TLS Setup for RabbitMQ
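#!/bin/bash
# Create a throwaway test CA in ./testca, driven by ../openssl.cnf.
#
# Produces (relative to the current directory):
#   testca/cacert.pem          self-signed CA certificate, valid 365 days
#   testca/private/cakey.pem   CA private key; the path comes from the
#                              default_keyfile setting in openssl.cnf
#   testca/certs/, testca/index.txt, testca/serial
#                              state that `openssl ca` needs when signing
#
# Must be run from the directory that contains openssl.cnf.
set -euo pipefail

mkdir -pv testca
cd testca || exit 1

mkdir -pv certs private
# Owner-only directory: with -nodes below the CA key is written unencrypted,
# so the directory mode is the only thing protecting it.
chmod 700 private

# `openssl ca` refuses to sign without a serial file and an (empty) database.
echo 01 > serial
touch index.txt

# Self-signed root: -x509 issues the certificate directly instead of a CSR;
# -newkey generates the key into the default_keyfile path from openssl.cnf.
openssl req -x509 -config ../openssl.cnf -newkey rsa:2048 -days 365 \
  -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

cd ..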
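#!/bin/bash
# Generate a server key and CSR in ./server and sign it with the test CA in
# ./testca (created by the CA script, using the same ../openssl.cnf).
# Must be run from the directory that contains openssl.cnf and testca/.
#
# The certificate's CN defaults to this machine's hostname. Set SERVER_CN
# when generating a certificate for a remote machine:
#   SERVER_CN=<hostname> ./this_script
set -euo pipefail

server_cn=${SERVER_CN:-$(hostname)}

mkdir -pv server
cd server || exit 1

# Tighten the umask only while the private key is written so key.pem is
# never group/world-readable regardless of the caller's umask. The CSR and
# certificate keep normal permissions because they are meant to be copied.
(umask 077; openssl genrsa -out key.pem 2048)

# The CN is quoted so an unusual hostname cannot be split into extra
# arguments by the shell.
openssl req -new -key key.pem -out req.pem -outform PEM \
  -subj "/CN=${server_cn}/O=server/" -nodes

cd ../testca || exit 1
# -extensions selects server_ca_extensions (serverAuth EKU) instead of the
# x509_extensions default in openssl.cnf; -batch skips the confirmation
# prompt; -notext omits the human-readable dump from cert.pem.
openssl ca -config ../openssl.cnf -in ../server/req.pem -out ../server/cert.pem \
  -notext -batch -extensions server_ca_extensions
cd ..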
# openssl.cnf for the test CA.
#
# CA definition used by `openssl ca` (the server-signing step). `dir = .`
# makes every path below relative to the working directory, so `openssl ca`
# has to be run from inside testca/ — which is why the scripts cd there first.
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
# Same file that default_keyfile in [ req ] writes when the CA is created.
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = testca_policy
# Default extension set for issued certificates; the server script overrides
# it with `-extensions server_ca_extensions`.
x509_extensions = certificate_extensions
# Subject policy for certificates this CA issues: only the CN is mandatory.
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
# Fallback extensions when no -extensions is given: a plain end-entity cert.
[ certificate_extensions ]
basicConstraints = CA:false
# `openssl req` defaults, used when creating the self-signed root.
# prompt = yes would ask for the DN interactively, but both scripts pass
# -subj, which supplies the subject and bypasses the prompt.
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
# In prompt mode the value here is the prompt text for the field, not a default.
[ root_ca_distinguished_name ]
commonName = hostname
# Extensions for the self-signed root: a CA that may sign certificates and CRLs.
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
# End-entity extensions for client certificates
# (EKU 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth). Not used by the scripts above.
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# End-entity extensions for the broker certificate
# (EKU 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth).
# NOTE(review): no subjectAltName is set; many current TLS clients ignore the
# CN when matching the hostname and will reject this certificate. Add
# `subjectAltName = DNS:<hostname>` here if that matters for your clients.
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# RabbitMQ TLS listener (new-style rabbitmq.conf).
# The three files below are the cacert.pem, server/cert.pem and server/key.pem
# produced by the scripts above, placed under /var/lib/rabbitmq/openssl/
# (the copy step is not shown on this page).
listeners.ssl.default = 5671
ssl_options.cacertfile = /var/lib/rabbitmq/openssl/cacert.pem
ssl_options.certfile = /var/lib/rabbitmq/openssl/server/cert.pem
# The broker process must be able to read the key; keep it owner-only for
# the rabbitmq user rather than world-readable.
ssl_options.keyfile = /var/lib/rabbitmq/openssl/server/key.pem
# Clients are not required to present a certificate.
# NOTE(review): no ssl_options.verify is set here, so client certificates are
# presumably not verified at all — confirm against the RabbitMQ TLS docs
# before relying on this for mutual TLS.
ssl_options.fail_if_no_peer_cert = false
# Allowed protocol versions.
# NOTE(review): TLS 1.1 is deprecated (RFC 8996); drop versions.2 unless a
# legacy client still needs it.
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
# Prefer the server's cipher-suite and ECC curve order over the client's.
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true