We are trying to use ActiveMQ SSL with target-only authentication with a trusted cert from DigiCert. We were able to use SSL with self-signed certs but we seem to have an issue when we move to using a commercial trusted cert.

Looking at the documentation here:

https://access.redhat.com/documentation/en-US/Fuse_ESB_Enterprise/7.1/html/ActiveMQ_Security_Guide/files/SSLUseCerts.html

It seems that the relevant piece of the documentation is this:

> The broker is configured to have its own certificate and private key, which are both stored in the file, broker.ks. The client is configured to have a trust store, client.ts, that contains the certificate that originally signed the broker certificate. Normally, the trusted certificate is a Certificate Authority (CA) certificate.

We have received two certs from DigiCert for our server ourmq.ourco.com which hosts the MQ broker instance that we want to communicate with via SSL. These certs are ourmq_ourco_com.crt and digiCertCA.crt.

I have put the broker certificate (ourmq_ourco_com.crt) and the DigicertCA.crt certificate into broker.ts in the conf directory of the broker MQ installation:

    keytool -import -file /home/myuser/DigiCertCA.crt -keystore broker.ks -alias "digiCertCA"
    keytool -import -file /home/myuser/ourmq_ourco_com.crt -keystore broker.ks -alias "ourmq.ourco.com"

I have also changed the broker configuration to create the ssl transport entry on the desired port. I have NOT made any changes with regard to the SSL context as I am using the default keystore (broker.ts) in the conf directory of the ActiveMQ installation and therefore believe that I don't have to create a new SSL context.

I believe that the only thing that we should have to do is put the digiCertCA certificate into the client.ts truststore in the conf directory of the MQ instance on the client. We will also have to make sure that our client can see ourmq.ourco.com by putting the following entry in the /etc/hosts file on our client:

    111.222.111.222 ourmq.ourco.com

We are accessing the Broker from the client using Java.

We have tried this and it doesn't work but I believe we have other issues so I just want to confirm that our approach with regard to the installation of the certificates is correct.

Thanks

--
View this message in context: http://activemq.2283324.n4.nabble.com/Using-Trusted-Cert-with-ActiveMQ-SSL-tp4715473.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
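
The documentation quoted in the post puts a certificate plus private key in broker.ks and a CA certificate in client.ts; `keytool -list` reports these as `PrivateKeyEntry` and `trustedCertEntry` respectively. The following is an added example, not part of the original post: a check over `keytool -list` output, where the function name `check_store`, the role names and both sample listings are constructed for illustration and are not output from the poster's stores.

```shell
#!/bin/sh
# Added example. Reads `keytool -list` output on stdin and reports entry types.
# Real use:  keytool -list -keystore broker.ks | check_store broker
#   role "broker": the store must hold at least one PrivateKeyEntry
#   role "client": the store must hold at least one trustedCertEntry
check_store() {
    awk -F', ' -v role="$1" '
        /PrivateKeyEntry/  { keys++;  printf "key + chain: %s\n", $1 }
        /trustedCertEntry/ { certs++; printf "cert only  : %s\n", $1 }
        END {
            if (role == "broker" && keys == 0)  { print "FAIL: no private key entry"; exit 1 }
            if (role == "client" && certs == 0) { print "FAIL: no trusted certificate entry"; exit 1 }
            print "OK"
        }'
}

# Constructed listing: a store holding a key pair and a CA certificate.
sample_key_and_chain() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

digicertca, Jan 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
ourmq.ourco.com, Jan 1, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
EOF
}

# Constructed listing: a store holding certificates only, no private key.
sample_certs_only() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

digicertca, Jan 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
ourmq.ourco.com, Jan 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
EOF
}

sample_key_and_chain | check_store broker          # ends with OK
sample_certs_only    | check_store client          # ends with OK
sample_certs_only    | check_store broker || true  # ends with FAIL
```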