In MRG-M, can EXTERNAL client authentication be used with self-signed client certificates?

Solution Verified - Updated -


The Red Hat MRG broker supports the EXTERNAL client authentication mechanism, where the SSL certificate should be used for client authentication. The username is in such case taken from the certificate subject. The certificates used for the authentication are stored using Certificate Database tool (certutil). This database contains the server private key (which seems to be working fine) as well as the certificates / public keys necessary to authenticate the clients.

The certificates used for client authentication can be loaded into the database with different trust flags (valid peer, trusted peer, trusted CA etc.). However, it seems that only the certificates with flag T (trusted CA) can be used for authentication in Red Hat MRG. If the certificates is stored as peer, it seems to be ignored by the broker:

2011-03-27 17:14:16 error Error reading socket: Unable to find the certificate or key necessary for authentication. [-12285]

Unfortunately, the flag "T" means that such certificate is trusted Certification Authority and as such, it can sign other certificates with different usernames in subject. These are then successfully authenticated and logged into Red Hat MRG. Therefore, it does not really secure the access to the broker.

How is the EXTERNAL authentication supposed to work in this scenario?


  • Red Hat Enterprise MRG Messaging (MRG-M) 1.3 and 2.0
  • EXTERNAL (certificate-based) client authentication for SSL connections
  • Mozilla's NSS (Network Security Services) cryptography libraries
  • client certificates are not signed by a certificate authority (CA)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In