After a lot of struggling I finally got rtmps and https channels working with self-signed certificates (using openssl as a personal certificate authority).
Disclaimer: there may be (probably is) a better, easier way to get this to work. I wish I knew how.
Here is what I did:
1) Set up a certificate authority
First set up a personal certificate authority with openssl:
http://www.flatmtn.com/computer/Linux-SSLCertificates.html
2) Generate the keys in your keystore
I am using the default keystore for both the tomcat cert and for the rtmps cert. (In XP the default keystore is C:\Documents and Settings\<username>\.keystore and in Linux it's ~/.keystore.)
keytool -genkey -alias tomcat -keyalg RSA -dname "CN=localhostOrdomainname, OU=Development, O=ORGNAME, L=CITY, S=STATE, C=US" -validity 3650
(-keyalg RSA is explicit because keytool's default key algorithm is DSA; RSA is what TLS clients support universally. The CN must be the hostname clients connect to.)
3) Generate the certificate request
keytool -certreq -alias tomcat -file tomcat.csr
4) Generate the certificate (on your certificate authority machine)
openssl ca -out tomcat.pem -config ./openssl.cnf -infiles tomcat.csr
Convert it to a format the Java keystore understands:
openssl x509 -in tomcat.pem -out tomcat.crt -outform DER
5) Import your certificate authority certificate (the public certificate you created when setting up your certificate authority):
a) IE: double-click the cacert.crt file
b) Firefox: right-click on cacert.crt and choose Open With > Firefox
c) default keystore:
keytool -import -alias myPrivateCA -trustcacerts -file cacert.crt
d) cacerts keystore (for the JDK that Tomcat is using); cd to the folder with the cacerts file, in my case:
cd C:\Program Files\Java\jdk1.5.0_07\jre\lib\security
keytool -import -trustcacerts -alias myPrivateCA -file cacert.crt -keystore cacerts
(The stock cacerts password is changeit.)
6) Import the signed certificate into the default keystore
keytool -import -alias tomcat -file tomcat.crt
keytool -import -alias flex2cert -file tomcat.crt
The import under the existing alias tomcat is a certificate reply: it replaces the self-signed certificate in that key entry with the CA-signed one, and keytool builds the chain from the myPrivateCA entry imported in step 5 (so step 5 has to come first).
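Steps 1 through 6 as one runnable script, added here as an example and not part of the original post. It stands in for the linked flatmtn CA how-to with a minimal throwaway openssl CA, assumes a current JDK (keytool -genkeypair; on JDK 5 the verb is -genkey) and OpenSSL on Linux, and the directory ./demo-ca, the CA name "Demo Private CA", the hostname localhost, ORGNAME/CITY/STATE and the password changeit are all placeholders of this example. It adds two things the post's steps do not show: policy_anything in the CA config (openssl ca's default policy_match rejects a CSR whose C, ST or O differ from the CA certificate, a common reason step 4 fails) and a subjectAltName on the server cert, plus a final check that the key entry's chain is now two certificates long, which is what proves the self-signed cert was replaced.

```shell
#!/bin/sh
# Added example, not the original post's commands. Everything under ./demo-ca,
# the CA name, hostname and the password "changeit" are placeholders for the demo.
set -e

# 1) Minimal openssl CA: layout plus the config that `openssl ca` reads.
#    policy_anything replaces the default policy_match (which requires C/ST/O to
#    match the CA cert); subjectAltName is what modern clients actually check.
setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_anything
x509_extensions = server_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_cert
[ req_dn ]
CN = Demo Private CA
O = ORGNAME
C = US
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca/openssl.cnf" \
    -keyout "$WORK/ca/cakey.pem" -out "$WORK/ca/cacert.pem"
  # DER copy: this is the cacert.crt that browsers and keytool import in step 5.
  openssl x509 -in "$WORK/ca/cacert.pem" -outform DER -out "$WORK/ca/cacert.crt"
}

# 2-3) RSA key pair in a JKS keystore (the post's ~/.keystore is JKS), then the CSR.
gen_keypair_and_csr() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=$HOST, OU=Development, O=ORGNAME, L=CITY, ST=STATE, C=US" \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias tomcat -file "$WORK/tomcat.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# 4) Sign with the CA (-batch: no prompts, -notext: pure PEM output), then DER as in the post.
sign_csr() {
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
    -out "$WORK/tomcat.pem" -infiles "$WORK/tomcat.csr"
  openssl x509 -in "$WORK/tomcat.pem" -outform DER -out "$WORK/tomcat.crt"
}

# 5-6) Trust the CA first, then install the signed cert as the reply for the tomcat
#      key entry; keytool builds the chain from the myPrivateCA entry. The JDK cacerts
#      import (step 5d) is the same command with -keystore .../cacerts and is left out
#      so the demo does not modify the JDK.
import_certs() {
  keytool -importcert -noprompt -alias myPrivateCA -trustcacerts \
    -file "$WORK/ca/cacert.crt" -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias tomcat \
    -file "$WORK/tomcat.crt" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Checks: openssl validates leaf -> CA, and the key entry's chain must be 2 long
# (leaf + CA). A length of 1 means the self-signed certificate is still in place.
chain_length() {
  keytool -list -v -alias tomcat -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}
verify_result() {
  openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/tomcat.pem" >/dev/null
  [ "$(chain_length "$KEYSTORE")" = "2" ]
}

# run_demo <workdir> <hostname>, e.g.: run_demo ./demo-ca localhost
run_demo() {
  WORK=$1; HOST=$2; STOREPASS=${STOREPASS:-changeit}; KEYSTORE="$WORK/.keystore"
  setup_ca && gen_keypair_and_csr && sign_csr && import_certs && verify_result
}
```

Point the channel's keystore-file at the resulting ./demo-ca/.keystore; the CA cert to hand to browsers and to the JDK cacerts is ./demo-ca/ca/cacert.crt.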
7) Set up your channels in the services-config.xml file
<channels>
    <channel-definition id="secureRTMP"
        class="mx.messaging.channels.SecureRTMPChannel">
        <endpoint uri="rtmps://localhost:2099"
            class="flex.messaging.endpoints.SecureRTMPEndpoint" />
        <properties>
            <idle-timeout-minutes>20</idle-timeout-minutes>
            <keystore-file>C:/Documents and Settings/<USER>/.keystore</keystore-file>
            <keystore-password>changeit</keystore-password>
        </properties>
    </channel-definition>
    <channel-definition id="my-secure-http"
        class="mx.messaging.channels.SecureHTTPChannel">
        <endpoint
            uri="https://{server.name}:8443/Presidio/messagebroker/httpsecur"
            class="flex.messaging.endpoints.SecureHTTPEndpoint" />
        <properties>
            <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>
</channels>
Note: setting add-no-cache-headers to false resolves an issue with self-signed certs (http://tech.groups.yahoo.com/group/flexcoders/message/50035). Also note that keystore-password sits in services-config.xml in clear text, so restrict who can read that file on the server.