@lukebakken
Last active April 20, 2018 22:54

Setup

Clone tls-gen, then in the two_shared_intermediates sub-directory:

make CN=HOSTNAME_1
cp result/* path/to/root_ca_1
make clean
make CN=HOSTNAME_2
cp result/* path/to/root_ca_2

%% {cacertfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/chained_ca_both.pem"},
%% {cacertfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/ca_both.pem"},

Root CA 1 only

Scenario 1

[
    {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [
            {cacertfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/ca_certificate.pem"},
            {certfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_certificate.pem"},
            {keyfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_key.pem"},
            {verify, verify_peer},
            {fail_if_no_peer_cert, true},
            {depth, 8}
        ]}
    ]}
].

This scenario uses certificates from a single Root CA only (the root_ca_1 directory); the RabbitMQ cacertfile points to the Root CA certificate alone, without the intermediate.

openssl s_client -connect messiaen_1:5671 -CAfile root_ca_1/ca_certificate.pem -cert root_ca_1/client_certificate.pem -key root_ca_1/client_key.pem

results in this server-side error:

TLS server: In state certify at ssl_handshake.erl:1293 generated SERVER ALERT: Fatal - Unknown CA

whereas passing the chained CA file to the client

openssl s_client -connect messiaen_1:5671 -CAfile root_ca_1/chained_ca_certificate.pem -cert root_ca_1/client_certificate.pem -key root_ca_1/client_key.pem

is successful.

Scenario 2

[
    {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [
            {cacertfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/chained_ca_certificate.pem"},
            {certfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_certificate.pem"},
            {keyfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_key.pem"},
            {verify, verify_peer},
            {fail_if_no_peer_cert, true},
            {depth, 8}
        ]}
    ]}
].

Even though the server is aware of the CA certificate chain via chained_ca_certificate.pem, the following command fails:

openssl s_client -connect messiaen_1:5671 -CAfile root_ca_1/ca_certificate.pem -cert root_ca_1/client_certificate.pem -key root_ca_1/client_key.pem

Thus it appears that, for client certificate validation, the client application must present the entire CA certificate chain, including intermediates; the server does not fill in a missing intermediate from its own cacertfile.
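The chain-building rule behind that observation, as an added example that is not part of the gist: a throwaway root, intermediate and client certificate are generated with openssl, and the client certificate is then checked with the root alone, with the chained CA file, and with the root plus an intermediate the client would present itself. It assumes a POSIX sh with openssl 1.1.1 or later on PATH, and uses openssl's verifier as a stand-in for the Erlang ssl check; the file names mirror tls-gen's but every certificate here is constructed locally.

```shell
#!/bin/sh
# Constructed demo (not the gist's files): build root -> intermediate -> client leaf
# with openssl, then verify the leaf the way a server would, with different trust inputs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# Extension files: basicConstraints CA:TRUE is what lets a certificate act as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Root CA (self-signed).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile ca.ext 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 1 -extfile ca.ext 2>/dev/null

# Client certificate, signed by the intermediate (the role of tls-gen's client_certificate.pem).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=demo-client" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out client.pem -days 1 -extfile leaf.ext 2>/dev/null

# Equivalent of tls-gen's chained_ca_certificate.pem: intermediate followed by root.
cat inter.pem root.pem > chained.pem

# verify_client TRUSTED [PRESENTED]: prints ok or fail. TRUSTED plays the server's cacertfile;
# PRESENTED (optional) plays the intermediate the client sends along with its leaf in the handshake.
verify_client() {
    if [ -n "$2" ]; then untrusted="-untrusted $WORK/$2"; else untrusted=""; fi
    if openssl verify -CAfile "$WORK/$1" $untrusted "$WORK/client.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "root only, client sends leaf only:         $(verify_client root.pem)"            # fail
echo "chained CA file, client sends leaf only:   $(verify_client chained.pem)"         # ok
echo "root only, client also sends intermediate: $(verify_client root.pem inter.pem)" # ok
```

The second and third cases are the two fixes the gist arrives at: either the verifier's trust file carries the intermediate, or the peer presents it.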

Root CA 1 and 2

Scenario 1

Concatenate both Root CA certs:

cat root_ca_1/ca_certificate.pem root_ca_2/ca_certificate.pem > ca_both.pem

[
    {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [
            {cacertfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/ca_both.pem"},
            {certfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_certificate.pem"},
            {keyfile,"/Users/lbakken/issues/rabbitmq-users/different-roots-1Pyowi3exro/root_ca_1/server_key.pem"},
            {verify, verify_peer},
            {fail_if_no_peer_cert, true},
            {depth, 8}
        ]}
    ]}
].

  • Connecting using Root CA 2 certs:

openssl s_client -connect messiaen_1:5671 -CAfile root_ca_2/ca_certificate.pem -cert root_ca_2/client_certificate.pem -key root_ca_2/client_key.pem

produces the following server error:

TLS server: In state certify at ssl_handshake.erl:1293 generated SERVER ALERT: Fatal - Unknown CA

and client error:

Verify return code: 21 (unable to verify the first certificate)

  • Connecting using concatenated Root CA certs:

openssl s_client -connect messiaen_1:5671 -CAfile ca_both.pem -cert root_ca_2/client_certificate.pem -key root_ca_2/client_key.pem

results in the same errors as above.
