TLS Setup for RabbitMQ
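#!/bin/bash
# Create a throwaway test CA in ./testca, driven by ../openssl.cnf
# (path relative to the testca directory, as the config's $dir = . expects).
#
# Environment:
#   CA_NAME - commonName of the self-signed root (default: MyTestCA)
#   CA_DAYS - validity of the root certificate in days (default: 365)
#
# Outputs: testca/cacert.pem (self-signed root, PEM); the matching private
# key is written to testca/private/cakey.pem via default_keyfile in
# openssl.cnf. Exits non-zero as soon as any step fails.
set -euo pipefail

ca_name=${CA_NAME:-MyTestCA}
ca_days=${CA_DAYS:-365}

mkdir -pv testca
cd testca || exit 1
mkdir -pv certs private
# The CA private key lands in private/; keep the directory owner-only.
chmod 700 private
# Database files referenced by the [ testca ] section of openssl.cnf.
# Re-running this script restarts serials at 01 together with a new root,
# so never reuse an old cacert.pem with a regenerated serial file.
printf '01\n' > serial
touch index.txt
# -nodes leaves the CA key unencrypted on disk: acceptable for a disposable
# test CA only; drop it for any CA whose key outlives the test setup.
openssl req -x509 -config ../openssl.cnf -newkey rsa:2048 -days "$ca_days" \
  -out cacert.pem -outform PEM -subj "/CN=${ca_name}/" -nodes
cd ..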
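#!/bin/bash
# Issue a server certificate from the test CA in ./testca.
#
# Arguments:
#   $1 - hostname to place in the certificate's commonName
#        (default: output of hostname; pass one explicitly when generating
#        a certificate for a remote machine)
#
# Outputs: server/key.pem (private key, mode 600), server/req.pem (CSR) and
# server/cert.pem (signed by testca using server_ca_extensions from
# openssl.cnf). Exits non-zero as soon as any step fails.
set -euo pipefail

host=${1:-$(hostname)}

mkdir -pv server
cd server || exit 1
openssl genrsa -out key.pem 2048
# Do not rely on genrsa to restrict the key file's mode; tighten it here.
chmod 600 key.pem
# The subject is quoted so a hostname is never word-split or glob-expanded.
openssl req -new -key key.pem -out req.pem -outform PEM \
  -subj "/CN=${host}/O=server/" -nodes
cd ../testca || exit 1
# server_ca_extensions sets the serverAuth EKU but no subjectAltName, so
# clients that insist on a SAN will not accept the resulting certificate.
openssl ca -config ../openssl.cnf -in ../server/req.pem -out ../server/cert.pem \
  -notext -batch -extensions server_ca_extensions
cd ..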
# OpenSSL configuration for the throwaway test CA built by the scripts in
# this gist. Paths are relative to the testca directory, so both the CA
# creation (openssl req -x509) and signing (openssl ca) run from there.
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
# Unencrypted when the CA is created with -nodes; keep private/ at mode 700.
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = testca_policy
# Default extension section for `openssl ca`; the signing script overrides
# it with -extensions server_ca_extensions.
x509_extensions = certificate_extensions
[ testca_policy ]
# Only commonName is mandatory in a CSR; every other field is accepted as
# supplied (or omitted) without being checked against the CA's own DN.
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
# Where `openssl req -newkey` writes the CA key; the CA creation script
# relies on this path.
default_keyfile = ./private/cakey.pem
default_md = sha256
# Interactive prompts are skipped whenever the scripts pass -subj.
prompt = yes
distinguished_name = root_ca_distinguished_name
# Extensions applied to the self-signed root (openssl req -x509).
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
# Prompt label for the CN field; only shown when prompting is actually used.
commonName = hostname
[ root_ca_extensions ]
# NOTE(review): neither extension is marked critical; a non-test CA would
# normally use `critical, CA:true` and `critical, keyCertSign, cRLSign`.
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
# 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
# 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth. No subjectAltName is defined here,
# so clients that require a SAN will reject certificates issued with it.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# RabbitMQ TLS listener (new-style rabbitmq.conf). The paths point at copies
# of the files produced by the gist's scripts; the key file must be readable
# by the rabbitmq user and by nobody else.
listeners.ssl.default = 5671
ssl_options.cacertfile = /var/lib/rabbitmq/openssl/cacert.pem
ssl_options.certfile = /var/lib/rabbitmq/openssl/server/cert.pem
ssl_options.keyfile = /var/lib/rabbitmq/openssl/server/key.pem
# No ssl_options.verify line is present (RabbitMQ defaults to verify_none),
# so clients are not authenticated by certificate. For mutual TLS add
# `ssl_options.verify = verify_peer` and set this option to true.
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.2
# NOTE(review): TLS 1.1 is deprecated (RFC 8996); remove this line unless a
# specific legacy client still depends on it.
ssl_options.versions.2 = tlsv1.1
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true