1 Reply Latest reply on Feb 12, 2007 4:16 PM by vitopn

    self signed cert for SecureRTMP

    vitopn
      Has anyone used a self signed cert for SecureRTMP? If so, a quick step by step post would really really be appreciated.

      Thank you,
      -Vito
        • 1. Re: self signed cert for SecureRTMP
          vitopn Level 1
          After a lot of struggling I finally got rtmps and https channels working with self-signed certificates (using openssl as a personal certificate authority).

          Disclaimer. There may be (probably is) a better easier way to get this to work. I wish I knew how.

          Here is what I did:

          1) Setup a certificate authority

          First setup a personal certificate authority with openssl
          http://www.flatmtn.com/computer/Linux-SSLCertificates.html


          2) Generate the keys in your keystore

          I am using the default keystore for both the tomcat cert and for the rtmps cert. (In XP the default keystore is C:\Documents and Settings\<username>\.keystore and in Linux it's ~/.keystore.)

          keytool -genkey -alias tomcat -dname "CN=localhostOrdomainname, OU=Development, O=ORGNAME, L=CITY, S=STATE, C=US" -validity 3650

          3) Generate the certificate request
          keytool -certreq -alias tomcat -file tomcat.csr


          4) Generate the certificates (on your certificate authority machine)
          openssl ca -out tomcat.pem -config ./openssl.cnf -infiles tomcat.csr

          Convert to a format the Java keystore understands:

          openssl x509 -in tomcat.pem -out tomcat.crt -outform DER


          5) Import your certificate authority certificate (the public certificate you created when setting up your certificate authority)
          a) IE: Double click the cacert.crt file
          b) Firefox: Right click on the cacert.crt and choose open with Firefox
          c) default keystore:
          keytool -import -alias myPrivateCA -trustcacerts -file cacert.crt

          d) cacerts keystore (for the JDK that tomcat is using)
          cd to the folder with the cacerts file; in my case:
          cd C:\Program Files\Java\jdk1.5.0_07\jre\lib\security

          keytool -import -trustcacerts -alias myPrivateCA -file cacert.crt -keystore cacerts

          6) Import the actual certificate into the default keystore
          keytool -import -alias tomcat -file tomcat.crt
          keytool -import -alias flex2cert -file tomcat.crt


          8) Set up your channels in the services-config.xml file

          <channels>
              <channel-definition id="secureRTMP"
                  class="mx.messaging.channels.SecureRTMPChannel">
                  <endpoint uri="rtmps://localhost:2099"
                      class="flex.messaging.endpoints.SecureRTMPEndpoint" />
                  <properties>
                      <idle-timeout-minutes>20</idle-timeout-minutes>
                      <keystore-file>C:/Documents and Settings/<USER>/.keystore</keystore-file>
                      <keystore-password>changeit</keystore-password>
                  </properties>
              </channel-definition>

              <channel-definition id="my-secure-http"
                  class="mx.messaging.channels.SecureHTTPChannel">
                  <endpoint
                      uri="https://{server.name}:8443/Presidio/messagebroker/httpsecur"
                      class="flex.messaging.endpoints.SecureHTTPEndpoint" />
                  <properties>
                      <add-no-cache-headers>false</add-no-cache-headers>
                  </properties>
              </channel-definition>
          </channels>


          Note: setting add-no-cache-headers to false resolves an issue with self-signed certs (http://tech.groups.yahoo.com/group/flexcoders/message/50035).
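The CA, signing and DER-conversion steps of the procedure above as one script, added here as an example and not taken from vitopn's post: it stands up a throwaway private CA, signs a server CSR, emits the DER files that keytool imports, and checks that the signed cert actually chains to the CA and carries the expected CN before anything is imported. It uses "openssl x509 -req" in place of the post's "openssl ca" (so no CA database is needed) and generates the server key and CSR with openssl instead of keytool so it runs without a JDK; WORK, CA_SUBJ and SERVER_CN are assumed names.

```shell
#!/bin/sh
# Added example, not from the original thread. "openssl x509 -req" replaces
# the post's "openssl ca" so no index.txt/serial database is needed.
# WORK, CA_SUBJ and SERVER_CN are assumed names; "changeit" is the
# keystore-password used in the thread's services-config.xml.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=myPrivateCA/O=ORGNAME/C=US"
SERVER_CN="${SERVER_CN:-localhost}"

# 1) Set up the certificate authority: self-signed root, 10-year validity.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    # DER copy: what the thread imports with "keytool -import -trustcacerts".
    openssl x509 -in "$WORK/cacert.pem" -out "$WORK/cacert.crt" -outform DER
}

# 2-3) Server key and CSR (the thread does this with keytool -genkey and
#      keytool -certreq; openssl is used here so no JDK is required).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN/O=ORGNAME/C=US" \
        -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" 2>/dev/null
}

# 4) Sign the CSR with the CA, then convert to DER for "keytool -import".
sign_csr() {
    openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/tomcat.pem" 2>/dev/null
    openssl x509 -in "$WORK/tomcat.pem" -out "$WORK/tomcat.crt" -outform DER
}

# Check before steps 5/6: does tomcat.pem chain to our CA, and is its CN the
# host clients will put in rtmps://host:2099? A mismatch here is a common
# reason a client still rejects the certificate after all the imports.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/tomcat.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/tomcat.pem" -noout -subject | grep -q "CN *= *$SERVER_CN"
}

# 5) Trust the CA in a keystore as the thread does; skipped when no JDK is present.
import_ca_into_keystore() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -import -noprompt -trustcacerts -alias myPrivateCA -file "$WORK/cacert.crt" \
        -keystore "$WORK/.keystore" -storepass changeit
}
```

Run make_ca, make_csr, sign_csr and verify_chain in that order; tomcat.crt and cacert.crt in $WORK are then the files the post's keytool -import commands expect.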