Certificates Conversion Commands

The Convert cmdlets may be necessary when renewing a certificate, as typical installation commands handle initial certificate conversion and placement.

OpenSSL must be installed to use the Convert-CngOrEccToPem and Convert-CaCertChainToPem commands. Its path must also be set in the System Environment Variables (for example, C:\Program Files\OpenSSL-Win64\bin).

Convert a CA Certificate to a PEM File

RabbitMQ only supports the PEM file format for certificate verification. Typically, a collection of CA certificates is provided in a single file called a CA bundle. There are two types of certificates: Root and Intermediate.

After generation, the newly created PEM file will appear in %HomeDirectory%\rabbitmq.

For more information on certificates and TLS Support for RabbitMQ, see TLS Support.

Example Localhostca.cer

The Examples folder contains the following test file: localhostca.cer. This CER file is strictly for testing TLS on a single machine. Because it is not an actual CA certificate and is not trusted, you must import it into the machine's Trusted Root Certification Authorities store. Otherwise, any connections made to RabbitMQ using this certificate will fail.

$path = "$env:programfiles\Delinea Software Ltd\RabbitMq Helper\net8.0-windows\Examples";

#Use a real CA cert in production unless there are good reasons not to
Convert-CaCertToPem `
  -CaCertPath "$path\localhostca.cer" `
  -Verbose;

Convert a CA Certificate Chain into a PEM File

RabbitMQ only supports the PEM file format for certificate verification. The new PEM file created below will be placed in the %HomeDirectory%\rabbitmq folder. Chains of CA certificates are usually distributed together in a single file, called a CA bundle. One certificate is considered a Root certificate, and the other is an Intermediate certificate.

The created PEM file appears in %HomeDirectory%\rabbitmq.

Examples rootca.cer and intermediateca.cer

The Examples folder contains the rootca.cer and intermediateca.cer files. These certificates are intended for testing TLS on a single machine. They are not actual CA certificates and therefore cannot be trusted. To use them, import them into the Trusted Root Certification Authorities folder. Any connections made to RabbitMQ with these certificates before they are imported will fail.

$path = "$env:programfiles\Delinea Software Ltd\RabbitMq Helper\Examples";

# Use real CA certs in production unless there are good reasons not to
Convert-CaCertChainToPem `
    -RootCertPath "$path\rootca.cer" `
    -IntermediateCertPath "$path\intermediateca.cer" `
    -Verbose;

For more information on certificates and TLS Support for RabbitMQ, see RabbitMQ TLS Support.

Convert a Host PFX to a PEM File

RabbitMQ only supports the PEM File format for certificate verification. After generation, the created PEM file appears in %HomeDirectory%\rabbitmq.

Example Localhost.pfx

The Examples folder contains the following test file: localhost.pfx. This PFX is strictly for testing TLS on a single machine. You must import it into the Personal/Certificates certificate store because it is not a valid certificate issued by a CA and is not trusted.

$path = "$env:programfiles\Delinea Software Ltd\RabbitMq Helper\net8.0-windows\Examples";
# Wrap the PFX password in a credential object for the cmdlet
$password = ConvertTo-SecureString "<PlainTextPassword>" -AsPlainText -Force
$pfxCred = New-Object System.Management.Automation.PSCredential ("Ignored", $password)

Convert-PfxToPem `
    -PfxPath "$path\localhost.pfx" `
    -PfxCredential $pfxCred `
    -Verbose;

For more information on certificates, see RabbitMQ TLS Support.

How to Use CNG or ECC Certificates with the Helper

To use CNG or ECC certificates:

  1. Run the Convert-CngOrEccToPem command to convert your CNG or ECC PFX certificate to cert.key and cert.pem files.

  2. Follow the Convert a CA Certificate to a PEM File instructions to generate your ca.pem file.

  3. Follow the instructions to install RabbitMQ with TLS enabled, using the localhost certs.

  4. Replace the example cert.key, cert.pem, and ca.pem in %HomeDirectory%\rabbitmq with your files.

  5. Restart the RabbitMQ service using the Stop-RabbitMq and Start-RabbitMq helper commands.
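
Before the restart in step 5, it is worth confirming that the three replaced files form a consistent set. The following is an added example, not part of the RabbitMQ Helper or the original page: the function name Test-RabbitMqPemSet, the 30-day threshold, and the directory value are assumptions, and it expects openssl on the PATH and an unencrypted cert.key.

```powershell
# Added example, not part of the RabbitMQ Helper. Requires openssl on PATH.
function Test-RabbitMqPemSet {
    param(
        # Your %HomeDirectory%\rabbitmq folder
        [Parameter(Mandatory)][string]$Directory,
        # Flag certificates that expire within this many days (assumed default)
        [int]$MinDaysValid = 30
    )
    $cert = Join-Path $Directory 'cert.pem'
    $key  = Join-Path $Directory 'cert.key'
    $ca   = Join-Path $Directory 'ca.pem'
    foreach ($file in $cert, $key, $ca) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "Missing file: $file" }
    }

    # Compare public keys instead of RSA moduli so the check also covers ECC keys.
    # Assumes cert.key is not passphrase-protected.
    $pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $cert" }
    $pubFromKey = (& openssl pkey -in $key -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $key" }

    # cert.pem must chain to a CA in ca.pem (this also fails for an expired certificate).
    & openssl verify -CAfile $ca $cert | Out-Null
    $chainOk = ($LASTEXITCODE -eq 0)

    # -checkend exits 0 only if the certificate is still valid after N seconds.
    & openssl x509 -in $cert -noout -checkend ($MinDaysValid * 86400) | Out-Null
    $validLongEnough = ($LASTEXITCODE -eq 0)

    # The key file is the sensitive artifact: list every identity with an Allow entry.
    $keyAccess = (Get-Acl -LiteralPath $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        KeyMatchesCert   = ($pubFromCert -eq $pubFromKey)
        ChainsToCaBundle = $chainOk
        ValidForMinDays  = $validLongEnough
        KeyFileAccess    = $keyAccess -join ', '
    }
}

# Placeholder path: replace with your actual %HomeDirectory%\rabbitmq folder.
$result = Test-RabbitMqPemSet -Directory 'C:\path\to\rabbitmq'
$result | Format-List
if (-not ($result.KeyMatchesCert -and $result.ChainsToCaBundle)) {
    Write-Warning 'cert.pem, cert.key and ca.pem are not a consistent set; fix this before restarting RabbitMQ.'
}
```

KeyFileAccess is report-only: review it and remove any identity that does not need to read the private key.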

Convert a CNG or ECC Certificate to PEM Files

RabbitMQ only supports the PEM File format for certificate verification. The new PEM file created below will be placed in the %HomeDirectory%\rabbitmq folder.

.pfx to .pem Conversion Example

The Examples folder contains the following test file: localhost.pfx. This PFX is strictly for testing TLS on a single machine. Because it is not a valid certificate issued by a CA and is not trusted, you must import it into the Personal/Certificates certificate store for it to be usable. Any connections made to RabbitMQ using this certificate before it is added to the store will fail.

RabbitMQ supports CNG and/or ECC certificates. OpenSSL is needed to convert these types of certificates from PFX. OpenSSL can also be used directly to perform the conversion.

Manual Conversion from .pfx to .pem Using OpenSSL

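For manual conversions, use the following commands. The first extracts the private key (the -nodes option writes it to cert.key unencrypted), and the second extracts the certificate without the key:

openssl pkcs12 -in localhost.pfx -nocerts -out cert.key -nodes

openssl pkcs12 -in localhost.pfx -clcerts -nokeys -out cert.pem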

.pfx to .pem Conversion Using RabbitMQ Helper

You can use the Convert-CngOrEccToPem command for this conversion. The command generates the two files below in the %HomeDirectory%\rabbitmq folder:

  • CngEccCert.key
  • CngEccCert.pem

The converted files are generated in the RabbitMQ folder inside the default directory (for example, C:\RabbitMq\...).

$path = "$env:programfiles\Delinea Software Ltd\RabbitMq Helper\net8.0-windows\Examples";
$password = ConvertTo-SecureString "<PlainTextPassword>" -AsPlainText -Force
$pfxCred = New-Object System.Management.Automation.PSCredential ("Ignored", $password)

Convert-CngOrEccToPem `
    -PfxPath "$path\localhost.pfx" `
    -PfxCredential $pfxCred `
    -Verbose;