
How to Use X.509 Certificates

Before you can understand how to deploy X.509 certificates in a real system, you need to know about the different authentication scenarios supported by the SSL/TLS protocol. The way you deploy the certificates depends on what kind of authentication scenario you decide to adopt for your application.

In the target-only authentication scenario, as shown in Figure 1.1, the target (in this case, the broker) presents its own certificate to the client during the SSL/TLS handshake, so that the client can verify the target's identity. In this scenario, therefore, the client can authenticate the target, but the target cannot authenticate the client.


The broker is configured to have its own certificate and private key, which are both stored in the file, broker.ks. The client is configured to have a trust store, client.ts, that contains the certificate that originally signed the broker certificate. Normally, the trusted certificate is a Certificate Authority (CA) certificate.

In the mutual authentication scenario, as shown in Figure 1.2, the target presents its own certificate to the client and the client presents its own certificate to the target during the SSL/TLS handshake, so that both the client and the target can verify each other's identity. In this scenario, therefore, the client can authenticate the target and the target can authenticate the client.


Because authentication is mutual in this scenario, both the client and the target must be equipped with a full set of certificates. The client is configured to have its own certificate and private key in the file, client.ks, and a trust store, client.ts, which contains the certificate that signed the target certificate. The target is configured to have its own certificate and private key in the file, broker.ks, and a trust store, broker.ts, which contains the certificate that signed the client certificate.
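As an added example (not code from this FUSE Message Broker documentation), the following JSSE snippet shows how the two scenarios differ on the broker side: broker.ks supplies the broker's own key entry, broker.ts (needed only for mutual authentication) supplies the CA certificate that signed the client certificates, and the NeedClientAuth flag switches the listening socket between target-only and mutual authentication. The class name, keystore passwords and port are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class BrokerSslConfig {

    /** Loads a JKS keystore: a .ks file (key entries) or a .ts file (trusted certificate entries). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds the broker's SSLContext.
     *   keyStorePath   - broker.ks, the broker's own certificate and private key (always required)
     *   trustStorePath - broker.ts, the CA certificate that signed the client certificates;
     *                    pass null for target-only authentication (JSSE then falls back to the
     *                    JDK default trust store, which is never consulted because no client
     *                    certificate is requested)
     */
    static SSLContext brokerContext(String keyStorePath, char[] keyPassword,
                                    String trustStorePath, char[] trustPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyPassword), keyPassword);

        TrustManagerFactory tmf = null;
        if (trustStorePath != null) {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(trustStorePath, trustPassword));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf == null ? null : tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens the broker's listening socket with the chosen client-authentication policy. */
    static SSLServerSocket listen(SSLContext ctx, int port, boolean mutual) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // Target-only: flag left false, the broker never asks the client for a certificate.
        // Mutual: NeedClientAuth rejects any handshake in which the client presents no valid
        // certificate chaining to broker.ts. (WantClientAuth would request a certificate but
        // still admit clients that have none, so it does not give true mutual authentication.)
        socket.setNeedClientAuth(mutual);
        return socket;
    }
}
```

For the target-only scenario call brokerContext("broker.ks", pw, null, null) and listen(ctx, 61617, false); for mutual authentication supply broker.ts and pass true, with the client side loading client.ks and client.ts in the same way.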

Various combinations of target and client authentication are theoretically supported by the SSL/TLS protocols. In general, SSL/TLS authentication scenarios are controlled by selecting a specific cipher suite (or cipher suites) and by setting flags in the SSL/TLS protocol layer (that is, the WantClientAuth or NeedClientAuth flags). The following list describes all of the possible authentication scenarios (some of which are not supported by FUSE Message Broker):

FUSE Message Broker provides a collection of demonstration certificates, located in the $ACTIVEMQ_HOME/conf directory, that enable you to get started quickly and run some examples using the secure transport protocols. The following keystore files are provided (where, by convention, the .ks suffix denotes a keystore file with key entries and the .ts suffix denotes a keystore file with trusted certificate entries):

Warning

Do not deploy the demonstration certificates in a live production system! These certificates are provided for demonstration and testing purposes only. For a real system, create your own custom certificates.

For a real deployment of a secure SSL/TLS application, you must first create a collection of custom X.509 certificates and private keys. For detailed instructions on how to create and manage your X.509 certificates, see Managing Certificates.