The Mozilla NSS libraries are unfamiliar to me, and I had a little trouble working out how to import a StartSSL key/certificate stored in PEM files into the format required by qpidd.
The Apache Qpid - Securing Connections with SSL blog post gives a good overview of how to create self-signed certificates with certutil and how to configure qpidd to use them.
Below are the steps that I used to populate the server_db store with my key, certificate and the StartSSL root/intermediate certificates.
First step: export the existing key and certificate in PKCS#12 (.p12) format. The intermediate CA certificate is bundled in with -certfile so that it is imported along with the key and certificate later on.

cp myserver.crt myserverwithkey.pem
cat myserver.key >> myserverwithkey.pem
openssl pkcs12 -export \
    -in myserverwithkey.pem \
    -out myserver.p12 \
    -name myserver \
    -certfile sub.class2.server.ca.pem
Now create the qpid server_db certificate store, add the StartSSL root CA to it as a trusted CA, and import the .p12 bundle. The password file should be readable only by the user qpidd runs as, since it unlocks the private key.

echo "apassword" > /etc/qpid/qpid-ssl.pwd
mkdir /etc/qpid/server_db
certutil -N -d /etc/qpid/server_db -f /etc/qpid/qpid-ssl.pwd
certutil -A -d /etc/qpid/server_db -f /etc/qpid/qpid-ssl.pwd \
    -n "StartSSLCA" \
    -t "TC,," \
    -a -i /etc/ssl/certs/StartCom_Certification_Authority.pem
pk12util -i myserver.p12 \
    -d /etc/qpid/server_db \
    -k /etc/qpid/qpid-ssl.pwd
Check that it is all there with certutil -L. The server certificate shows u,u,u (a user certificate with its private key in the store), the imported intermediate has no trust flags of its own, and the root CA shows the CT,, trust we gave it:

certutil -L -d /etc/qpid/server_db/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myserver                                                     u,u,u
StartCom Class 2 Primary Intermediate Server CA - StartCom Ltd. ,,
StartSSLCA                                                   CT,,
If you are using the Debian/Ubuntu qpidd packages, enable SSL in /etc/qpid/qpidd.conf. ssl-cert-name must be the nickname of the server certificate exactly as certutil -L lists it, otherwise qpidd cannot find the key and certificate in the store.

# SSL Settings
#ssl-use-export-policy
ssl-cert-password-file=/etc/qpid/qpid-ssl.pwd
ssl-cert-db=/etc/qpid/server_db
ssl-cert-name=royalmail.oldelvet.org.uk
ssl-port=5672
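As an added example (my own script, not part of the original post or of Qpid), the POSIX sh below reads ssl-cert-name out of a qpidd.conf and confirms that the nickname appears in a saved certutil -L listing with the u,u,u trust flags that mark a certificate whose private key is in the store. The qpidd.conf fragment and the listing it runs against are constructed sample inputs modelled on the ones above.

```shell
#!/bin/sh
# Added check, not from the original post: does the ssl-cert-name in
# qpidd.conf name a certificate that the NSS store holds together with its
# private key?  certutil -L marks such an entry with trust "u,u,u".

# Print the value of ssl-cert-name from a qpidd.conf file (last one wins)
configured_cert_name() {
    sed -n 's/^[[:space:]]*ssl-cert-name[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the trust attributes recorded for nickname $1 in a saved
# "certutil -L" listing $2; nicknames may contain spaces, so the line must
# start with the nickname and end with exactly one more field.
trust_for_nickname() {
    awk -v nick="$1" 'index($0, nick) == 1 &&
        substr($0, length(nick) + 1) ~ /^[ \t]+[^ \t]+[ \t]*$/ { print $NF }' "$2"
}

# 0 if the configured name is present with a private key, 1 otherwise
check_cert_name() {
    name=$(configured_cert_name "$1")
    [ -n "$name" ] || { echo "no ssl-cert-name in $1" >&2; return 2; }
    trust=$(trust_for_nickname "$name" "$2")
    case "$trust" in
        u,u,u) echo "ok: '$name' is in the store with its private key" ;;
        "")    echo "error: '$name' is not a nickname in the store" >&2; return 1 ;;
        *)     echo "error: '$name' has trust '$trust', not u,u,u (no key)" >&2; return 1 ;;
    esac
}

# Constructed sample inputs standing in for /etc/qpid/qpidd.conf and the
# output of: certutil -L -d /etc/qpid/server_db
TMPD=$(mktemp -d)
cat > "$TMPD/qpidd.conf" <<'EOF'
ssl-cert-db=/etc/qpid/server_db
ssl-cert-name=myserver
ssl-port=5672
EOF
cat > "$TMPD/listing.txt" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myserver                                                     u,u,u
StartCom Class 2 Primary Intermediate Server CA - StartCom Ltd. ,,
StartSSLCA                                                   CT,,
EOF
check_cert_name "$TMPD/qpidd.conf" "$TMPD/listing.txt"
```

On a real host, replace the two constructed files with /etc/qpid/qpidd.conf and the output of certutil -L -d /etc/qpid/server_db redirected to a file.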