[rabbitmq-discuss] RabbitMQ .Net Client connecting without a passphrase

Matthias Radestock matthias at rabbitmq.com
Wed Apr 2 09:05:06 BST 2014

On 01/04/14 13:31, Vinay Nayak wrote:
> We have managed to get an authenticate-authorise with server-client
> certificates set-up on our RabbitMQ server.
> However the fact that in the client code we pass a certificate with a
> key (i.e. p12 file) and a passphrase to connect to the server makes us a
> little uncomfortable.
> The fact that we are passing a Passphrase implies that RabbitMQ uses the
> passphrase to decrypt the p12 file, retrieve the key, use the key to get
> the CA details from the certificate and then check if the CA is trusted
> or not; instead of RabbitMQ contacting the CA server to verify the
> certificate presented by the client.
> The above can be absolute bollocks, if it is can someone please explain
> what goes under the hood.

I am afraid the above is indeed absolute bollocks :)

The client needs the key for its own certificate, just like the server 
needs the key for its own certificate. That's how PKI works - each party 
needs to know their own key (only). The key is not passed to the other 

Also, there is no such thing as a "CA server"; cert validation is a 
local operation.



More information about the rabbitmq-discuss mailing list