# Enable TLS communication in RabbitMQ

To enable TLS you must manually configure the port used by the TLS listener as well as its certificate and corresponding key.

Do the following:

1. Open the %ALLUSERSPROFILE%\RabbitMQ\advanced.config configuration file;

2. Add the following lines:

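```erlang
[
  {rabbit, [
    %% Disable all non-TLS listeners
    {tcp_listeners, []},
    %% Port used by the TLS listener
    {ssl_listeners, [5671]},
    %% Server certificate and its corresponding private key
    {ssl_options, [{certfile, "C:\\path\\to\\server\\cert.pem"},
                   {keyfile,  "C:\\path\\to\\server\\key.pem"}]}
  ]}
].
```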


This configuration does the following:

1. Disables all non-TLS listeners (tcp_listeners);

Note: You must also ensure that the RABBITMQ_NODE_PORT environment variable is not set for this configuration to be effective.

2. Creates a TLS listener on port 5671 (ssl_listeners);

3. Configures the certificate and its key to be used by the TLS listener (ssl_options).

To apply these settings, open Configuration Tool and click "Create/Upgrade Service" in the Cache tab.
Alternatively, see "Install and configure RabbitMQ using the command-line" for how to apply the settings from the command line.

## Configuring the certificate canonical name

If the canonical name used in the certificate does not match the host name of the machine running the RabbitMQ service, you must manually configure a parameter in the server.hsconf file.

Do the following:

1. In server.hsconf, set the value of the TlsServerCanonicalName parameter in the CacheInvalidationConfiguration section to the certificate canonical name;

2. Open Configuration Tool and click "Apply & Exit" to apply the new setting.
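
To decide whether TlsServerCanonicalName has to be set, you can read the certificate served on port 5671 and compare its names with the machine host name. The script below is an added example, not part of the product documentation. It assumes the usual TLS name rules (subjectAltName DNS entries first, subject CN as fallback, wildcard only as the left-most label), and `ca.pem` is a hypothetical path to the CA bundle that issued the broker certificate.

```python
import socket
import ssl

TLS_PORT = 5671  # ssl_listeners value from advanced.config on this page


def fetch_cert(host, port=TLS_PORT, cafile=None):
    """Return the broker certificate as a dict; the chain is still verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name is compared separately below
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names from subjectAltName, or the subject CN when there are none."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def canonical_name_needed(cert, host):
    """None if the certificate covers host, else the names the certificate carries."""
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return None
    return names


if __name__ == "__main__":
    host = socket.getfqdn()
    # Assumption: ca.pem is the CA bundle that issued the broker certificate.
    needed = canonical_name_needed(fetch_cert(host, cafile="ca.pem"), host)
    print("host name matches" if needed is None else f"set TlsServerCanonicalName to one of {needed}")
```

Run it on the machine that hosts the RabbitMQ service after the TLS listener is active. A connection failure here also shows that the listener or the certificate chain is not configured as intended.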