RabbitMQ TLS Certificate requirements

TLS Certificates for RabbitMQ must comply with the following rules:

  • The Common name must match the host FQDN.

  • A Subject Alternative Name (SAN) entry for the host NetBIOS name.

  • A Subject Alternative Name (SAN) entry for the cluster name (if you plan to run a RabbitMQ cluster).

  • The certificate must have a private key.

  • The certificate must support Server Authentication.

  • The key size must be at least 2048 bits.

    You can manually convert CNG and/or ECC certificates with OpenSSL. See Convert a CNG or ECC certificate to PEM File.

  • (Optional) The certificate is installed in the machine’s local certificate store if possible. Not all certificate formats and certificate authorities support this.

  • The certificate must come from a certificate authority whose certificate is in the Trusted Root Certification Authorities store on the host.

Exporting the machine certificate for use with RabbitMQ

To export the machine certificate:

  1. Open the Certificate Manager.

  2. Press Win + R to open the Run dialog.

  3. Type certmgr.msc and press Enter.

  4. In the Certificate Manager, go to Personal > Certificates.

  5. Find the certificate you want to export.

  6. Right-click the certificate and select All Tasks > Export.

  7. The Certificate Export Wizard will open. Select Next.

  8. Select Yes, export the private key, and then select Next.

  9. Ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected.

  10. Check Password and enter a password to protect the PFX file. Confirm the password and select Next.

  11. Select Browse to choose the location and file name for the PFX file.

  12. Enter the desired file name and select Save.

  13. Select Next and review the settings.

  14. Select Finish to complete the export process.

Exporting the Certificate Authority certificate for use with RabbitMQ

To export the Certificate Authority certificate:

  1. Open the Certificate Manager.

  2. Press Win + R to open the Run dialog.

  3. Type certmgr.msc and press Enter.

  4. In the Certificate Manager, go to Trusted Root Certification Authorities > Certificates.

  5. Find the root certificate you want to export.

  6. Right-click the certificate and select All Tasks > Export.

  7. The Certificate Export Wizard will open. Select Next.

  8. Choose DER encoded binary X.509 (.CER).

  9. Select Browse to choose the location and file name for the CER file.

  10. Enter the desired file name and select Save.

  11. Select Next and review the settings.

  12. Select Finish to complete the export process.

Manually converting a non-TLS RabbitMQ to use TLS

Converting the host PFX certificate

  1. Install OpenSSL.

    You can also choose another service for the certificate conversion.

  2. Run "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in <filename>.pfx -nocerts -out key.pem and, when prompted:

    1. Enter the password that was set when the PFX was exported.

    2. Enter a password to protect the PEM file (simplest is to reuse the PFX password).

  3. Run "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem, entering the original PFX password when prompted.

  4. Run "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" rsa -in key.pem -out cert.key, entering the PEM password you created in the previous step.

Converting the Trusted Root Certificate Authority Certificate

Run "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -in ca.cer -outform pem -out ca.pem to convert the DER-encoded CA certificate to PEM.

The complete example looks like the following:

  • "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in c:\temp\RMQCLUSTER3.pfx -nocerts -out c:\temp\key.pem

  • "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in c:\temp\RMQCLUSTER3.pfx -clcerts -nokeys -out c:\temp\cert.pem

  • "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" rsa -in c:\temp\key.pem -out c:\temp\cert.key

  • "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -in c:\temp\ca.cer -outform pem -out c:\temp\ca.pem

If the process was successful, you should have the following files ready for use with RabbitMQ:

  • ca.pem

  • cert.pem

  • cert.key
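A quick sanity check on the three output files before copying them to the RabbitMQ host, added here as an example (it is not part of the original page or of OpenSSL). It inspects only the PEM envelopes: ca.pem and cert.pem should each contain exactly one certificate and no key, and cert.key should contain exactly one private key that is no longer passphrase-protected, which is what the final "openssl rsa" step produces (so restrict file access to that key accordingly). The sample PEM strings are constructed placeholders, not real key material.

```python
import re

# Matches one PEM envelope and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return the labels of all PEM blocks in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_cert_file(text):
    """ca.pem / cert.pem: exactly one certificate and no private key."""
    labels = pem_labels(text)
    problems = []
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"expected 1 certificate, found {labels.count('CERTIFICATE')}")
    if any(label in KEY_LABELS for label in labels):
        problems.append("file contains private key material")
    return problems

def check_key_file(text):
    """cert.key: exactly one private key, not passphrase-protected."""
    labels = pem_labels(text)
    problems = []
    # OpenSSL marks an encrypted key either with the PKCS#8 label or, for the
    # traditional format, with a "Proc-Type: 4,ENCRYPTED" header line.
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("key is still passphrase-protected; re-run the 'openssl rsa' step")
    elif sum(label in KEY_LABELS for label in labels) != 1:
        problems.append(f"expected 1 private key, found {sum(label in KEY_LABELS for label in labels)}")
    if "CERTIFICATE" in labels:
        problems.append("key file also contains a certificate; use -nocerts")
    return problems

def check_outputs(ca_pem, cert_pem, cert_key):
    """Map each RabbitMQ input file to its list of problems (empty list = OK)."""
    return {"ca.pem": check_cert_file(ca_pem),
            "cert.pem": check_cert_file(cert_pem),
            "cert.key": check_key_file(cert_key)}

# Constructed samples: the base64 bodies are placeholders, not real key material.
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n"
GOOD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00\n\nMIIE...placeholder\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, problems in check_outputs(GOOD_CERT, GOOD_CERT, ENCRYPTED_KEY).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On real files, read each with open(path).read() and pass the contents to check_outputs.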

Updating the RabbitMQ config to use TLS

To update the RabbitMQ configuration to use TLS:

  1. Copy ca.pem, cert.pem, and cert.key to C:\RabbitMQ on your RabbitMQ host.

  2. Run Notepad as administrator and open C:\RabbitMq\rabbitmq.conf.

  3. Add the following lines to the end of the config file:

    listeners.ssl.default = 5671
    ssl_options.versions.1 = tlsv1.2
    ssl_options.versions.2 = tlsv1.3
    ssl_options.verify = verify_peer
    ssl_options.fail_if_no_peer_cert = false
    ssl_options.cacertfile = C:\\RabbitMq\\ca.pem
    ssl_options.certfile = C:\\RabbitMq\\cert.pem
    ssl_options.keyfile = C:\\RabbitMq\\cert.key

    The complete example will look like the following:

    listeners.tcp.default = 5672
    # logging to file and/or to an exchange
    # log.dir = C:\\temp
    log.file = rabbit@RMQCLUSTER3.log
    # log.file = false
    log.file.level = error
    # log.exchange = true
    # log.exchange.level = error
    listeners.ssl.default = 5671
    ssl_options.versions.1 = tlsv1.2
    ssl_options.versions.2 = tlsv1.3
    ssl_options.verify = verify_peer
    ssl_options.fail_if_no_peer_cert = false
    ssl_options.cacertfile = C:\\RabbitMq\\ca.pem
    ssl_options.certfile = C:\\RabbitMq\\cert.pem
    ssl_options.keyfile = C:\\RabbitMq\\cert.key
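A small checker for the TLS keys in this configuration, added as an example (it is not RabbitMQ tooling, and it parses only the flat key = value format shown above). It reports missing certificate paths, TLS versions older than 1.2, and Windows paths whose backslashes are not doubled as in the page's example, and it points out two settings that are valid as written but worth knowing about: verify_peer together with fail_if_no_peer_cert = false means client certificates are checked when presented but are not required, and listeners.tcp.default left in place keeps the plaintext AMQP listener on 5672 alongside the TLS one. The sample input is the page's own complete example.

```python
def parse_conf(text):
    """Parse sysctl-style rabbitmq.conf lines (key = value); '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_tls(conf):
    """Return (severity, message) findings for the TLS keys; [] means nothing to report."""
    findings = []
    if "listeners.ssl.default" not in conf:
        findings.append(("error", "listeners.ssl.default is missing: no TLS listener is enabled"))
    for key in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        path = conf.get(key)
        if path is None:
            findings.append(("error", f"{key} is missing"))
        elif "\\" in path and "\\\\" not in path:
            findings.append(("warn", f"{key}: backslashes are not doubled as in the page's example"))
    versions = [v for k, v in conf.items() if k.startswith("ssl_options.versions.")]
    for v in versions:
        if v not in ("tlsv1.2", "tlsv1.3"):
            findings.append(("error", f"TLS version {v} is older than 1.2"))
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append(("warn", "ssl_options.verify is not verify_peer: client certificates are never checked"))
    elif conf.get("ssl_options.fail_if_no_peer_cert", "false") == "false":
        findings.append(("info", "fail_if_no_peer_cert = false: clients without a certificate are still accepted"))
    if "listeners.tcp.default" in conf:
        findings.append(("info", f"plaintext AMQP listener still enabled on port {conf['listeners.tcp.default']}"))
    return findings

# The page's complete example as sample input; a raw string keeps the doubled backslashes.
PAGE_CONF = r"""
listeners.tcp.default = 5672
# logging to file and/or to an exchange
log.file = rabbit@RMQCLUSTER3.log
log.file.level = error
listeners.ssl.default = 5671
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.3
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = C:\\RabbitMq\\ca.pem
ssl_options.certfile = C:\\RabbitMq\\cert.pem
ssl_options.keyfile = C:\\RabbitMq\\cert.key
"""
```

Run check_tls(parse_conf(open(r"C:\RabbitMq\rabbitmq.conf").read())) against the live file; the page's example yields only the two informational findings.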