How to add multiple RootCA in RabbitMQ Config (windows)?


Srikanth P Vasist

Jul 14, 2015, 4:49:04 AM7/14/15
to rabbitm...@googlegroups.com
{ssl_options, [{cacertfile,"c:/rootCA.pem"},
                   {certfile,"c:/Server.pem"},
                   {keyfile,"c:/Server.key"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert, true}]},

Above is the piece of config file that I am using. It works fine. The problem is I need to add multiple root CAs, as the client uses a different CA than the server and I need to trust both of them. I did some Googling and found the {cacerts} tag, which doesn't seem to work. Please help me on how to add multiple CAs in the RabbitMQ config on Windows.

Michael Klishin

Jul 14, 2015, 5:31:25 AM7/14/15
to rabbitm...@googlegroups.com, Srikanth P Vasist
On 14 July 2015 at 11:49:07, Srikanth P Vasist (spva...@gmail.com) wrote:
> The problem is I need to add multiple RootCA as the client uses
> different CA than Server and I need to trust both of them. I did
> some Googling and found {cacerts} tag which doesn't seem to work.
> Please help me on how to add multiple CA in RabbitMQ config in windows.

Multiple as in chained CAs? 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


spva...@gmail.com

Jul 14, 2015, 8:35:45 AM7/14/15
to Michael Klishin, rabbitm...@googlegroups.com
No, different CAs altogether, e.g. MicrosoftCA and GoogleCA.


Thanks and Regards,
Srikanth




Michael Klishin

Jul 14, 2015, 8:43:18 AM7/14/15
to spva...@gmail.com, rabbitm...@googlegroups.com
 On 14 Jul 2015 at 15:35:43, spva...@gmail.com (spva...@gmail.com) wrote:
> No, different CAs altogether, e.g. MicrosoftCA and GoogleCA.

A single server can use only one chain of CAs (with self-signed certificates chain length is 1).
Trusted root CAs are typically installed system-wide. A certificate cannot be signed by both
Google and Microsoft CAs (to use your example), though.

This is true for RabbitMQ and every other server I have ever used.

spva...@gmail.com

Jul 14, 2015, 8:51:45 AM7/14/15
to Michael Klishin, rabbitm...@googlegroups.com
I agree. OK. Now, this is the scenario. RabbitMQ Server is configured with server.pem, which is signed by serverCA.pem. I am trying to connect using a client certificate client.pem, which is signed by clientCA.pem. I have an entry {verify,verify_peer} which would fail if clientCA is not in the trusted list of the RabbitMQ config. Correct me if I am wrong and please suggest how to deal with this problem.


Thanks and Regards,
Srikanth




Michael Klishin

Jul 14, 2015, 8:53:49 AM7/14/15
to spva...@gmail.com, rabbitm...@googlegroups.com
On 14 July 2015 at 15:51:44, spva...@gmail.com (spva...@gmail.com) wrote:
> Now, this is the scenario. RabbitMQ Server is configured with
> server.pem which is signed by serverCA.pem. I am trying to connect
> using a client certificate client.pem which is signed by clientCA.pem.
> I have an entry {verify,verify_peer} which would fail if clientCA
> is not in trusted list of rabbitmq config. Correct me if I am wrong
> and please suggest how to deal with this problem

You are correct. You need to add clientCA.pem to the list of trusted
certificates on all RabbitMQ cluster nodes. How that's done depends on your OS
and version/distribution.

Some examples:
http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html 

spva...@gmail.com

Jul 14, 2015, 9:01:45 AM7/14/15
to Michael Klishin, rabbitm...@googlegroups.com
OMG! Are you saying it is sufficient to add the client root CA to the certificate store of Windows and it need not be listed in the RabbitMQ config?


Thanks for your help!


Thanks and Regards,
Srikanth




Michael Klishin

Jul 14, 2015, 9:04:23 AM7/14/15
to spva...@gmail.com, rabbitm...@googlegroups.com
On 14 July 2015 at 16:01:45, spva...@gmail.com (spva...@gmail.com) wrote:
> OMG! Are you saying it is sufficient to add client rootca to certificate
> store of windows and need not list in RabbitMQ config?

Root CA certificates are typically installed system-wide. 

spva...@gmail.com

Jul 14, 2015, 9:20:58 AM7/14/15
to Michael Klishin, rabbitm...@googlegroups.com
Does RabbitMQ use OpenSSL to verify the certificate chain in the case of the EXTERNAL authentication mechanism? I am asking this question because of a recent OpenSSL vulnerability.


Thanks and Regards,
Srikanth




Michael Klishin

Jul 14, 2015, 9:30:56 AM7/14/15
to spva...@gmail.com, rabbitm...@googlegroups.com
 On 14 July 2015 at 16:20:57, spva...@gmail.com (spva...@gmail.com) wrote:
> Does RabbitMQ use OpenSSL to verify certificate chain in case
> of EXTERNAL authentication mechanism? I am asking this question
> because of recent OpenSSL vulnerability.

RabbitMQ relies on the Erlang runtime for anything related to TLS.

Not sure which OpenSSL vulnerability you are talking about but I'll assume CVE-2015-1793 [1],
which was announced last week.
Erlang/OTP only uses OpenSSL for crypto functions, not TLS state machine and negotiation,
so that particular issue doesn't affect it as far as I can tell. Feel free to clarify on the Erlang mailing list.

Also, please start new threads for new questions.

1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793

spva...@gmail.com

Jul 14, 2015, 9:40:00 AM7/14/15
to Michael Klishin, rabbitm...@googlegroups.com
Thank you so much!


Thanks and Regards,
Srikanth




spva...@gmail.com

Jul 15, 2015, 5:58:18 AM7/15/15
to Michael Klishin, rabbitm...@googlegroups.com
Hi,
Adding clientCA to the trusted list in Windows as your link suggests is not working. For me, it never worked if the CA which signed the client certificate is different from the CA which signed the server certificate of RabbitMQ, no matter whether clientCA is added to the trust list in the Windows certificate store. Please help.


Thanks and Regards,
Srikanth

Michael Klishin

Jul 15, 2015, 6:17:53 AM7/15/15
to spva...@gmail.com, rabbitm...@googlegroups.com
On 15 July 2015 at 12:58:16, spva...@gmail.com (spva...@gmail.com) wrote:
> Adding clientCA to trusted list in windows as your link suggests
> is not working. For me, it never worked if CA which signed the client
> certificate is different from CA which signed server certificate
> of rabbitmq no matter clientCA is added to trust list in windows
> certificate store. Please help.

Srikanth,

We are getting a bit outside of the scope of this list. This is not a list about
PKI, TLS or how to manage CA certificates on Windows. This list is about RabbitMQ
and as far as RabbitMQ goes, we've provided you with enough information.

You need to add the CA that signed client's certificate to the trusted list
on all server nodes. You now have enough information, please take it on your own  from here.

spva...@gmail.com

Jul 15, 2015, 6:27:33 AM7/15/15
to Michael Klishin, rabbitm...@googlegroups.com
Sorry if my messages looked outside the scope but it isn't.
Actually my question was, RabbitMQ is accepting connections only if the client certificate is also signed by the same CA as the server. Otherwise it is rejecting connections saying unknown ca, no matter whether the client root CA is added to the trusted roots of any OS (not necessarily Windows). This is completely a RabbitMQ-related question. I have read about the {cacerts} tag. As adding the client CA to the trusted list is not working, I am just checking whether there is any way through which I can add the client root CA in the RabbitMQ config?




Thanks and Regards,
Srikanth




Michael Klishin

Jul 15, 2015, 6:33:37 AM7/15/15
to spva...@gmail.com, rabbitm...@googlegroups.com
On 15 July 2015 at 13:27:32, spva...@gmail.com (spva...@gmail.com) wrote:
> Sorry if my messages looked outside the scope but it isn't.
> Actually my question was, RabbitMQ is accepting connections
> only if client certificate is also signed by the same CA as server.
> Otherwise it is rejecting connections saying unknown ca no matter
> whether the client RootCA is added to trusted root of any OS (not
> necessarily Windows). This is completely a RabbitMQ-related question.

Your question is "how do I add a trusted CA certificate"…
 
> I have read {cacerts} tag. As adding client CA to trusted is not
> working, I am just checking is there any way through which I can
> add client root Ca in rabbitMQ config?

…and I explained how this works in one of the earlier replies.
Trusted root CAs are managed system-wide. With RabbitMQ, Apache, and
every reasonably popular data store or service I have used.

The only other relevant thing I didn't mention so far is verification
depth: see "Certificate Chains and Verification Depth" on http://www.rabbitmq.com/ssl.html

spva...@gmail.com

Jul 15, 2015, 7:07:46 AM7/15/15
to Michael Klishin, rabbitm...@googlegroups.com
Fine. Thanks for your help so far. But the fact is RabbitMQ doesn't seem to look in the operating system's (at least on Windows) trusted certificate list, but just checks the cacertfile entry in the RabbitMQ config file. I learnt this from my experiment.

Anyway thank you so much.


Thanks and Regards,
Srikanth




Michael Klishin

Jul 15, 2015, 7:17:48 AM7/15/15
to spva...@gmail.com, rabbitm...@googlegroups.com
So you tried something that you didn't realize exists just a day ago, it didn't work, and RabbitMQ is the only possible cause?

If RabbitMQ only used the server CA certificate, how many people would be able to deploy it with TLS at all?

Please learn about how PKI works and stop blaming the tools you use.

MK

spva...@gmail.com

Jul 15, 2015, 8:08:27 AM7/15/15
to Michael Klishin, rabbitm...@googlegroups.com
Blaming tools is not of my interest and I know how PKI works (fairly). And I also know many people have already deployed what I am not able to do. That means I am missing something, which is what I am interested in.


Thanks and Regards,
Srikanth




Mouse

Nov 3, 2015, 4:40:33 PM11/3/15
to rabbitmq-users
Here is the problem. Adding certificates to the system certificate store (whatever shape or form it may take on whatever platform) has nothing to do with how rabbitmq-server authenticates incoming TLS connections.

In the code below, Srikanth pointed out the ssl_options config parameter set of rabbitmq-server, specifically cacertfile. This attribute is indeed responsible for what CAs are actually recognized by the RabbitMQ server.

In other words, this file contains the certificate(s) of the root CAs that rabbitmq-server would accept.

For the OP, the way to have the RabbitMQ broker accept certificates issued by more than one CA is to append the root certificates (in PEM format) of those CAs to one file, say Joint_CA.pem, and point the cacertfile attribute to that file. It is really simple.

I don't know how it is done on Windows, but on Unix you would do something like

$ cat clientRootCA.pem >> Joint_CA.pem
$ cat serverRootCA.pem >> Joint_CA.pem
$ cat partnerRootCA.pem >> Joint_CA.pem

and then have your cacertfile attribute look like:
{cacertfile, "c:/Joint_CA.pem"}
or wherever that combined file is.

Hope this helps.

Mouse

Nov 3, 2015, 4:50:13 PM11/3/15
to rabbitmq-users
Forgot to mention that https://www.rabbitmq.com/ssl.html mentions this method in the Trust the Client's Root CA subsection.
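
The procedure Mouse describes, as an added example that is not code from the original thread or from the RabbitMQ project: build Joint_CA.pem from several root CA PEM files and render the ssl_options stanza from the first post pointing at it. Compared with a plain `cat`, the bundle builder refuses to add anything that is not a CERTIFICATE block (so a private key can never end up in the trust store) and drops a certificate that appears in two input files, and the config renderer writes paths with forward slashes, which is what the original poster's working config uses and which avoids the backslash-escape problem in Erlang strings. The file names follow the thread; the PEM blocks in the self-test are constructed placeholders, not real certificates, and the `depth` value is an assumption (it is the verification-depth option Michael points to in the RabbitMQ TLS guide). The script does not parse the certificates, so it cannot confirm that each block really is a CA certificate; check that with `openssl x509 -noout -text` before trusting it.

```python
"""
Build one cacertfile trust bundle for RabbitMQ from several root CA PEM files.

Added example, not code from the original thread or from RabbitMQ itself.
The PEM blocks used by demo_bundle() are constructed placeholders.
"""
import base64
import re
from typing import Dict, List, Tuple

# One PEM block: label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for each PEM block, with all whitespace
    stripped from the body so differently wrapped copies compare equal."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]


def build_ca_bundle(sources: Dict[str, str]) -> str:
    """Concatenate CERTIFICATE blocks from `sources` (file name -> PEM text)
    into one bundle, the equivalent of `cat *.pem >> Joint_CA.pem`, except that
    non-certificate blocks (PRIVATE KEY, CSR, ...) raise ValueError and a
    certificate present in two inputs is written only once."""
    seen = set()
    out = []
    for name, text in sources.items():
        blocks = parse_pem_blocks(text)
        if not blocks:
            raise ValueError(f"{name}: no PEM blocks found")
        for label, body in blocks:
            if label != "CERTIFICATE":
                raise ValueError(f"{name}: refusing to put a {label} block in a trust bundle")
            if body in seen:
                continue  # same certificate supplied twice; keep one copy
            seen.add(body)
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return "".join(out)


def count_certificates(bundle: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return sum(1 for label, _ in parse_pem_blocks(bundle) if label == "CERTIFICATE")


def rabbitmq_ssl_options(cacertfile: str, certfile: str, keyfile: str, depth: int = 2) -> str:
    """Render the ssl_options stanza from the thread for rabbitmq.config.
    Paths are written with forward slashes: inside an Erlang string a backslash
    starts an escape sequence, so a Windows path typed with backslashes may not
    name the file you intend, while "c:/Joint_CA.pem" works on Windows.
    `depth` (assumed value) is the verification-depth option from the RabbitMQ
    TLS guide; with more than one root in cacertfile every peer chain must still
    end at one of those roots within this depth."""
    def q(path: str) -> str:
        return '"' + path.replace("\\", "/") + '"'
    return (
        "{ssl_options, [{cacertfile," + q(cacertfile) + "},\n"
        "               {certfile," + q(certfile) + "},\n"
        "               {keyfile," + q(keyfile) + "},\n"
        "               {verify,verify_peer},\n"
        "               {fail_if_no_peer_cert, true},\n"
        f"               {{depth, {depth}}}]}}"
    )


def _constructed_pem(label: str, payload: bytes) -> str:
    """Constructed placeholder PEM block for the self-test (NOT a real cert)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


CLIENT_ROOT_CA = _constructed_pem("CERTIFICATE", b"placeholder: clientRootCA")
SERVER_ROOT_CA = _constructed_pem("CERTIFICATE", b"placeholder: serverRootCA")
PARTNER_ROOT_CA = _constructed_pem("CERTIFICATE", b"placeholder: partnerRootCA")
SERVER_KEY = _constructed_pem("RSA PRIVATE KEY", b"placeholder: do not trust me")


def demo_bundle() -> str:
    """Merge the three root CAs from the thread; the duplicate client CA is dropped."""
    return build_ca_bundle({
        "clientRootCA.pem": CLIENT_ROOT_CA,
        "serverRootCA.pem": SERVER_ROOT_CA,
        "partnerRootCA.pem": PARTNER_ROOT_CA,
        "clientRootCA-copy.pem": CLIENT_ROOT_CA,
    })


if __name__ == "__main__":
    print(demo_bundle())
    print(rabbitmq_ssl_options("c:\\Joint_CA.pem", "c:/Server.pem", "c:/Server.key"))
```

Write the returned bundle to Joint_CA.pem on every cluster node and paste the rendered stanza into rabbitmq.config; the server then trusts client certificates chaining to any of the roots in the bundle, which is also the answer to the follow-up question below: there is one trust list per listener, not separate ones for clients and for the server's own chain.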

João Portela

Nov 10, 2015, 1:30:27 PM11/10/15
to rabbitmq-users
Sorry to hijack this thread, but as a follow up:

I assume we have to supply both the client and server CAs in the {cacertfile, "c:\Joint_CA.pem"} config. What if I have serverRootCA.pem for my server certificates but I only want to trust clientRootCA.pem when validating my clients? Is it possible?

Michael Klishin

Nov 10, 2015, 1:34:19 PM11/10/15
to rabbitm...@googlegroups.com, João Portela
On 10 November 2015 at 21:30:29, João Portela (ei0...@gmail.com) wrote:
> I assume we have to supply both the client and server CAs in the
> {cacertfile, "c:\Joint_CA.pem"} config. What if I have serverRootCA.pem
> for my server certificates but I only want to trust clientRootCA.pem
> when validating my clients? Is it possible?

I believe the entire chain of CA certificates in cacertfile will be treated as trusted.

João Portela

Nov 10, 2015, 1:36:21 PM11/10/15
to Michael Klishin, rabbitm...@googlegroups.com
Ok. Seems fair.
I guess I'm going at this the wrong way anyway. Just wanted to be sure of its capabilities.
--
João Portela