diff --git a/terraform/vault/default.nix b/terraform/vault/default.nix
index e4d265b..3bae0c1 100644
--- a/terraform/vault/default.nix
+++ b/terraform/vault/default.nix
@@ -63,7 +63,9 @@
 ci = {
 # This allows the CI to issue certificates for CI purposes.
 # It should be a relative path.
- "pki/issue/ci".capabilities = [ "read" "create" "update" ];
+ "issue/ci".capabilities = [ "read" "create" "update" ];
+ # CI is allowed to be a RabbitMQ server.
+ "issue/rabbitmq-server".capabilities = [ "read" "create" "update" ];
 };
 };

@@ -77,6 +79,16 @@
 allow_wildcard_certificates = false;
 ou = [ "Floral Systems Continuous Integration Systems" ];
 };
+
+ rabbitmq-server = {
+ ttl = "7d";
+ max_ttl = "45d";
+ allowed_domains = [ "amqp.forkos.org" ];
+ allow_subdomains = false;
+ allow_glob_domains = false;
+ allow_wildcard_certificates = false;
+ ou = [ "Floral Systems AMQP Systems" ];
+ };
 };

 # It's possible to continue the chain but we don't need that here.
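Review bot: In the first hunk, the new `"issue/rabbitmq-server"` grant in the `ci` policy means every workload that authenticates under that policy can obtain a certificate for the broker's hostname, which is broader than the comment `# CI is allowed to be a RabbitMQ server.` explains. If the broker runs on a dedicated host rather than inside CI jobs, a separate policy bound to that host's identity would keep the blast radius of a CI compromise away from the AMQP server identity. Otherwise the comment should say why CI needs it, e.g. `# CI runners host the AMQP broker, so they must be able to renew its server certificate.` Issuing is a write to the endpoint, so `"read"` is likely unnecessary and the line could be `"issue/rabbitmq-server".capabilities = [ "create" "update" ];`, assuming the module passes capabilities through unchanged. The `ci` attribute set and the policy it belongs to open outside the hunk.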
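Review bot: In the second hunk, the `rabbitmq-server` role lists `amqp.forkos.org` in `allowed_domains` while disabling subdomains, globs and wildcards, but nothing visible enables issuing for the bare domain itself. In Vault's PKI role model that is `allow_bare_domains`, which is off by default, so a request for exactly `amqp.forkos.org` may be refused unless the module sets it elsewhere. Because the CI policy can issue against this role, the SAN options that default to permissive are also worth pinning explicitly. Proposed additions inside the role: `allow_bare_domains = true;`, `allow_ip_sans = false;`, `allow_localhost = false;`. The enclosing set of roles opens outside the hunk, so any shared defaults applied there are not visible from here.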