TLS/SSL documentation is quite low-level, needs a step-by-step tutorial

[mlsomers]

Is your feature request related to a problem? Please describe.

Generating a CSR and using it to get and install a TLS/SSL in IIS can be achieved by almost anyone using a step-by-step guide like for example this one: https://www.digicert.com/kb/csr-creation-ssl-installation-iis-10.htm

The TLS/SSL documentation for RabbitMQ is quite low-level. I was able to get it working om my DEV machine using the visual studio command prompt, generating a CA certificate and a SSL Certificate using this batch file:

@echo First create our own authority CA-Certificate and store it locally
makecert -r -pe -n "CN=CetrAuthMe" -len 2048 -sv cakey.pvk cacert.cer
certutil.exe -addstore -f "ROOT" cacert.cer
certutil.exe -encode cacert.cer cacert.pem

@echo Now we can make the self-signed cert:
makecert -pe -n "CN=RabbitMq" -ss MY -len 2048 -sky exchange -iv cakey.pvk -ic cacert.cer -sv key.pvk cert.cer
certutil.exe -encode cert.cer cert.pem
certutil.exe -encode key.pvk key.pem

However when needing to get a certificate from, for example Sectigo or Comodo, It's not really clear how to start (create a CSR?)

Describe the solution you'd like

• Guide on what type of certificate to purchase and how to obtain it (how to create a CSR if needed).
• For each platform (Windows/Linux)
  • Steps to extract the obtained certificate, CA and key to the .pem files required by the configuration.

Describe alternatives you've considered

The other option should also be elaborated on. How is this typically done? I guess the reverse proxy would listen on a (sub)domain, offload the TLS/SSL and forward to RabbitMq on a specific port? Does RabbitMq need to be aware of the subdomain? Must a "virtual host" be configured for it?

Examples for

• ARR
• Nginx
• HAProxy

Additional context

Since RabbitMQ is often used in combination with the Stomp and Mqtt plugins maybe also touch on some other topics that need to be configured on a client-host, for example:

• Cookie settings SameSitePolicy can cause cookies to be sent to RabbitMQ.
• Sending your authentication or session cookies to RabbitMQ can result in "Header too large" issues.

[lukebakken]

Hello, thanks for using RabbitMQ.

In general, Team RabbitMQ uses GitHub discussions first, and then only files issues when there is actionable work.

You have a very wide range of questions and suggestions here. I would like to first point out Team RabbitMQ's official community support policy, which specifically mentions TLS:

https://github.com/rabbitmq/rabbitmq-server/blob/main/COMMUNITY_SUPPORT.md#exceptions-question-that-will-be-ignored

Creating X509 certificates using a certificate authority like Comodo or DigiCert is well out of the range of what we will document or support for free. The internet is full of very complete examples for requesting certificates.

Steps to extract the obtained certificate, CA and key to the .pem files required by the configuration.

Every cert provider is a bit different, so we can't realistically support documenting them all.