Use StartSSL Certificate in Apache Qpid

The Mozilla NSS libraries are unfamiliar to myself and I had a little trouble working out how to import a StartSSL key/certificate stored in PEM files into the format required by qpidd.

The Apache Qpid - Securing Connections with SSL blog post gives a good overview of how to create self-signed certificates with certutil and how to configure qpidd to use them.

Below are the steps that I used to populate the server_db store with my key, certificate and the StartSSL root/intermediate certificates.

  • First step. Export our existing certificates in .p12 format.

    cp myserver.crt myserverwithkey.pem
    cat myserver.key >> myserverwithkey.pem
    openssl pkcs12 -export \
      -in myserverwithkey.pem \
      -out myserver.p12 \
      -name myserver \
      -certfile sub.class2.server.ca.pem
    
  • Now create a qpid server_db certificate store and import into it

    echo "apassword" > /etc/qpid/qpid-ssl.pwd
    mkdir /etc/qpid/server_db
    certutil -N -d /etc/qpid/server_db -f /etc/qpid/qpid-ssl.pwd
    certutil -A -d /etc/qpid/server_db -f /etc/qpid/qpid-ssl.pwd \
             -n "StartSSLCA" \
             -t "TC,," \
             -a -i /etc/ssl/certs/StartCom_Certification_Authority.pem
    pk12util -i myserver.p12 \
             -d /etc/qpid/server_db \
             -k /etc/qpid/qpid-ssl.pwd
    
  • Check that is is all there with

    certutil -L -d /etc/qpid/server_db/
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
        
    myserver                                                        u,u,u
    StartCom Class 2 Primary Intermediate Server CA - StartCom Ltd. ,,
    StartSSLCA                                                   CT,,
    
  • If using the Debian/Ubuntu qpidd packages you enable this in /etc/qpid/qpidd.conf

    # SSL Settings
    #ssl-use-export-policy
    ssl-cert-password-file=/etc/qpid/qpid-ssl.pwd
    ssl-cert-db=/etc/qpid/server_db
    ssl-cert-name=royalmail.oldelvet.org.uk
    ssl-port=5672