TLS/SSL certificates in RabbitMQ Part 1

Essentially all modern servers on the internet use TLS/SSL certificates to verify their authenticity. RabbitMQ servers managed by CloudAMQP are no exception. In this 2-part series, you get a walk-through of how TLS/SSL works, how RabbitMQ handles certificates and how you can set up client authentication for stronger security.

TLS/SSL: minimizing risk of fraud

Running RabbitMQ clusters on CloudAMQP provides a secure environment for your data. Security typically involves a combination of firewalls, VPC peering, or PrivateLink to control message broker access. For some customers, the use of TLS certificates can be of additional benefit, as it lets the client and the server verify each other, ensuring that both are who they claim to be before any data is sent.

For highly sensitive data, the usage of certificates might in some cases be required by company policies and laws. In a CloudAMQP environment, support for TLS/SSL is available both for server verification (ensuring that your data is sent safely) and through the usage of client certificates (meaning that clients connecting to RabbitMQ are authorized).

This extra layer of security can be enabled and configured by CloudAMQP customers to suit the company needs and requirements, something that we will explain in depth in part 2 of this blog.

Take me to part 2

But, as an overview, let's look into these two.

Server verification

As mentioned, RabbitMQ servers managed by CloudAMQP use TLS/SSL certificates to verify their authenticity. To provide certificates for CloudAMQP RabbitMQ clusters, we use Let's Encrypt.

Please note:

  • Most trust stores have their root CA by default; if not, the certificate can be added manually in the client connection parameters. A link to the root CA can be found in our documentation.
  • It is possible for RabbitMQ to skip server verification by specifying verify_peer = none in the connection parameters, although this setting is not recommended since doing so increases the risk of man-in-the-middle attacks.

Using client certificates in RabbitMQ

The default configuration in CloudAMQP clusters does not require client certificates. You must decide whether they are necessary for your use case.

For RabbitMQ clients, there are two primary ways of using CA certificates:

  • Verify the source: This approach can be very beneficial when a connecting system, like a service or machine, needs to be verified as trusted. An example would be a setup where backend services connect to RabbitMQ.
  • Verify a user: This uses certificate details to authenticate and confirm that the client is authorized. This approach is used to ensure that specific clients only get access to what's specified in the certificate.

The implementation of these two verification approaches differs, and the following section will provide a deep dive into how they can impact your setup. You will also get specific configuration steps for enabling TLS/SSL certificates.
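As an added example (not CloudAMQP's or RabbitMQ's own code), the following Python builds the TLS context that a client library such as pika would be handed for both cases above: server verification against a root CA (or the platform trust store when no file is given) and, optionally, a client certificate so the broker can verify the source. The `audit_tls_context` helper flags the unverified mode the server-verification note warns against; the function names and file paths are assumptions.

```python
import ssl
from typing import List, Optional


def build_rabbitmq_tls_context(
    cafile: Optional[str] = None,        # root CA bundle; None = the platform trust store
    client_cert: Optional[str] = None,   # PEM client certificate (client-certificate setups only)
    client_key: Optional[str] = None,    # PEM private key belonging to client_cert
    verify_server: bool = True,          # False mirrors "verify_peer = none" from the post
) -> ssl.SSLContext:
    """Build the SSLContext a RabbitMQ client (e.g. pika.SSLOptions) would use."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_server:
        # Turns off chain validation and hostname matching: anyone who can redirect
        # the TCP connection may now present any certificate (man-in-the-middle risk).
        ctx.check_hostname = False          # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert:
        # Present our certificate during the handshake so the broker can verify us.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that weaken server verification; [] means fine."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    # Compare the recommended context with the unverified one the post advises against.
    for name, ctx in (("verified", build_rabbitmq_tls_context()),
                      ("unverified", build_rabbitmq_tls_context(verify_server=False))):
        print(name, audit_tls_context(ctx) or ["ok"])
```

With pika the returned context is wrapped as `pika.SSLOptions(ctx, server_hostname)` and passed to `ConnectionParameters(ssl_options=...)`.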


CloudAMQP and security

Enabling TLS/SSL is one way of fine-tuning the security of your cluster. In the following links, you can read more about what CloudAMQP is doing to ensure that you achieve the level of secure messaging that you need.

Docs - Security

Security and Compliance - CloudAMQP

If you have further questions and need information about security on CloudAMQP, send an email to contact@cloudamqp.com
