Posted to dev@qpid.apache.org by Andrew Stitcher <as...@redhat.com> on 2012/05/10 23:23:26 UTC

Setting up SSL certs to run broker on Windows

Simple enough question - how do I set up the appropriate certificates
and certificate stores to get ssl working on a C++ windows broker?

(I hope that answer's simple too, but I have some doubts!)

Thanks

Andrew


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


RE: Setting up SSL certs to run broker on Windows

Posted by Steve Huston <sh...@riverace.com>.
Not terribly simple, but this is a good place to start. Yes, it talks in 
terms of IIS... that's the way I got it to work way back when.

http://technet.microsoft.com/en-us/library/cc732230.aspx

> -----Original Message-----
> From: Andrew Stitcher [mailto:astitcher@redhat.com]
> Sent: Thursday, May 10, 2012 5:23 PM
> To: Qpid Dev List; Steve Huston; Clifford Jansen
> Subject: Setting up SSL certs to run broker on Windows
>
> Simple enough question - how do I set up the appropriate certificates and
> certificate stores to get ssl working on a C++ windows broker?
>
> (I hope that answer's simple too, but I have some doubts!)
>
> Thanks
>
> Andrew
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org For additional
> commands, e-mail: dev-help@qpid.apache.org


Re: Setting up SSL certs to run broker on Windows

Posted by Clifford Jansen <cj...@redhat.com>.
Here is a recipe for using the tools you are used to on Linux and
interoperating with Windows.  Hopefully you can find the info you are
looking for buried inside.

For general info, see qpid/cpp/SSL and note in particular that the
current Qpid implementation is Registry based.  Type "qpidd --help"
for ssl specific args.

I tried to avoid the GUI on Windows but failed, sorry.  I was also
unable to find any way to create a new certificate store without the
hack of creating a sacrificial self signed cert first.
notused.example.com is that sacrificial cert.

I had to run mmc, makecert, and qpidd as an administrator.  I could
run qpid-perftest without exalted privilege.

I used two separate stores on Linux, but that wasn't necessary.


CASE 1: Windows client + Linux broker (linux1.example.com)

[ on Linux ]

$ pwd
/b/amqp/b/q16b9/ssltest/l
$ export QPID_SSL_CERT_PASSWORD_FILE=`pwd`/pwf
$ export QPID_SSL_CERT_DB=`pwd`/db
$ export QPID_SSL_CERT_NAME=linux1.example.com
$ echo secret >pwf
$ mkdir db
$ certutil -N -d ${QPID_SSL_CERT_DB} -f ${QPID_SSL_CERT_PASSWORD_FILE}
$ certutil -S -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -s "CN=${QPID_SSL_CERT_NAME}" -t "CT,," -x -f ${QPID_SSL_CERT_PASSWORD_FILE} -v 36
[ entropy stuff ... ]
$ 
$ /b/amqp/b/q16b9/rt/sbin/qpidd --auth no -p 18641 --ssl-cert-password-file $QPID_SSL_CERT_PASSWORD_FILE --ssl-cert-name $QPID_SSL_CERT_NAME --ssl-port 18642 --ssl-cert-db $QPID_SSL_CERT_DB --module-dir /b/amqp/b/q16b9/rt/lib/qpid/daemon &
[1] 20016
$ 


[export cert]

$ certutil -L -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -f ${QPID_SSL_CERT_PASSWORD_FILE} -a >/tmp/linux1.pub.cer


[ on Windows ]

mmc [run as administrator]
   File->snap-in->Certificates->add
      Computer account [not "User" or "Service"] -> Local computer
   Certificates-> Trusted Root CAs -> right click -> all tasks -> Import...
   [in wizard] -> browse to linux1.pub.cer -> open -> finish


PS C:\cj\work\amqp\wcf\q1701\bin> .\qpid-perftest.exe -b linux1.example.com -p 5672 -P ssl --count 10000 --summary



CASE 2: Windows broker (win1.example.com) + Linux client 


$ mkdir db
$ echo secret >pwf
$ export QPID_SSL_CERT_PASSWORD_FILE=`pwd`/pwf
$ export QPID_SSL_CERT_DB=`pwd`/db
$ pwd
/b/amqp/b/q16b9/ssltest/w
$ 
$ certutil -N -d ${QPID_SSL_CERT_DB} -f ${QPID_SSL_CERT_PASSWORD_FILE}
$ 
$ export QPID_SSL_CERT_NAME=win1.example.com
$ certutil -S -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -s "CN=${QPID_SSL_CERT_NAME}" -t "CT,," -x -f ${QPID_SSL_CERT_PASSWORD_FILE} -v 36
[entropy stuff]


[ this time need to export private key too, so use pk12util ]

$ pk12util -o win1.p12 -n ${QPID_SSL_CERT_NAME} -d ${QPID_SSL_CERT_DB}
Enter Password or Pin for "NSS Certificate DB":secret
Enter password for PKCS12 file: very_secret
Re-enter password: very_secret
pk12util: PKCS12 EXPORT SUCCESSFUL
$ 


[ on Windows ]

[ hack to create "qpidtest" certificate store ]
cd C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin
makecert -ss qpidtest -n "CN=notused.example.com" -r -sr localmachine notused.cer 

[ import the cert for win1.example.com ]

same mmc GUI steps except 
  right click from "qpidtest" store you just created
  browse to win1.p12 and select file type PKCS#12 if it is not listed

PS C:\cj\work\amqp\wcf\q1701\bin> .\qpidd.exe --auth no --no-data-dir --ssl-cert-store qpidtest --ssl-cert-name win1.example.com


[ back on Linux ]

$ export QPID_LOAD_MODULE=/b/amqp/b/q16b9/rt/lib/qpid/client/sslconnector.so
$ env | grep QPID
QPID_LOAD_MODULE=/b/amqp/b/q16b9/rt/lib/qpid/client/sslconnector.so
QPID_SSL_CERT_DB=/b/amqp/b/q16b9/ssltest/w/db
QPID_SSL_CERT_NAME=win1.example.com
QPID_SSL_CERT_PASSWORD_FILE=/b/amqp/b/q16b9/ssltest/w/pwf
$ /b/amqp/b/q16b9/rt/libexec/qpid/tests/qpid-perftest -p 5671 --count 10000 -P ssl --summary -b win1.example.com
464.89	452.492	918.965	0.897427
$ 



----- Original Message -----
From: "Andrew Stitcher" <as...@redhat.com>
To: "Qpid Dev List" <de...@qpid.apache.org>, "Steve Huston" <sh...@riverace.com>, "Clifford Jansen" <cj...@redhat.com>
Sent: Thursday, May 10, 2012 5:23:26 PM
Subject: Setting up SSL certs to run broker on Windows

Simple enough question - how do I set up the appropriate certificates
and certificate stores to get ssl working on a C++ windows broker?

(I hope that answer's simple too, but I have some doubts!)

Thanks

Andrew

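The Windows-side steps of Clifford's recipe (trust the exported linux1.pub.cer for CASE 1; create a "qpidtest" store and import the pk12util bundle for CASE 2), done from an elevated PowerShell prompt instead of the mmc wizard. This is an added example, not code from the thread or from the Qpid project. It uses the .NET X509Store and X509Certificate2 classes; the file paths, the store name "qpidtest", the PFX password and the host names are assumptions taken from the names the thread already uses. Opening a LocalMachine store with ReadWrite creates the store when it is missing (OpenExistingOnly is the flag that would make it fail instead), so the sacrificial makecert certificate is not needed. The last function is the pre-flight check worth running before starting qpidd: the value passed to --ssl-cert-name must match the CN of exactly one certificate in the store, that certificate must carry its private key, and it must not have expired.

```powershell
# Added example (not from the thread). Run as administrator; paths, store name and
# password below are assumptions that mirror the names used in the recipe.
$ErrorActionPreference = 'Stop'

# CASE 1 (Windows client): trust the Linux broker's self-signed certificate, exported
# on Linux with "certutil -L ... -a", by adding it to LocalMachine\Root. This is what
# the mmc "Trusted Root CAs -> Import" wizard does.
function Import-TrustedBrokerCert {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# CASE 2 (Windows broker): import the PKCS#12 bundle produced by pk12util into a
# dedicated machine store. MachineKeySet puts the private key in the machine key
# container (qpidd does not run under the importing user's profile) and PersistKeySet
# keeps it after this process exits. Opening with ReadWrite creates the store if needed.
function Import-BrokerPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [string]$StoreName = 'qpidtest'
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    if (-not $cert.HasPrivateKey) {
        throw "No private key in $PfxPath; export with pk12util, not 'certutil -L -a'"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# Pre-flight check for "--ssl-cert-store <StoreName> --ssl-cert-name <CertName>":
# exactly one certificate whose subject is CN=<CertName>, with a private key, not expired.
function Test-BrokerCertName {
    param(
        [Parameter(Mandatory)][string]$CertName,
        [string]$StoreName = 'qpidtest'
    )
    $found = @(Get-ChildItem "Cert:\LocalMachine\$StoreName" |
               Where-Object { $_.Subject -eq "CN=$CertName" })
    if ($found.Count -ne 1) {
        throw "Expected one certificate with CN=$CertName in LocalMachine\$StoreName, found $($found.Count)"
    }
    $c = $found[0]
    if (-not $c.HasPrivateKey)        { throw "CN=$CertName has no private key; qpidd cannot use it" }
    if ($c.NotAfter -lt (Get-Date))   { throw "CN=$CertName expired on $($c.NotAfter)" }
    return ('OK: {0} thumbprint {1} valid until {2}' -f $c.Subject, $c.Thumbprint, $c.NotAfter)
}

# Usage (assumed locations for the files copied over from the Linux box):
# Import-TrustedBrokerCert -CerPath 'C:\certs\linux1.pub.cer'          # CASE 1
# Import-BrokerPfx -PfxPath 'C:\certs\win1.p12' -PfxPassword 'very_secret'   # CASE 2
# Test-BrokerCertName -CertName 'win1.example.com'
# .\qpidd.exe --auth no --no-data-dir --ssl-cert-store qpidtest --ssl-cert-name win1.example.com
```

Because the certificates in the recipe are self-signed with a bare CN, the client side only succeeds when the host name it connects with (the -b argument to qpid-perftest) is exactly that CN; the check above catches the broker-side half of that mismatch before qpidd is started, and the client-side half shows up as a handshake failure rather than a silent fallback.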