After you configure the primary RabbitMQ server, you must create self-signed SSL/TLS certificates for it.

About this task

In the following example, there are two CentOS hosts and one Load Balancer server.

Prerequisites

To use the keytool command, you must have Java installed. You have two options:

  • Install Java on your system.

  • Run the keytool command on another system that has it installed and copy the resulting certificate and key files to the RabbitMQ servers after you create them.

Procedure

  1. Create a key pair and a self-signed certificate in a Java keystore.
    Important:

    The SAN attribute must list the DNS names and IP addresses of all of the RabbitMQ hosts and of the load balancer. Clients check the name or address they connect to against this list, so any name that is missing from it causes a certificate error. Update the values in the command to match your environment. The CN attribute must contain a wildcard for the domain. Because this is a self-signed certificate, the root (CA) certificate and the server certificate are the same. The password vmware used in the commands is a placeholder; replace it with your own.

    keytool -genkeypair \
    -keystore rootca.jks \
    -storepass vmware \
    -keyalg RSA \
    -validity 365 \
    -keypass vmware \
    -alias rabbitmq \
    -dname "CN=*.corp-ext.local, OU=Test, O=Corp, L=Palo Alto, S=CA, C=US" \
    -ext "san=dns:test2.corp-ext.local,dns:test3.corp-ext.local,dns:testrabbitmqlb.corp-ext.local,ip:172.31.3.39,ip:172.31.3.40,ip:172.31.3.41"
    Note:

    You can change the validity period of the certificate by adjusting the validity value in the command. In the example, the created certificate is valid for 365 days.

  2. Export the RabbitMQ key pair to a PKCS12 keystore.
    keytool -importkeystore -srckeystore rootca.jks \
    -destkeystore foo.p12 -deststoretype pkcs12 \
    -srcstorepass vmware -deststorepass vmware \
    -alias rabbitmq
  3. Convert the key pair file to PEM format.
    openssl pkcs12 -in foo.p12 \
    -out foo.pem -passin pass:vmware \
    -passout pass:vmware
  4. Extract the encrypted private key.
    sed -n '/-----BEGIN ENCRYPTED PRIVATE KEY-----/,/-----END ENCRYPTED PRIVATE KEY-----/p' \
    foo.pem > enc.pem
  5. Decrypt the private key. RabbitMQ reads the key without a passphrase, so unenc.pem is unencrypted and must be readable only by the rabbitmq user once it is installed.
    openssl rsa -in enc.pem \
    -out unenc.pem -passin pass:vmware
  6. Extract the certificate.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    foo.pem > cert.pem
  7. Install the self-signed certificate and key by copying them to the newly created directories. Because the certificate is self-signed, the same cert.pem serves as the CA certificate (cacert.pem) and as the server and client certificate.

    cp cert.pem /etc/rabbitmq/testca/cacert.pem
    cp cert.pem /etc/rabbitmq/server/cert.pem
    cp unenc.pem /etc/rabbitmq/server/key.pem
    cp cert.pem /etc/rabbitmq/client/cert.pem
    cp unenc.pem /etc/rabbitmq/client/key.pem

  8. Change the ownership of the certificate directories to the rabbitmq user so that the service can read the certificate and key files.

    chown -R rabbitmq: /etc/rabbitmq/testca
    chown -R rabbitmq: /etc/rabbitmq/server
    chown -R rabbitmq: /etc/rabbitmq/client
  9. Start and enable the rabbitmq-server service.
    service rabbitmq-server start
    chkconfig rabbitmq-server on
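The following script is an added example and is not part of the original procedure or of RabbitMQ itself. It produces an equivalent self-signed certificate (same subject, same SAN list, same one-file CA layout) with openssl alone, so the Java/keytool prerequisite and the keystore-to-PEM conversion in steps 1 to 6 can be skipped, and it adds the check the procedure lacks: that every hostname and address clients will use is in the SAN, that key.pem belongs to cert.pem, and that the certificate verifies against itself as a trust anchor. The hostnames, IP addresses, DN fields, the /etc/rabbitmq layout from step 7 and the temporary output directory are placeholders; the install step only writes to a real location when INSTALL_BASE is set.

```shell
#!/bin/sh
# Added example, not from the original page: build the self-signed RabbitMQ
# certificate with openssl only, verify it, then install it into the
# /etc/rabbitmq layout used by the procedure. Names, IPs and DN are placeholders.
set -eu

# Generate an RSA key and a self-signed certificate carrying the SAN entries.
#   $1 output dir, $2 subject CN, $3 SAN list in openssl syntax
#   (e.g. "DNS:a.example,IP:10.0.0.1"), $4 validity in days (default 365)
make_selfsigned_cert() {
    local outdir="$1" cn="$2" san="$3" days="${4:-365}"
    mkdir -p "$outdir"
    # A config file works on every openssl release; -addext needs 1.1.1+.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = $cn
OU = Test
O = Corp
L = Palo Alto
ST = CA
C = US
[v3_self]
subjectAltName = $san
basicConstraints = critical, CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
EOF
    # -nodes writes the key unencrypted, which is what RabbitMQ reads at start.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$outdir/san.cnf" -keyout "$outdir/key.pem" \
        -out "$outdir/cert.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"
}

# Check the pair before installing it: every name or address the clients will
# connect to must be in the SAN, the key must match the certificate, and the
# certificate must verify against itself (that is how clients holding
# cacert.pem will see it).  $1 output dir, remaining args: expected SAN values.
verify_cert() {
    local outdir="$1" san_line name
    shift
    san_line=$(openssl x509 -in "$outdir/cert.pem" -noout -text \
               | sed -n '/Subject Alternative Name/{n;p;}')
    for name in "$@"; do
        case "$san_line" in
            *"$name"*) ;;
            *) echo "SAN is missing $name" >&2; return 1 ;;
        esac
    done
    [ "$(openssl x509 -in "$outdir/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$outdir/key.pem" -pubout)" ] \
        || { echo "key.pem does not match cert.pem" >&2; return 1; }
    openssl verify -CAfile "$outdir/cert.pem" "$outdir/cert.pem" >/dev/null
}

# Install into the layout from step 7: one self-signed cert acts as CA cert,
# server cert and client cert. Keys are group-readable only; ownership is
# changed to rabbitmq when running as root on a host where that user exists.
#   $1 dir holding cert.pem/key.pem, $2 base dir (default /etc/rabbitmq)
install_rabbitmq_certs() {
    local src="$1" base="${2:-/etc/rabbitmq}"
    install -d -m 750 "$base/testca" "$base/server" "$base/client"
    install -m 644 "$src/cert.pem" "$base/testca/cacert.pem"
    install -m 644 "$src/cert.pem" "$base/server/cert.pem"
    install -m 640 "$src/key.pem"  "$base/server/key.pem"
    install -m 644 "$src/cert.pem" "$base/client/cert.pem"
    install -m 640 "$src/key.pem"  "$base/client/key.pem"
    if [ "$(id -u)" -eq 0 ] && id rabbitmq >/dev/null 2>&1; then
        chown -R rabbitmq: "$base/testca" "$base/server" "$base/client"
    fi
}

# Stand-alone run: build into OUTDIR (a fresh temp dir unless set), verify,
# and install only when INSTALL_BASE is set, e.g. INSTALL_BASE=/etc/rabbitmq.
OUTDIR=${OUTDIR:-$(mktemp -d)}
make_selfsigned_cert "$OUTDIR" '*.corp-ext.local' \
    'DNS:test2.corp-ext.local,DNS:test3.corp-ext.local,DNS:testrabbitmqlb.corp-ext.local,IP:172.31.3.39,IP:172.31.3.40,IP:172.31.3.41'
verify_cert "$OUTDIR" test2.corp-ext.local test3.corp-ext.local \
    testrabbitmqlb.corp-ext.local 172.31.3.39 172.31.3.40 172.31.3.41
echo "verified certificate and key in $OUTDIR"
if [ -n "${INSTALL_BASE:-}" ]; then
    install_rabbitmq_certs "$OUTDIR" "$INSTALL_BASE"
fi
```

Run it as root with INSTALL_BASE=/etc/rabbitmq to replace steps 7 and 8; the key files are installed with mode 640 rather than the default umask so that only the rabbitmq user and group can read the unencrypted key. After installing, on CentOS 7 and later (systemd) the equivalent of step 9 is systemctl enable --now rabbitmq-server. If a client later fails with a hostname-mismatch error, rerun verify_cert with the exact name or address that client uses; the certificate has to be regenerated if it is not in the SAN.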