self signed cert for SecureRTMP


Has anyone used a self signed cert for SecureRTMP? If so, a
quick step by step post would really really be appreciated.

Thank you,


1 Reply


After a lot of struggling I finally got rtmps and https
channels working with self signed certificates (using openssl as a
personal certificate authority)

Disclaimer: There may be (probably is) a better, easier way to
get this to work. I wish I knew how.

Here is what I did:

1) Set up a certificate authority

First set up a personal certificate authority with openssl


2) Generate the keys in your keystore

I am using the default keystore for both the tomcat cert and
for the rtmps cert. (In XP the default keystore is here
C:\Documents and Settings\<username>\.keystore and in linux
it’s ~/.keystore)

keytool -genkey -alias tomcat -dname "CN=localhostOrdomainname, OU=Development, O=ORGNAME, L=CITY, S=STATE, C=US" -validity 3650

3) Generate the certificate request

keytool -certreq -alias tomcat -file tomcat.csr

4) Generate the certificates (on your certificate authority)

openssl ca -out tomcat.pem -config ./openssl.cnf -infiles

Convert to a format the Java keystore understands

openssl x509 -in tomcat.pem -out tomcat.crt -outform DER

5) Import your certificate authority certificate (the public
certificate you created when setting up your certificate authority)

a) IE: Double click the cacert.crt file

b) Firefox: Right click on the cacert.crt and choose open
with Firefox

c) default keystore:

keytool -import -alias myPrivateCA -trustcacerts -file

d) cacerts keystore (for the jdk that tomcat is using)

cd to the folder with the cacerts file, in my case:

cd C:\Program Files\Java\jdk1.5.0_07\jre\lib\security

keytool -import -trustcacerts -alias myPrivateCA -file cacert.crt -keystore cacerts

6) Import the actual certificate into the default keystore

keytool -import -alias tomcat -file tomcat.crt

keytool -import -alias flex2cert -file tomcat.crt

8) Set up your channels in the services-config.xml file


<channel-definition id="secureRTMP"


<endpoint uri="rtmps://localhost:2099" class="flex.messaging.endpoints.SecureRTMPEndpoint" />



<keystore-file> C:/Documents and




<channel-definition id="my-secure-http"




class="flex.messaging.endpoints.SecureHTTPEndpoint" />






Note: the add-no-cache-headers false resolves an issue with
self-signed certs (
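A pre-import check for steps 4 to 6 above, as an added example that is not part of the original post: before running `keytool -import` on the signed certificate, confirm that it chains to the private CA and carries the same public key as the certificate request. The demo files are constructed in a temporary directory, and openssl stands in for keytool when creating the server key and request (an assumption, so the script needs only one tool); the CA certificate is assumed to be PEM.

```shell
#!/usr/bin/env bash
# Added example: checks to run on a CA-signed certificate before importing it
# into a Java keystore. All file names below are constructed for the demo.

# Build a throwaway CA, a server key + CSR, and a CA-signed certificate in $1.
# (openssl creates the key and CSR here; the post uses keytool for that part.)
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/tomcat.key" -out "$d/tomcat.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/tomcat.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 1 -out "$d/tomcat.pem" 2>/dev/null &&
  # Same PEM-to-DER conversion as step 4 of the post.
  openssl x509 -in "$d/tomcat.pem" -out "$d/tomcat.crt" -outform DER
}

# Digest of the public key inside a CSR (req) or certificate (x509).
pubkey_hash() {  # usage: pubkey_hash req|x509 FILE [PEM|DER]
  openssl "$1" -in "$2" -inform "${3:-PEM}" -noout -pubkey | openssl sha256
}

# Return 0 only if the DER certificate chains to the CA and matches the CSR key.
check_reply() {  # usage: check_reply CA_PEM CSR_PEM CERT_DER
  local ca="$1" csr="$2" crt="$3" pem
  pem=$(openssl x509 -in "$crt" -inform DER) || return 2
  # openssl verify reads the certificate from stdin when no file is given.
  printf '%s\n' "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 || {
    echo "FAIL: certificate does not chain to $ca"; return 1; }
  [ "$(pubkey_hash req "$csr")" = "$(pubkey_hash x509 "$crt" DER)" ] || {
    echo "FAIL: certificate public key differs from the CSR"; return 1; }
  echo "OK: chain and key match"
}

# Demo run on constructed files.
d=$(mktemp -d) && make_demo_pki "$d" &&
  check_reply "$d/cacert.pem" "$d/tomcat.csr" "$d/tomcat.crt"
rm -rf "$d"
```

With real files, pass the CA certificate in PEM form, the `tomcat.csr` written by `keytool -certreq`, and the DER `tomcat.crt` from step 4 to `check_reply`.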