Create a self-signed SSL certificate for Wowza Streaming Engine

This article describes how to create a self-signed SSL certificate using the keytool application that comes with the Java JRE that installs with Wowza Streaming Engine™ media server software.

Before starting, make sure that the bin folder of your JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you should be able to open a command prompt and execute the command keytool. This will return the command reference for the keytool command. Then, create the self-signed SSL certificate and configure a TCP port to use it.

Create the self-signed SSL certificate

  1. Open a command prompt and change the directory to [install-dir]/conf.
  2. Execute the following command:
    keytool -genkey -keysize 2048 -alias wowza -keyalg RSA -keystore
  3. You'll be prompted to answer several questions. The following sample responses assume that the certificate is tied to the domain name
    [Enter keystore password]
    [What is your first and last name]
    [What is the name of your organizational unit]
    Web Department
    [What is the name of your organization]
    My Company Name
    [What is the name of your City or Locality]
    [What is the name of your State or Province]
    [What is the two-letter country code for this unit]
    [Enter key password for <password>]

You'll see a certificate file named in the [install-dir]/conf folder.

Configure a TCP port to use the certificate

To configure a TCP port to use this certificate, open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:

  1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove both parts of the comment container (before <HostPort> and after </HostPort>, see example below).
    <!-- 443 with SSL -->
        <Name>Default SSL Streaming</Name>
    <!-- Admin HostPort -->
        <Name>Default Admin</Name>
  2. Set the <SSLConfig>/<KeyStorePath> value to:
  3. Set the <SSLConfig>/<KeyStorePassword> value (see above) to the key password.

TCP port 443 is now protected by SSL and RTMPS. You must configure a domain name entry for the domain chosen above, and all communications that use port 443 must use either SSL or RTMPS together with the domain name specified in the certificate.
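
The following check for the VHost.xml edits above is an added example, not part of the original article or of Wowza's tooling. It reports a port 443 <HostPort> that is still commented out, a half-removed comment container, and an empty <KeyStorePath> or <KeyStorePassword>. The <Port> element, the keystore path and the password in the sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server file. The <Port> element, the keystore
# path and the password are assumptions; only <HostPort>, <Name>, <SSLConfig>,
# <KeyStorePath> and <KeyStorePassword> appear in the article.
SAMPLE_OK = """<Root><VHost><HostPortList>
  <!-- 443 with SSL -->
  <HostPort>
    <Name>Default SSL Streaming</Name>
    <Port>443</Port>
    <SSLConfig>
      <KeyStorePath>/example/conf/example.jks</KeyStorePath>
      <KeyStorePassword>example-password</KeyStorePassword>
    </SSLConfig>
  </HostPort>
</HostPortList></VHost></Root>"""

# Same block with both comment markers still in place (step 1 skipped).
SAMPLE_COMMENTED = SAMPLE_OK.replace("<HostPort>", "<!--\n<HostPort>").replace(
    "</HostPort>", "</HostPort>\n-->")

# Only the opening marker removed: the leftover "-->" becomes stray text.
SAMPLE_HALF = SAMPLE_OK.replace("</HostPort>", "</HostPort>\n-->")


def audit_vhost(xml_text, port="443"):
    """Return a list of problems with the SSL <HostPort> for `port`."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"VHost.xml is not well-formed XML: {exc}"]
    problems = []
    # A leftover comment terminator is parsed as ordinary character data.
    if any("-->" in (el.text or "") + (el.tail or "") for el in root.iter()):
        problems.append("stray '-->' left behind: half of a comment container remains")
    hosts = [hp for hp in root.iter("HostPort")
             if (hp.findtext("Port") or "").strip() == port]
    if not hosts:
        problems.append(f"no active <HostPort> for port {port} (still commented out?)")
    for hp in hosts:
        for tag in ("KeyStorePath", "KeyStorePassword"):
            if not (hp.findtext(f"SSLConfig/{tag}") or "").strip():
                problems.append(f"<SSLConfig>/<{tag}> is empty or missing")
    return problems
```

An empty list from audit_vhost means the SSL HostPort is active and both keystore values are filled in; it does not confirm that the keystore file exists or that the password is correct.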

The above steps must be followed on any computer that uses RTMPS to play a stream that's protected with a self-signed certificate. It's better to get a signed certificate from Wowza or from another trusted certificate authority. With a trusted certificate, the above steps aren't required. For more information about how to get a signed certificate from a certificate authority, see Request an SSL certificate for Wowza Streaming Engine from a certificate authority.


  • Self-signed certificates don't work on macOS when using Adobe Flash Player to stream over RTMPS without first installing the certificate in the Keychain and setting its trust level to Always Trust. To extract the certificate and install it in the macOS Keychain, do the following:
    1. Extract the certificate from the keystore using the following command, and then copy the file to the Mac:

      keytool -export -alias wowza -file -keystore
    2. Open the Keychain Access utility (Applications > Utilities > Keychain Access).
    3. Under Keychains, select a keychain, and then under Category, select the Certificates category.
    4. Drag-and-drop the onto the Keychain Access utility.
    5. Right-click in the list, and then select Get Info.
    6. In the dialog box that displays the certificate information, in the Trust area, set the When using this certificate option to Always Trust.
  • There are two RTMPS streaming methods when using the Adobe Flash player. The default method leverages tunneling (RTMPT over SSL), which can be slow and cause additional server load. The second method is RTMP over SSL, which performs better. You can enable this mode by setting the NetConnection.proxyType to "best" before calling NetConnection.connect. For example:

    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
