
According to the RabbitMQ documentation, any certificate issued by a CA that is in RabbitMQ's certification bundle will be trusted. Therefore, how can this type of authentication be secure if a CA — e.g., certbot — issues many certificates?

For testing purposes, I generated a self-signed CA to sign certificates. The certificate of this self-signed CA was added to the RabbitMQ certification bundle. After that, I signed a client's certificate so that I could perform authentication. Next, I created a user in RabbitMQ whose username matches the CN of the client certificate signed by the self-signed CA. As expected, the authentication was successfully performed. After that, I generated a certificate that was not signed by the same CA, and, as expected, the authentication failed. In this test environment, the entire broker was configured correctly. Certificate-based authentication was the only authentication method enabled during the tests.

However, how can this be secure if, according to the RabbitMQ documentation, the first CA present in the client's certificate is validated?

I hope to understand how this authentication can be secure since I will use it in a RabbitMQ instance in production.

    1 Answer


    For client authentication in RabbitMQ, you're supposed to set up your own PKI and issue client certificates yourself. This is why there's a separate trust store for client certificate verification where you can add your own trust anchor(s) aka root CA(s). So you do not use public CAs like Let's Encrypt.

    It's theoretically possible to (ab)use certificates issued by, e.g., Let's Encrypt for client authentication, but you'd have to jump through hoops to make this work. Each client would need its own public domain, and then you'd have to patch RabbitMQ to only accept client certificates issued for those domains. This doesn't make much sense. The proper solution is to have a private CA for the sole purpose of issuing client certificates for RabbitMQ.

    • So, there are no issues with using self-signed certificates to authenticate the client in this case — like MITM?
      Commented Mar 23 at 19:09
    • I thought about signing the server's certificate with a public CA so that the client systems can perform mutual TLS, creating a self-signed CA to sign each client system's certificate, and adding its certificate to the RabbitMQ certification bundle. Does this approach seem secure? Thank you for your time!
      Commented Mar 23 at 19:10
    • @estimate3235: This is exactly what the RabbitMQ developers want you to do. Every trust anchor (root certificate) is necessarily self-signed. There's nothing insecure about this. As long as you keep the private key of the CA secure, you can safely issue client certificates and put the trust anchor into the server's trust store for verifying the certificates.
      – Ja1024
      CommentedMar 23 at 22:46
    • @estimate3235: Your doubts about self-signed certificates might come from scenarios where a server presents such a certificate and wants you to blindly trust it, rather than getting a certificate from a public and trusted CA like Let’s Encrypt. But you’re not doing this here. You simply create your own PKI and add it to your own server’s trust store, allowing the server to properly validate the client certificates. There’s nothing wrong with this.
      – Ja1024
      CommentedMar 23 at 22:47
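    The test the question describes (private CA, client certificate whose CN is the username, a certificate from a different CA rejected) and the private PKI the answer recommends can be reproduced with openssl alone. The script below is an added example, not code from the original post or from the RabbitMQ project; the directory under $PKI and the names rabbit-client-ca, rogue-ca, app1 and rogue-app1 are assumptions. It goes one step beyond the question's test by also building a trust bundle that contains a second CA, to show what happens when the client trust store holds a CA you do not control.

```sh
#!/bin/sh
# Added example, not code from the original post or from the RabbitMQ project.
# It builds the private PKI the answer recommends with openssl and reproduces
# the broker's trust decision with `openssl verify`. Paths under $PKI and the
# names rabbit-client-ca, rogue-ca, app1 and rogue-app1 are assumptions.
set -eu

PKI="${PKI:-$(mktemp -d)}"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# -subj overrides the placeholder DN below.
init_pki() {
  mkdir -p "$PKI"
  cat > "$PKI/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: not a CA, usable for TLS client authentication only.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$PKI/client.ext"
}

# new_ca NAME -- a self-signed root; every trust anchor is self-signed by definition.
# Only NAME.pem goes into the broker's trust store; NAME.key stays offline.
new_ca() {
  openssl req -x509 -config "$PKI/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.pem" 2>/dev/null
}

# issue_client CA CN OUT -- client key, CSR, and a leaf cert signed by CA.
# The CN is what the broker maps to a username (ssl_cert_login_from = common_name).
issue_client() {
  openssl req -new -config "$PKI/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$PKI/$3.key" -out "$PKI/$3.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$3.csr" -CA "$PKI/$1.pem" -CAkey "$PKI/$1.key" \
    -CAcreateserial -days 365 -extfile "$PKI/client.ext" -out "$PKI/$3.pem" 2>/dev/null
}

# verify_client CAFILE CERT -- the check ssl_options.verify = verify_peer performs
# against ssl_options.cacertfile = CAFILE. Prints ok or fail.
verify_client() {
  if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_cn CERT -- the username RabbitMQ would derive from the certificate's CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

make_pki() {
  init_pki
  new_ca rabbit-client-ca                    # the only CA the broker should trust
  issue_client rabbit-client-ca app1 app1    # legitimate client, username app1
  new_ca rogue-ca                            # a CA the broker never imported
  issue_client rogue-ca app1 rogue-app1      # same CN, wrong issuer
  # What happens if you widen the trust store to a CA you do not control:
  cat "$PKI/rabbit-client-ca.pem" "$PKI/rogue-ca.pem" > "$PKI/too-broad-bundle.pem"
}

make_pki
echo "PKI written to $PKI"
echo "app1 from our CA, our CA trusted:          $(verify_client "$PKI/rabbit-client-ca.pem" "$PKI/app1.pem")"
echo "app1 from rogue CA, our CA trusted:        $(verify_client "$PKI/rabbit-client-ca.pem" "$PKI/rogue-app1.pem")"
echo "app1 from rogue CA, rogue CA also trusted: $(verify_client "$PKI/too-broad-bundle.pem" "$PKI/rogue-app1.pem")"
echo "username derived from app1.pem:            $(cert_cn "$PKI/app1.pem")"
```

    The first two results are the question's own test: the leaf from rabbit-client-ca verifies, the leaf from rogue-ca does not, even though both carry CN=app1. The third result is the answer's point: once a CA you do not control is in the trust store, anyone who can obtain a certificate from it with a CN equal to an existing username is accepted, so the file behind `ssl_options.cacertfile` must hold only rabbit-client-ca.pem, with `ssl_options.verify = verify_peer` and `ssl_options.fail_if_no_peer_cert = true`; with the rabbitmq_auth_mechanism_ssl plugin enabled, `auth_mechanisms.1 = EXTERNAL` and `ssl_cert_login_from = common_name` turn that CN into the username, which is exactly the mapping the last line shows.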
