I have done some research and as I suspected, client certificate authentication is not supported by the management plugin (HTTP UI or API).
I have attached the configuration file I used to test. Notice that this setting is in place for AMQP and HTTP connections:
{verify, verify_peer},
{fail_if_no_peer_cert, true},
This means that client certificates will be required and will be verified to have been signed by the root CA cert pointed to by cacertfile. So, in the case of the management UI and API, this will require a client certificate to be presented. Users and passwords for those certs will have to be created in RabbitMQ in much the same way that you must to establish permissions for client-cert authorized AMQP connections.
rabbitmqctl add_user 'CN=shostakovich' 'test1234'
rabbitmqctl set_user_tags 'CN=shostakovich' management
rabbitmqctl set_permissions 'CN=shostakovich' '.*' '.*' '.*'
Then, the following curl command worked:
curl -4vvv --cert "$HOME/development/michaelklishin/tls-gen/basic/result/client_certificate.pem" --key "$HOME/development/michaelklishin/tls-gen/basic/result/client_key.pem" --cacert "$HOME/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem" 'https://CN=shostakovich:test1234@localhost:15671/api/overview'
In practice, you could use the same user/password for all client-cert authenticated requests, for instance. The following request fails since no client certificate is presented:
$ curl -4vvv --cacert "$HOME/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem" 'https://CN=shostakovich:test1234@localhost:15671/api/overview'* Trying 127.0.0.1... * TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 15671 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/lbakken/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
So, in short, it would be nice to read the username from the client cert's
CN= value and not require a password, but that feature would have to be requested more frequently to justify implementing it. Even if it were supported, you would have to add users matching the
CN= value to RabbitMQ to set their tags and permissions, anyway.