How to create a self-signed SSL certificate

This article describes how to create a self-signed SSL certificate using the keytool application that comes with the Java JRE that installs with Wowza Streaming Engine™ media server software.

Make sure that the bin folder of your JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you should be able to open a command prompt and execute the command keytool. This will return the command reference for the keytool command. After you have the keytool command up-and-running, do the following to create a self-signed SSL certificate:

  1. Open a command prompt and change the directory to [install-dir]/conf.
  2. Execute the following command: keytool -genkey -alias wowza -keyalg
    keytool -genkey -keysize 2048 -alias wowza -keyalg RSA -keystore
  3. You'll be prompted to answer several questions. The following sample responses assume that the certificate is tied to the domain name
    [Enter keystore password]
    [What is your first and last name]
    [What is the name of your organizational unit]
    Web Department
    [What is the name of your organization]
    My Company Name
    [What is the name of your City or Locality]
    [What is the name of your State or Province]
    [What is the two-letter country code for this unit]
    [Enter key password for <password>]
You'll see a certificate file named in the [install-dir]/conf folder. To configure a TCP port to use this certificate, open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:
  1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove both parts of the comment container (before <HostPort> and after </HostPort>, see example below).
    <!-- 443 with SSL -->
    	<Name>Default SSL Streaming</Name>
    <!-- Admin HostPort -->
    <Name>Default Admin</Name>
  2. Set the <SSLConfig>/<KeyStorePath> value (see above) to:
  3. Set the <SSLConfig>/<KeyStorePassword> value (see above) to the key password.
TCP port 443 is now protected by SSL and RTMPS. You must configure a domain name entry for the domain chosen above and all communications that use port 443 must use either SSL or RTMPS and the domain name specified in the certificate.

The above steps must be followed on any computer that uses RTMPS to play a stream that's protected with a self-signed certificate. It's better to get a signed certificate from Wowza or from another trusted certificate authority. With a trusted certificate, the above steps aren't required. For more information about how to get a signed certificate from a certificate authority, see How to request an SSL certificate from a certificate authority.


  • Self-signed certificates don't work on OS X when using Adobe Flash Player to stream over RTMPS without first installing the certificate in the Keychain and setting its trust level to Always Trust. To extract the certificate and install in the OS X Keychain, do the following:
    1. Extract the certificate from the keystore using the following command, and then copy the file to the Mac:
      keytool -export -alias wowza -file -keystore
    2. Open the Keychain Access utility (Applications > Utilities > Keychain Access).
    3. Under Keychains, select a keychain, and then under Category, select the Certificates category.
    4. Drag-and-drop the onto the Keychain Access utility.
    5. Right-click in the list, and then select Get Info.
    6. In the dialog box that displays the certificate information, in the Trust area, set the When using this certificate option to Always Trust
  • There are two RTMPS streaming methods when using the Adobe Flash player. The default method leverages tunneling (RTMPT over SSL), which can be slow and cause additional server load. The second method is RTMP over SSL, which performs better. You can enable this mode by setting the NetConnection.proxyType to "best" before calling NetConnection.connect. For example:
    var nc:NetConnection = new NetConnection();
    nc.proxyType = "best";
  • For troubleshooting information about SSL certificates and the configuration of Wowza media servers to use SSL certificates, see How to troubleshoot SSL certificate configuration.

If you're having problems or want to discuss this article, post in our forum.