Secure Communications
How to for RTMPS
1. Create your key
keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: ssl.red5.org
What is the name of your organizational unit?
[Unknown]: Dev
What is the name of your organization?
[Unknown]: Red5
What is the name of your City or Locality?
[Unknown]: Henderson
What is the name of your State or Province?
[Unknown]: Nevada
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US correct?
[no]: yes
Enter key password for <red5>
(RETURN if same as keystore password):
2. Create a CSR
keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore keystore
Enter keystore password:
3. Submit your CSR to your SSL certificate provider. The GoDaddy process is described below.
4. After you receive your certificate, import the root certificate into your keystore file
keytool -import -alias root -keystore keystore -trustcacerts -file valicert_class2_root.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <valicertclass2ca>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
5. Import the cross certificates
keytool -import -alias cross -keystore keystore -trustcacerts -file gd_cross_intermediate.crt
Enter keystore password:
Certificate was added to keystore
6. Import the intermediate certificates
keytool -import -alias intermed -keystore keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore
7. Import your certificate
keytool -import -alias red5 -keystore keystore -trustcacerts -file ssl.red5.org.crt
Enter keystore password:
Certificate reply was installed in keystore
8. Set up RTMPS in your red5/conf/red5-core.xml
Import PKCS12 into Keystore
Importing private keys into a Java keystore using keytool
For ages the keytool application shipped with Java could generate a private key and a certificate signing request from a Java keystore, but the most basic function, importing a preexisting private key and certificate generated externally, remained overlooked.
This is fixed in Java 6, at long last.
The solution is to convert your existing certificate and key into a PKCS12 file, and then use the keytool functionality to merge one keystore with another one. Java 6 can treat a PKCS12 file as a keystore, so putting this together, you get this:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1
The alias of 1 is required to select the certificate in the source PKCS12 file; keytool isn't clever enough to figure out which certificate you want even when the store contains only one.
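As an added example (not code from the Red5 page) covering both the chain import in steps 4-7 and the PKCS12 route just described: a POSIX shell script that bundles a PEM key and certificate into PKCS12 under a chosen alias, merges it into a JKS keystore, and then checks that the resulting entry is a private key entry carrying a complete chain. openssl and keytool on PATH, and all file names, aliases and passwords, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red5 page: the PEM -> PKCS12 -> JKS path from
# "Import PKCS12 into Keystore", plus a post-import check for the keystore
# assembled in steps 4-7. File names, aliases and passwords are placeholders.
set -eu

# Bundle an externally generated key and certificate (plus the CA chain) into
# PKCS12. -name sets the friendly name, so the entry lands under a readable
# alias instead of the default "1" the page has to select with -alias 1.
pem_to_pkcs12() { # key.pem cert.pem chain.pem out.p12 alias password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "$5" -out "$4" -passout "pass:$6"
}

# Merge the PKCS12 into a JKS keystore, as on the page, keeping the store
# password and key password identical the way the page's command does.
pkcs12_to_jks() { # in.p12 p12-password out.jks store-password alias
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$3" -deststorepass "$4" \
    -destkeypass "$4" -alias "$5"
}

# Read `keytool -list -v` output on stdin and print the chain length of the
# entry, or 0 when it is not a PrivateKeyEntry (e.g. the certificate reply
# was imported under a fresh alias and became a trustedCertEntry).
chain_length_from_listing() {
  awk '/^Entry type:/ { pk = ($3 == "PrivateKeyEntry") }
       /^Certificate chain length:/ { if (pk) len = $4 }
       END { print len + 0 }'
}

# Succeed only if the alias is a private key entry whose chain holds the leaf
# plus at least one CA certificate, i.e. steps 4-7 wired the chain together.
keystore_entry_ok() { # keystore store-password alias
  n=$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
        2>/dev/null | chain_length_from_listing)
  [ "$n" -ge 2 ]
}

# Constructed samples of `keytool -list -v` output for an offline self-check.
SAMPLE_OK='Alias name: red5
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US'
SAMPLE_BAD='Alias name: red5
Entry type: trustedCertEntry
Owner: CN=ssl.red5.org, OU=Dev, O=Red5, L=Henderson, ST=Nevada, C=US'
# Usage after step 7: keystore_entry_ok keystore changeit red5 && echo "chain ok"
```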
Debugging Java Networking
Add java options to your startup: -Djavax.net.debug=ssl,handshake,data
Options:
all: turn on all debugging
ssl: turn on ssl debugging
The following can be used with ssl:
record: enable per-record tracing
handshake: print each handshake message
keygen: print key generation data
session: print session activity
defaultctx: print default SSL initialization
sslctx: print SSLContext tracing
sessioncache: print session cache tracing
keymanager: print key manager tracing
trustmanager: print trust manager tracing
handshake debugging can be widened with:
data: hex dump of each handshake message
verbose: verbose handshake message printing
record debugging can be widened with:
plaintext: hex dump of record plaintext
Helpful Links
JSSE Guide
Tomcat SSL
Keytool to OpenSSL
Dealing with Java Keystores
