 ciphers.
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA NWC.crt -CAkey NWC.key -CAcreateserial -out server.crt -days 3650 -sha1
cat server.crt NWC.crt > server-chain.crt
Afterwards, you should now have your certificates.
Step 4) Using your certificates
If you can't figure out how to install SSL certificates, you wouldn't have made it this far.
Many people get stuck here since the device will keep refusing their connection even with a valid cert.
This is most likely due to your webserver not wanting to work with the DSi's insecure and outdated SSL.
You will want to make sure your server supports SSLv3 and the ECDHE-RSA-AES128-SHA (or MD5) cipher set.
If it doesn't, reverse-proxy it with NGINX to enable NDS connections to work.
Here is a configuration for NGINX that should be NDS-compatible.
ssl_protocols SSLv3; ssl_ciphers ECDHE-RSA-AES128-SHA;This isn't SSL related, but if you're using NGINX I'd also recommend setting the following options for WFC.
underscores_in_headers on; proxy_pass_request_headers on;Also note this may not work if you have a bunch of other things configured on NGINX or on certain versions.
If you still can't get this working, feel free to contact me and ask for help.
Step 5) Whatever you want
I don't know, go write a server or something, there are many possibilities.
You can mess with protocols, try implementing some WFC stuff, do whatever you want!
Enjoy not requiring ROM patches! :-)