Create a self-signed SSL certificate for Wowza Streaming Engine

This article describes how to create a self-signed SSL certificate using the keytool application that comes with the Java JRE that installs with Wowza Streaming Engine™ media server software.

Before starting, make sure that the bin folder of your JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you should be able to open a command prompt and execute the command keytool. This will return the command reference for the keytool command. Then, create the self-signed SSL certificate and configure a TCP port to use it.

Note: Self-signed certificates are not trusted by browsers or most players: clients will warn about, or refuse, the connection until the certificate is explicitly trusted on each client. Use a self-signed certificate for testing only, and use a signed certificate from Wowza or another trusted certificate authority in production.

Create the self-signed SSL certificate


  1. Open a command prompt and change the directory to [install-dir]/conf.
     
  2. Execute the following command (keytool -genkey is the older name of -genkeypair; both create a key pair and a self-signed certificate for it):
    keytool -genkey -keysize 2048 -alias wowza -keyalg RSA -keystore ssl.mycompany.com.jks
  3. You'll be prompted to answer several questions. The following sample responses assume that the certificate is tied to the domain name ssl.mycompany.com:
    [Enter keystore password]
    password
    [What is your first and last name]
    ssl.mycompany.com
    [What is the name of your organizational unit]
    Web Department
    [What is the name of your organization]
    My Company Name
    [What is the name of your City or Locality]
    Golden
    [What is the name of your State or Province]
    Colorado
    [What is the two-letter country code for this unit]
    US
    [Enter key password for <wowza> (RETURN if same as keystore password)]
    password

You'll now have a Java keystore file named ssl.mycompany.com.jks in the [install-dir]/conf folder. It holds both the private key and the self-signed certificate, so treat it like a private key: make it readable only by the account that Wowza Streaming Engine runs as. Use the same value for the keystore password and the key password; VHost.xml has a single <KeyStorePassword> element, which Wowza uses for both.

Configure a TCP port to use the certificate


To configure a TCP port to use this certificate, open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:

  1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove both parts of the comment container (before <HostPort> and after </HostPort>, see example below).
    <!-- 443 with SSL -->
    <!--
    <HostPort>
        <Name>Default SSL Streaming</Name>
        <Type>Streaming</Type>
        <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
        <IpAddress>*</IpAddress>
        <Port>443</Port>
        <HTTPIdent2Response></HTTPIdent2Response>
        <SSLConfig>
            <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
            <KeyStorePassword>[password]</KeyStorePassword>
            <KeyStoreType>JKS</KeyStoreType>
            <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
            <SSLProtocol>TLS</SSLProtocol>
            <Algorithm>SunX509</Algorithm>
            <CipherSuites></CipherSuites>
            <Protocols></Protocols>
        </SSLConfig>
        <SocketConfiguration>
            <ReuseAddress>true</ReuseAddress>
            <ReceiveBufferSize>65000</ReceiveBufferSize>
            <ReadBufferSize>65000</ReadBufferSize>
            <SendBufferSize>65000</SendBufferSize>
            <KeepAlive>true</KeepAlive>
            <AcceptorBackLog>100</AcceptorBackLog>
        </SocketConfiguration>
        <HTTPStreamerAdapterIDs>cupertinostreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
        <HTTPProviders>
            <HTTPProvider>
                <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                <RequestFilters>*crossdomain.xml</RequestFilters>
                <AuthenticationMethod>none</AuthenticationMethod>
            </HTTPProvider>
            <HTTPProvider>
                <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                <AuthenticationMethod>none</AuthenticationMethod>
            </HTTPProvider>
            <HTTPProvider>
                <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil</RequestFilters>
                <AuthenticationMethod>none</AuthenticationMethod>
            </HTTPProvider>
            <HTTPProvider>
                <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                <RequestFilters>*ServerVersion</RequestFilters>
                <AuthenticationMethod>none</AuthenticationMethod>
            </HTTPProvider>
        </HTTPProviders>
    </HostPort>
    -->
    <!-- Admin HostPort -->
    <HostPort>
        <Name>Default Admin</Name>
  2. Set the <SSLConfig>/<KeyStorePath> value to:
    ${com.wowza.wms.context.VHostConfigHome}/conf/ssl.mycompany.com.jks
  3. Set the <SSLConfig>/<KeyStorePassword> value (shown as [password] above) to the keystore password you chose when creating the keystore. The password is stored in plain text, so restrict read access to VHost.xml to the Wowza service account.

After you restart Wowza Streaming Engine, TCP port 443 serves the HTTP-based streaming protocols listed in <HTTPStreamerAdapterIDs> over HTTPS, and RTMP over RTMPS; plain HTTP or RTMP connections to port 443 will fail. Create a DNS entry for the domain name used in the certificate (ssl.mycompany.com in the example) and have clients connect with that host name rather than an IP address, because the certificate is only valid for that name.
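The two procedures above (creating the keystore, then enabling the 443 HostPort) can be scripted. The following is an added example and not part of the Wowza article or Wowza's own code. It assumes the article's sample values (domain ssl.mycompany.com, alias wowza, the DN fields), an environment variable named WOWZA_KEYSTORE_PASS chosen here for the password, and a constructed, trimmed-down VHost.xml that mirrors the layout shown above. It goes a little beyond the article: the keytool command adds a Subject Alternative Name, since current browsers match the host name against the SAN rather than the common name, and the VHost.xml edit refuses to run twice rather than uncommenting the wrong block.

```python
# Added example, not Wowza's code. Assumed names: WOWZA_KEYSTORE_PASS (env var),
# SAMPLE_VHOST_XML (constructed, trimmed copy of the VHost.xml layout in the article).
import os
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MARKER = "<!-- 443 with SSL -->"
VHOST_HOME = "${com.wowza.wms.context.VHostConfigHome}"
PASS_ENV = "WOWZA_KEYSTORE_PASS"  # assumed name; keytool reads it via -storepass:env


def keytool_genkeypair_cmd(domain, keystore_path, alias="wowza", days=365):
    """Non-interactive equivalent of the article's keytool session.
    Passwords come from an environment variable (keytool's -storepass:env /
    -keypass:env form) so they never show up in `ps`. -ext SAN is added because
    browsers match the host name against the SAN, not the CN."""
    dname = (f"CN={domain}, OU=Web Department, O=My Company Name, "
             "L=Golden, ST=Colorado, C=US")
    return [
        "keytool", "-genkeypair", "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA",
        "-validity", str(days), "-dname", dname, "-ext", f"SAN=dns:{domain}",
        "-keystore", keystore_path, "-storetype", "JKS",
        "-storepass:env", PASS_ENV,
        "-keypass:env", PASS_ENV,  # VHost.xml has one password for store and key
    ]


def create_keystore(domain, keystore_path, password):
    """Run keytool if it is on PATH; returns False if it is not (PATH not set up).
    The keystore holds the private key, so it is made readable by the owner only."""
    if shutil.which("keytool") is None:
        return False
    env = dict(os.environ, **{PASS_ENV: password})
    subprocess.run(keytool_genkeypair_cmd(domain, keystore_path), env=env, check=True)
    os.chmod(keystore_path, 0o600)
    return True


def enable_ssl_hostport(vhost_xml, keystore_file, password):
    """Uncomment the HostPort that follows the '443 with SSL' marker and point its
    SSLConfig at keystore_file. Edits the text, so other comments in VHost.xml
    survive; raises if the block is missing or already enabled instead of
    silently uncommenting some later block."""
    marker_at = vhost_xml.find(MARKER)
    if marker_at < 0:
        raise ValueError("no '443 with SSL' HostPort template in VHost.xml")
    open_at = vhost_xml.find("<!--", marker_at + len(MARKER))
    close_at = vhost_xml.find("-->", open_at) if open_at >= 0 else -1
    if open_at < 0 or close_at < 0:
        raise ValueError("no comment block after the '443 with SSL' marker")
    body = vhost_xml[open_at + 4:close_at]
    if "<Port>443</Port>" not in body:
        raise ValueError("comment after the marker is not the 443 HostPort; already enabled?")
    path = f"{VHOST_HOME}/conf/{keystore_file}"
    body = re.sub(r"<KeyStorePath>.*?</KeyStorePath>",
                  lambda m: f"<KeyStorePath>{path}</KeyStorePath>", body, count=1)
    body = re.sub(r"<KeyStorePassword>.*?</KeyStorePassword>",
                  lambda m: f"<KeyStorePassword>{escape(password)}</KeyStorePassword>",
                  body, count=1)
    return vhost_xml[:open_at] + body + vhost_xml[close_at + 3:]


def ssl_hostport_settings(vhost_xml):
    """Return the SSLConfig values of the active port-443 HostPort, or {} if none.
    Parsing the result also checks that the edited file is still well-formed XML."""
    for hostport in ET.fromstring(vhost_xml).iter("HostPort"):
        if (hostport.findtext("Port") or "").strip() == "443":
            ssl = hostport.find("SSLConfig")
            return {tag: (ssl.findtext(tag) or "").strip()
                    for tag in ("KeyStorePath", "KeyStorePassword", "KeyStoreType")}
    return {}


# Constructed sample, trimmed to the elements the edit touches (not a real VHost.xml).
SAMPLE_VHOST_XML = """<Root><VHost><HostPortList>
  <!-- 443 with SSL -->
  <!--
  <HostPort>
    <Name>Default SSL Streaming</Name>
    <Port>443</Port>
    <SSLConfig>
      <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
      <KeyStorePassword>[password]</KeyStorePassword>
      <KeyStoreType>JKS</KeyStoreType>
    </SSLConfig>
  </HostPort>
  -->
  <!-- Admin HostPort -->
  <HostPort><Name>Default Admin</Name><Port>8086</Port></HostPort>
</HostPortList></VHost></Root>
"""

if __name__ == "__main__":
    patched = enable_ssl_hostport(SAMPLE_VHOST_XML, "ssl.mycompany.com.jks", "password")
    print(ssl_hostport_settings(patched))
    print(" ".join(keytool_genkeypair_cmd("ssl.mycompany.com", "conf/ssl.mycompany.com.jks")))
```

After restarting Wowza, confirm the port is answering TLS with the expected certificate from another machine, for example with openssl s_client -connect ssl.mycompany.com:443 -servername ssl.mycompany.com, and check that the printed subject and SAN contain the domain name you chose.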

More resources