ActiveMQ disable Diffie-Hellman ciphers to avoid “KeyUsage does not allow digital signatures” errors

Here’s how to do it:

transport.enabledCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA

Add this parameter to URI in mqtt transportConnector (in your conf/activemq.xml config).

The need for this? I had a set of keys+certificates that were working perfectly fine on RabbitMQ, but on ActiveMQ I was getting “KeyUsage does not allow digital signatures” errors on client when it was validating server’s certificate.

I had no idea why this happened, googling revealed some fragmented info, in general I understood that my server’s certificate had “extension” “key usage” that indicated it didn’t allow (support?) digital signatures.

Screen Shot 2016-05-31 at 11.50.27 PM

Continue reading

Advertisements