
I need to run RabbitMQ and Mosquitto brokers in SSL mode. I assume that I need a CA certificate to generate the server key and certificate. How can I obtain this? I need a trusted one - not self-signed. I searched for it over the web, but services like Let's Encrypt offer only domain-based SSL keys for webpages. I could not find anything for myself, or maybe I have not been looking hard enough.

Thanks for suggestions

Kal

Kal800
    Trusted by who? Your own systems or specific third parties or general outside clients? – u1686_grawity Sep 01 '23 at 13:19
  • There are two ways. You purchase an SSL/TLS certificate that is trusted by the system, or you generate your own certificate with OpenSSL and manually trust the certificate. If you have a specific question about how to generate your question, you should edit your question and specify which step of the process you're stuck on exactly – Ramhound Sep 01 '23 at 13:19
  • My own systems - I need to build a dev environment compliant with the customer's, in a way that the connection strings would be the same except for the IP address, and I would not want to put --insecure mode in them. – Kal800 Sep 01 '23 at 13:22
  • @Kal800 - Describe in detail the customer's compliance requirements by editing your question. The connection string being the same has little to do with making that connection secure by using encryption – Ramhound Sep 01 '23 at 13:33
  • @Kal800 Please see this answer – JW0914 Mar 07 '24 at 13:11

1 Answer


If you only need the certificate to be trusted by your own systems – create your own CA and tell your systems to trust that. It's a common procedure in enterprise networks, especially for systems that won't be exposed to outside (or where public CAs aren't trusted enough).

There are many tools for building your own X.509 CA and issuing TLS certificates from it (or any other type of X.509 certificate). The root CA certificate can then be deployed to all your systems the same way as other configuration.

It is possible to issue them for IP addresses – although you really should not set up your environment to rely on fixed IP addresses to begin with; requiring an IP-based certificate for anything other than a DNS server is often a sign of bad design.

services like let's encrypt offers only domain-based SSL keys

The certificates being domain-based is an integral part of SSL/TLS having "trusted" certificates. Merely having "a trusted certificate" is meaningless; what makes it useful is that the certificate is issued for a specific identity and that you (or rather, your software) can match it against the entity that you're connecting to.

Since most TLS communications are made to a system where the client knows it wants to connect to the holder of a specific domain name, that's also what the certificates are issued for. (Generally that's also the case even for internal systems – while connecting services by IP address seems easy, it's a time-delay headache.)

for webpages

They're not limited to webpages. They're SSL/TLS server certificates. There's no difference in using them for HTTPS or RabbitMQ.

u1686_grawity
  • Thanks for suggestions. I'm sorry, but the PKI, SSL are not my strongest points. You are suggesting that my systems should trust my self generated CA cert. But how can I make them trust them? I need to make connection both to MQTT and Rabbit from .NET Web API and from C application on OpenWrt devices. – Kal800 Sep 01 '23 at 13:34
  • Whichever TLS library you use will have this documented, and will have either an API to specify a custom "trusted CA" file and/or documentation on adding your CA to the system-wide one. For OpenSSL or wolfSSL on OpenWRT, that's something that most TLS-using programs already have to do (e.g. wolfSSL_CTX_load_verify_locations(); for .NET apparently there's this and this). – u1686_grawity Sep 01 '23 at 13:44
  • @Kal800 - Add them to the system’s certificate store. Adequate amount of research will be necessary to accomplish your task. – Ramhound Sep 01 '23 at 14:27
  • @Kal800 - they are saying that you can create your own Certificate Authority which is itself a whole other beast of management because you would then have to manage the CA certificate in your root of trust. If these systems, even in dev, are a part of a domain, you could get a wildcard certificate from a certificate authority that covers the scope of those systems (e.g. *.dev.domain.com). – signus Mar 07 '24 at 09:37
  • @signus Managing a CA, and the ICAs/certs it signs, for personal use is extremely easy via the index file - see the second bullet under #3 or the index heading within this answer. I prefer to manually manage mine, but it can be auto-managed by signing certs via openssl ca instead of openssl x509. – JW0914 Mar 07 '24 at 13:18