Import an existing SSL certificate and private key for Wowza Streaming Engine

Want To Try Us Out?

Our trial plan is free, with no obligation or credit card required. Start your free trial and you'll be streaming in minutes!

Start your trial!

This article describes how to use an existing Secure Sockets Layer (SSL) certificate with Wowza Streaming Engine™ media server software.


To use an existing SSL certificate you must configure the Wowza Streaming Engine JRE to use the keytool utility, you must have a signed SSL certificate, and you must have an SSL toolkit on the computer you're using to run Wowza Streaming Engine.

Configure the Java JRE to use keytool

The Java keytool utility installs with your Wowza Streaming Engine JRE. It's located at [install-dir]/java/bin. In order to use it, add the bin folder to your PATH environment variable. In a Command Prompt or Terminal window, type export PATH=$PATH:~/[install-dir]/java/bin

To test that keytool is configured properly, enter keytool at a command prompt. The command should return the command reference for the tool.

Get an SSL certificate

If you don't have an SSL certificate, see any of the following articles for instructions on generating one:

Get an SSL/TLS toolkit

You'll also need a an SSL/TLS toolkit. The instructions in this article use the OpenSSL toolkit.

Convert the certificate and private key to PKCS 12

You can't directly import private key information to a keystore (.JKS) using keytool. Instead, you must convert the certificate and private key into a PKCS 12 (.p12) file, and then you can import the PKCS 12 file into your keystore.
  1. In a Command Prompt or Terminal window, change to the directory [install-dir]/conf.
  2. Execute the command:
    openssl pkcs12 -export -in [<em>filename-certificate</em>] -inkey [<em>filename-key</em>] -name [<em>host</em>] -out [<em>filename-new</em>-PKCS-12.p12]

Import the certificate to the keystore

  1. Import the PKCS 12 certificate by executing the following command:
    keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12

    where the [password] is the password you specified when you created the private key.

  2. Execute one of the following commands:
    • If you have a CA bundle file, import it by executing the following command:
      keytool -import -alias bundle -trustcacerts -file [ca_bundle] -keystore [filename-new-keystore.jks]
    • If you don't have a CA bundle file, import certificates by executing the following command for each certificate type:
      keytool -import -alias [certificate-type] -trustcacerts -file [certificate-file] -keystore [filename-new-keystore.jks]

      where [certificate-type] is the type of certificate (for example, root or intermediate).

Configure a host port to use the certificate

Now, configure Wowza Streaming Engine to use the certificate.
  1. Navigate to [install-dir]/conf/ and open VHost.xml file in a text editor.
  2. Uncomment the <HostPort> definition for port 443, which follows the comment <!-- 443 with SSL --> in the file.

    Be sure to remove the comment before <HostPort> and after </HostPort>.

  3. Set the <SSLConfig>/<KeyStorePath> to:
  4. Set the SSLConfig/KeyStorePassword to the keystore password entered above.
  5. Restart Wowza Streaming Engine.

Test the certificate in Wowza Streaming Engine

Finally, test that the SSL certificate is working properly with Wowza Streaming Engine by mapping the IP address of your local Wowza Streaming Engine server to the domain of the certificate. This requires editing the hosts file on the computer running Wowza Streaming Engine.

In most versions of Windows, the hosts file is located in c:\Windows\System32\Drivers\etc and you can edit it using Notepad, as long as you run as an administrator.

On macOS, use Terminal to open the hosts file by typing sudo nan /private/etc/hosts

Important: Be careful when editing the hosts file. Mistakes can lead to a variety of problems, such as inaccessible network locations, network failures, or blocked websites.

  1. Edit the hosts file so that the domain name for the certificate points to the localhost IP address. For example, assuming the localhost IP address is, add the following lines to the file:
    #testing ssl
    # END ssl test
  2. Check the [install-dir]/logs/wowzastreamingengine_access.log for the following statements, which indicate that it successfully bonded to port 443:
    SSL ([any]:443): keyStorePath:/Library/WowzaStreamingEngine/conf/
    Bind successful ([any]:443)
  3. After completing the test, remove the testing code from hosts.

More resources