Securing NSQ with TLS and Auth
Note: This document is still being worked on as of 2015-08-23. It's currently a scratch pad for a tutorial.
To generate a new self-signed certificate and private key pair:

```sh
openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out cert.pem -days 3650 -nodes
```

Tip: Make sure the Common Name is your hostname or FQDN, whichever you'll be using to connect to nsqd; clients verify the certificate against the name they dialed.

To allow nsqd to accept TLS upgrade requests (clients may still connect in plaintext):

```sh
nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem"
```

To enforce TLS for all client connections:

```sh
nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1
```

Note: `-tls-required=1` effectively shuts off the HTTP endpoint.

To listen on HTTPS as well:

```sh
nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1 -https-address=0.0.0.0:4152
```

To convert a public/private key pair in PEM format to PKCS#12:

```sh
openssl pkcs12 -inkey privatekey.pem -in cert.pem -export -out nsq.pfx
```

To convert PKCS#12 back to PEM (combined, certificate only, and private key only):

```sh
openssl pkcs12 -in nsq.pfx -out keystore.pem -nodes
openssl pkcs12 -in nsq.pfx -out cert.pem -nodes -nokeys
openssl pkcs12 -in nsq.pfx -out privatekey.pem -nodes -nocerts
```
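The following script is an added example, not part of this wiki page or the NSQ project. It runs the same steps non-interactively (the `-subj` and `-passout`/`-passin` flags are added so no prompts appear) and adds the checks a practitioner wants before handing the files to nsqd: that the certificate's Common Name matches the hostname clients will dial, that `cert.pem` and `privatekey.pem` actually belong together, and that the PKCS#12 round trip returns the same certificate. `nsqd.example.internal`, the working directory, and the export password are constructed placeholders; it assumes only the `openssl` CLI.

```bash
#!/bin/sh
# Added example: generate, verify and round-trip a TLS key pair for nsqd.
set -e

# Hostname clients will use to reach nsqd (constructed placeholder; use your FQDN).
NSQ_HOST="${NSQ_HOST:-nsqd.example.internal}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Export password for the .pfx (constructed placeholder; pick your own).
PFX_PASS="${PFX_PASS:-changeit}"

# Generate cert.pem / privatekey.pem with the CN set to $NSQ_HOST.
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -keyout "$WORKDIR/privatekey.pem" \
        -out "$WORKDIR/cert.pem" -days 3650 -nodes \
        -subj "/CN=$NSQ_HOST" >/dev/null 2>&1
}

# Print the CN from the certificate subject (handles "CN = x" and "/CN=x" formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print "match" if the certificate and key carry the same public key, else "mismatch".
# A mismatched pair is the most common reason nsqd fails to start with TLS enabled.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Convert PEM -> PKCS#12 -> PEM and print "ok" if the recovered certificate has the
# same SHA-256 fingerprint as the original, "bad" otherwise.
roundtrip_pkcs12() {
    openssl pkcs12 -inkey "$WORKDIR/privatekey.pem" -in "$WORKDIR/cert.pem" \
        -export -out "$WORKDIR/nsq.pfx" -passout "pass:$PFX_PASS"
    openssl pkcs12 -in "$WORKDIR/nsq.pfx" -out "$WORKDIR/cert2.pem" \
        -nodes -nokeys -passin "pass:$PFX_PASS"
    fp1=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -fingerprint -sha256)
    fp2=$(openssl x509 -in "$WORKDIR/cert2.pem" -noout -fingerprint -sha256)
    if [ "$fp1" = "$fp2" ]; then echo ok; else echo bad; fi
}

# Usage: run the three steps and report, then point nsqd at the files in $WORKDIR.
if [ "${1:-}" = "run" ]; then
    make_keypair
    echo "CN:        $(cert_cn "$WORKDIR/cert.pem")"
    echo "pair:      $(check_pair "$WORKDIR/cert.pem" "$WORKDIR/privatekey.pem")"
    echo "pkcs12:    $(roundtrip_pkcs12)"
    echo "files in:  $WORKDIR"
fi
```

Run it as `sh gen-nsq-tls.sh run`; if `pair` prints `mismatch` or `pkcs12` prints `bad`, do not start nsqd with those files. The CN check only covers the name you set in `-subj`; if clients dial an IP address or a different alias, the certificate also needs a matching Subject Alternative Name.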
Resources:
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://www.sslshopper.com/article-most-common-openssl-commands.html
- https://jamielinux.com/docs/openssl-certificate-authority
- http://tools.ietf.org/html/rfc5280#page-71
Windows:
- http://stackoverflow.com/questions/7331666/c-sharp-how-can-i-validate-a-root-ca-cert-certificate-x509-chain
- http://stackoverflow.com/questions/23935820/how-can-i-create-a-p12-file-without-a-private-key
More Windows: