1 Reply Latest reply on Feb 12, 2007 4:16 PM by vitopn

    self signed cert for SecureRTMP

      Has anyone used a self signed cert for SecureRTMP? If so, a quick step by step post would really really be appreciated.

      Thank you,
        • 1. Re: self signed cert for SecureRTMP
          vitopn Level 1
          After a lot of struggling I finally got rtmps and https channels working with self-signed certificates (using openssl as a personal certificate authority).

          Disclaimer: There may be (probably is) a better, easier way to get this to work. I wish I knew how.

          Here is what I did:

          1) Set up a certificate authority

          First set up a personal certificate authority with openssl

          2) Generate the keys in your keystore

          I am using the default keystore for both the tomcat cert and for the rtmps cert. (In XP the default keystore is here: C:\Documents and Settings\<username>\.keystore and in Linux it's ~/.keystore)

          keytool -genkey -alias tomcat -dname "CN=localhostOrdomainname, OU=Development, O=ORGNAME, L=CITY, S=STATE, C=US" -validity 3650

          3) Generate the certificate request
          keytool -certreq -alias tomcat -file tomcat.csr

          4) Generate the certificates (on your certificate authority machine)
          openssl ca -out tomcat.pem -config ./openssl.cnf -infiles tomcat.csr

          Convert to a format the Java keystore understands

          openssl x509 -in tomcat.pem -out tomcat.crt -outform DER

          5) Import your certificate authority certificate (the public certificate you created when setting up your certificate authority)
          a) IE: Double click the cacert.crt file
          b) Firefox: Right click on the cacert.crt and choose open with Firefox
          c) default keystore:
          keytool -import -alias myPrivateCA -trustcacerts -file cacert.crt

          d) cacerts keystore (for the jdk that tomcat is using)
          cd to the folder with the cacerts file, in my case:
          cd C:\Program Files\Java\jdk1.5.0_07\jre\lib\security

          keytool -import -trustcacerts -alias myPrivateCA -file cacert.crt -keystore cacerts

          6) Import the actual certificate into the default keystore
          keytool -import -alias tomcat -file tomcat.crt
          keytool -import -alias flex2cert -file tomcat.crt

          8) Set up your channels in the services-config.xml file

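          <channel-definition id="secureRTMP" class="mx.messaging.channels.SecureRTMPChannel">
              <endpoint uri="rtmps://localhost:2099"
                        class="flex.messaging.endpoints.SecureRTMPEndpoint" />
              <properties>
                  <keystore-file>C:/Documents and Settings/<USER>/.keystore</keystore-file>
              </properties>
          </channel-definition>

          <channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
              <!-- the endpoint uri is not shown in the post -->
              <endpoint class="flex.messaging.endpoints.SecureHTTPEndpoint" />
          </channel-definition>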

          Note: the add-no-cache-headers false resolves an issue with self-signed certs (http://tech.groups.yahoo.com/group/flexcoders/message/50035)
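
Added example, not part of vitopn's post: a self-contained run of steps 1 to 4 that also checks the result before anything is imported into a keystore, namely that the issued certificate chains to the private CA and that its name matches the host clients connect to. Assumptions: the subject values and file layout are constructed, `openssl x509 -req` is swapped in for the post's `openssl ca -config ./openssl.cnf`, and the CSR is generated with openssl instead of `keytool -certreq`, so it runs without a CA directory or a JDK.

```bash
#!/usr/bin/env bash
# Added example, not from the post. Subject values and file names are constructed.
set -eu

make_ca() {        # $1 = directory that will hold cakey.pem / cacert.pem
  # -nodes leaves the CA key unencrypted so the demo runs unattended;
  # protect a real CA key with a passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private CA/O=ORGNAME/C=US" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

make_csr() {       # $1 = directory, $2 = host name; stand-in for keytool -genkey/-certreq
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2/OU=Development/O=ORGNAME/C=US" \
    -keyout "$1/server.key" -out "$1/tomcat.csr" 2>/dev/null
}

sign_csr() {       # $1 = CA directory, $2 = directory holding tomcat.csr
  openssl x509 -req -in "$2/tomcat.csr" -sha256 -days 365 \
    -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -out "$2/tomcat.pem" 2>/dev/null
  # Same DER conversion as in the post, ready for keytool -import
  openssl x509 -in "$2/tomcat.pem" -out "$2/tomcat.crt" -outform DER
}

chain_ok() {       # $1 = CA certificate (PEM), $2 = server certificate (PEM)
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

host_ok() {        # $1 = server certificate (PEM), $2 = host name clients connect to
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"; make_csr "$d" localhost; sign_csr "$d" "$d"
  chain_ok "$d/cacert.pem" "$d/tomcat.pem" && host_ok "$d/tomcat.pem" localhost \
    && echo "chain and host name verify"
  rm -rf "$d"
}
demo
```

If `chain_ok` fails, the CA certificate being imported in step 5 is not the one that signed the server certificate; if `host_ok` fails, the CN given to `-dname` in step 2 does not match the host in the endpoint uri.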