相关文件
openssl.cnf
文件配置
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 10950
default_md = sha1
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
生成ca文件,脚本(setup_ca.sh
)内容如下:
#!/bin/bash
hr="-------------------------------------------"
br=""
strength=2048
valid=10950
message="Usage: sh setup_ca.sh [certificate authority CN]"
if [ $# -ne 1 ];
then
echo $message
exit 2
fi
if [ $1 = "--help" ];
then
echo $message
exit 2
fi
certauthCN=$1
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./ca/ ];
then
echo "Creating folder: ca/"
mkdir ca
echo "Creating folder: ca/private/"
mkdir ca/private
echo "Creating folder: ca/certs/"
mkdir ca/certs
echo "Creating folder: ca/serial"
echo "01" > ca/serial
echo "Creating file: ca/index.txt"
touch ca/index.txt
fi
cd ca
openssl req -x509 -newkey rsa:{
mathJaxContainer[0]}valid -out cacert.pem -outform PEM -subj /CN=$certauthCN/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..
生成服务器证书,脚本(make_server_cert.sh
)内容如下:
#!/bin/bash
hr="-------------------------------------------"
br=""
strength=2048
valid=10950
message="Usage: sh make_server_cert.sh [server name] [PKCS12 password]"
if [ $# -ne 2 ];
then
echo $message
exit 2
fi
if [ $1 = "--help" ];
then
echo $message
exit 2
fi
sname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./server/ ];
then
echo "Creating Server folder: server/"
mkdir server
fi
cd server
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
echo "Generating req.pem"
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$sname/O=server/ -nodes
cd ../ca
echo "Generating cert.pem"
openssl ca -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
echo "Generating keycert.p12"
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:$password
cd ..
生成客户端证书,脚本(create_client_cert.sh
)内容如下:
#!/bin/bash
hr="-------------------------------------------"
br=""
strength=2048
valid=10950
message="Usage: sh create_client_cert.sh [client name] [PKCS12 password]"
if [ $# -ne 2 ];
then
echo $message
exit 2
fi
if [ $1 = "--help" ];
then
echo $message
exit 2
fi
cname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./client/ ];
then
echo "Creating folder: client/"
mkdir client
fi
cd client
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
echo "Generating req.pem"
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$cname/O=client/ -nodes
cd ../ca
echo "Generating cert.pem"
openssl ca -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client
echo "Generating keycert.p12"
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:$password
cd ..
步骤:
我这里以Linux为例,目录是/usr. 写一下步骤
首先打开/usr,创建一个文件夹
mkdir testca
拷贝上面所有shell脚本,然后分步骤执行:
#参数是证书颁发机构名
sh setup_ca.sh MyRabbitMQSSL
#生成服务器证书, 第一个参数是服务器名,第二个参数是密码
sh make_server_cert.sh rabbit-server rabbit
#生成客户端证书,第一个参数是客户端名称,第二个参数是密码
sh create_client_cert.sh rabbit-client rabbit
keytool导入证书
keytool -import -alias rabbit-server -file ./server/cert.pem -keystore trustStore -storepass rabbit
此时会提示是否导入证书,输入y
或者是
,然后回车
删除之前导入过的证书,别名为 rabbit-server
keytool -delete -alias rabbit-server -keystore trustStore -storepass rabbit
配置rabbitmq
vi $rabbitmq_home/etc/rabbitmq/rabbitmq.config
文件内容如下:
%% Disable SSLv3.0 and TLSv1.0 support.
[
{
ssl, [{
versions, ['tlsv1.2', 'tlsv1.1']}]},
{
rabbit, [
{
tcp_listeners, [5672]},
{
ssl_listeners, [5671]},
{
ssl_options, [{
cacertfile,"/usr/testca/ca/cacert.pem"},
{
certfile,"/usr/testca/server/cert.pem"},
{
keyfile,"/usr/testca/server/key.pem"},
{
verify, verify_peer},
{
fail_if_no_peer_cert, true},
{
versions, ['tlsv1.2', 'tlsv1.1']}
]}
]}
].
保存.
重启rabbitmq.
#关闭服务
rabbitmqctl stop
#启动服务
rabbitmq-server -detached
#查看状态
rabbitmqctl status
编写java测试类
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.GetResponse;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
public class ValidatingCert{
public static void main(String[] args) throws Exception{
char[] keyPassphrase = "rabbit".toCharArray(); //证书密码
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("keycert.p12"), keyPassphrase);//把client目录keycert.p12拷贝到项目里面
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, keyPassphrase);
char[] trustPassphrase = "rabbit".toCharArray(); //证书密码
KeyStore tks = KeyStore.getInstance("JKS");
tks.load(new FileInputStream("trustStore"), trustPassphrase);//把/usr/testca/目录的trustStore拷贝到项目里面
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(tks);
SSLContext c = SSLContext.getInstance("TLSv1.1");
c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
ConnectionFactory factory = new ConnectionFactory();
factory.setHost("192.168.0.111");//rabbitmq server
factory.setPort(5671);
factory.useSslProtocol(c);
Connection conn = factory.newConnection();
Channel channel = conn.createChannel();
channel.queueDeclare("rabbitmq-queue", false, true, true, null); //rabbitmq-queue是rabbitmq队列
channel.basicPublish("", "rabbitmq-queue", null, "Test,Test".getBytes());
GetResponse chResponse = channel.basicGet("rabbitmq-queue", false);
if (chResponse == null){
System.out.println("No message retrieved");
}else {
byte[] body = chResponse.getBody();
System.out.println("Recieved: " + new String(body));
}
channel.close();
conn.close();
}
}