How do your clients address the broker when they connect to it? Do they address it as ourmq.ourco.com, or as ourmq? The cert needs to match whatever method they use to connect, though if you're not self-signing your certs, FQDN is about to become the only option per this article: https://www.godaddy.com/help/can-i-request-a-certificate-for-an-intranet-name-or-ip-address-6935
On Aug 15, 2016 3:46 AM, "KenHall" <ha...@dnb.com> wrote:
>
> We are trying to use ActiveMQ SSL with target-only authentication with a
> trusted cert from DigiCert. We were able to use SSL with self-signed certs
> but we seem to have an issue when we move to using a commercial trusted cert.
> Looking at the documentation here:
>
> https://access.redhat.com/documentation/en-US/Fuse_ESB_Enterprise/7.1/html/ActiveMQ_Security_Guide/files/SSLUseCerts.html
>
> It seems that the relevant piece of the documentation is this:
>
> The broker is configured to have its own certificate and private key, which
> are both stored in the file, broker.ks. The client is configured to have a
> trust store, client.ts, that contains the certificate that originally signed
> the broker certificate. Normally, the trusted certificate is a Certificate
> Authority (CA) certificate.
>
> We have received two certs from DigiCert for our server ourmq.ourco.com,
> which hosts the MQ broker instance that we want to communicate with via SSL.
> These certs are ourmq_ourco_com.crt and digiCertCA.crt.
>
> I have put the broker certificate (ourmq_ourco_com.crt) and the
> DigicertCA.crt certificate into broker.ts in the conf directory of the
> broker MQ installation:
>
>     keytool -import -file /home/myuser/DigiCertCA.crt -keystore broker.ks \
>         -alias "digiCertCA"
>     keytool -import -file /home/myuser/ourmq_ourco_com.crt -keystore broker.ks \
>         -alias "ourmq.ourco.com"
>
> I have also changed the broker configuration to create the ssl transport
> entry on the desired port. I have NOT made any changes with regard to the
> SSL context, as I am using the default keystore (broker.ts) in the conf
> directory of the ActiveMQ installation and therefore believe that I don't
> have to create a new SSL context.
>
> I believe that the only thing that we should have to do is put the
> digiCertCA certificate into the client.ts truststore in the conf directory
> of the MQ instance on the client. We will also have to make sure that our
> client can see ourmq.ourco.com by putting the following entry in the
> /etc/hosts file on our client:
>
>     111.222.111.222 ourmq.ourco.com
>
> We are accessing the Broker from the client using Java.
>
> We have tried this and it doesn't work, but I believe we have other issues,
> so I just want to confirm that our approach with regard to the installation
> of the certificates is correct.
>
> Thanks
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/Using-Trusted-Cert-with-ActiveMQ-SSL-tp4715473.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
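An added check that is not part of the thread above and not ActiveMQ project code: it loads the broker keystore the way the broker's SSL context would, and reports the two things that typically break when a commercial cert replaces a self-signed one. First, whether the alias actually holds a private key with its chain (a bare `keytool -import` of a server cert whose private key is not already under that alias creates a `trustedCertEntry`, which the broker cannot present as its own identity). Second, whether the leaf cert's subjectAltName covers the name the clients connect with, which is the point raised in the reply. The keystore path `conf/broker.ks`, the password, the alias `ourmq.ourco.com` and the hostname are assumed defaults taken from the thread and can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not from the mailing-list thread or the ActiveMQ project).
 * Usage: java BrokerKeystoreCheck [keystore] [password] [alias] [hostname]
 * Defaults are assumptions based on the thread: conf/broker.ks, "password",
 * alias ourmq.ourco.com, hostname ourmq.ourco.com.
 */
public class BrokerKeystoreCheck {

    /** Returns the alias's certificate chain (leaf first) if it is a key entry, else null. */
    static Certificate[] keyEntryChain(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not found in keystore");
            return null;
        }
        if (!ks.isKeyEntry(alias)) {
            // Importing a cert with keytool -import into a keystore that does not
            // already hold the matching private key under this alias yields a
            // trustedCertEntry; the broker needs a PrivateKeyEntry here.
            System.out.println("alias '" + alias + "' is a trustedCertEntry, not a PrivateKeyEntry");
            return null;
        }
        return ks.getCertificateChain(alias);
    }

    /** Collects DNS (type 2) and IP address (type 7) subjectAltName values, lower-cased. */
    static List<String> subjectAltNames(X509Certificate leaf) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return names; // no SAN extension at all: modern clients will reject it
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (type == 2 || type == 7) {
                names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
            }
        }
        return names;
    }

    /** Exact match, or a single-label wildcard in the leftmost position only. */
    static boolean matchesHost(List<String> sans, String host) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String san : sans) {
            if (san.equals(h)) {
                return true;
            }
            int dot = h.indexOf('.');
            if (san.startsWith("*.") && dot > 0 && h.substring(dot).equals(san.substring(1))) {
                return true; // *.ourco.com covers ourmq.ourco.com but not a.b.ourco.com
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "conf/broker.ks";
        char[] pass = (args.length > 1 ? args[1] : "password").toCharArray();
        String alias = args.length > 2 ? args[2] : "ourmq.ourco.com";
        String host = args.length > 3 ? args[3] : "ourmq.ourco.com";

        // The default type reads JKS on Java 8 and both JKS and PKCS12 on Java 9+.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        Certificate[] chain = keyEntryChain(ks, alias);
        if (chain == null) {
            System.exit(1);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("chain length " + chain.length + ", leaf subject " + leaf.getSubjectX500Principal());
        leaf.checkValidity(); // throws if expired or not yet valid

        List<String> sans = subjectAltNames(leaf);
        System.out.println("subjectAltName: " + sans);
        if (!matchesHost(sans, host)) {
            System.out.println("clients that connect to '" + host + "' will fail hostname verification");
            System.exit(2);
        }
        System.out.println("ok: '" + alias + "' is a key entry and the leaf covers " + host);
    }
}
```

If the check reports a trustedCertEntry, importing the two .crt files again will not help: the key pair and CSR have to be generated inside the keystore (`keytool -genkeypair`, then `keytool -certreq`) and the CA's signed reply imported with `keytool -importcert` under that same alias, after the CA cert; alternatively, assemble a PKCS12 from the private key and the chain with `openssl pkcs12 -export` and point the broker's SSL context at that file. If the SAN check fails for a short name such as `ourmq`, connect using the name that is in the certificate, as the reply suggests.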