SSL is required for WebRTC. Browsers will not grant camera or microphone access to a page served over plain HTTP, and WebSocket connections used by WebRTC must be encrypted. This guide walks you through obtaining a certificate, converting it to a Java keystore, and configuring Red5 Pro to use it.

Prerequisites

  • A DNS-resolvable domain name pointing to your server’s public IP address. Let’s Encrypt will not issue a certificate for a raw IP address.
  • Port 80 open on your firewall during Let’s Encrypt validation (you can close it again afterward).
  • Port 443 open for HTTPS and secure WebSocket traffic.
  • OpenSSL and the Java keytool utility available on your server.
  • Red5 Pro installed and stopped before you begin certificate conversion steps.
The domain name must resolve correctly in DNS before you run certbot. If your DNS record has not propagated yet, certificate issuance will fail.

Step 1: Obtain a certificate

Let’s Encrypt provides free, automatically renewable certificates trusted by all major browsers. Certificates expire after 90 days and must be renewed.

Install certbot

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Issue the certificate

Stop Red5 Pro if it is running (certbot needs port 80), then run:
sudo certbot certonly --standalone \
  --email yourname@example.com \
  --agree-tos \
  -d ssl.example.com
Replace yourname@example.com with your email address and ssl.example.com with your fully qualified domain name. You can add multiple domains with additional -d flags.
If successful, certbot prints the certificate paths:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ssl.example.com/fullchain.pem.
   Your cert will expire on YYYY-MM-DD.
Let’s Encrypt certificates expire after 90 days. To renew, re-run the certbot certonly command above, then re-create the keystore and truststore files and restart Red5 Pro.
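Renewing the PEM files does not update the keystore Red5 Pro reads, so a renewal check should cover both expiry and a stale keystore. The function below is an added example, not part of this guide, certbot, or Red5 Pro; `renewal_status` is a hypothetical helper name, and it assumes keystore.jks sits next to fullchain.pem as in this guide.

```sh
# Added example: not part of Red5 Pro or certbot. File names follow this guide.

# renewal_status LIVE_DIR [DAYS]
# Prints one word and returns non-zero unless the result is "ok":
#   unreadable-cert  - fullchain.pem is missing or not a PEM certificate
#   renew            - the leaf certificate expires within DAYS (default 30)
#   rebuild-keystore - keystore.jks is missing or older than fullchain.pem
#   ok               - certificate is current and the keystore was built after it
renewal_status() {
    live_dir=$1
    days=${2:-30}
    pem="$live_dir/fullchain.pem"
    jks="$live_dir/keystore.jks"

    # The first certificate in fullchain.pem is the leaf; openssl x509 reads only that one.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "unreadable-cert"; return 2
    fi

    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "renew"; return 1
    fi

    # certbot writes a new fullchain.pem on renewal. A keystore with an older
    # modification time was built from the previous certificate.
    if [ ! -f "$jks" ] || [ -n "$(find -L "$pem" -newer "$jks" 2>/dev/null)" ]; then
        echo "rebuild-keystore"; return 1
    fi

    echo "ok"
}

# Usage: renewal_status /etc/letsencrypt/live/ssl.example.com 30
```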

Wildcard certificates

If you need a single certificate to cover multiple subdomains (for example, nodes in an autoscaling cluster), use a DNS-challenge wildcard certificate instead:
sudo certbot certonly --manual \
  --preferred-challenges=dns \
  --email yourname@example.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  -d '*.example.com'
Certbot will pause and ask you to create a TXT DNS record:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

qChEJ8PrVvhUEouNd3sypGuDYdMa63Dw8jy2cxJyKCs

Before continuing, verify the record is deployed.
Create the TXT record in your DNS provider’s control panel. Wait for it to propagate (check with a DNS lookup tool), then press Enter to complete verification.

Step 2: Create the Java keystore (Let’s Encrypt only)

If you used Let’s Encrypt, your certificate is in PEM format. You need to convert it to a Java KeyStore (JKS) before Red5 Pro’s embedded Tomcat can use it.
1. Export to PKCS12

sudo openssl pkcs12 -export \
  -in /etc/letsencrypt/live/ssl.example.com/fullchain.pem \
  -inkey /etc/letsencrypt/live/ssl.example.com/privkey.pem \
  -out /etc/letsencrypt/live/ssl.example.com/fullchain_and_key.p12 \
  -name tomcat
Enter a password when prompted and note it; the next command needs it as the -srcstorepass value.
The alias must be tomcat. Red5 Pro’s embedded Tomcat looks for this exact alias name in the keystore.
2. Import into a JKS keystore

sudo keytool -importkeystore \
  -deststorepass changeit \
  -destkeypass changeit \
  -destkeystore /etc/letsencrypt/live/ssl.example.com/keystore.jks \
  -srckeystore /etc/letsencrypt/live/ssl.example.com/fullchain_and_key.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass changeit \
  -alias tomcat

Step 3: Configure Red5 Pro

Open conf/red5.properties in your Red5 Pro installation directory and update the following properties:

Set the HTTPS port

http.port=5080
https.port=443
Using port 443 means clients do not need to specify a non-standard port when making HTTPS connections.

Point to your keystore and truststore

rtmps.keystorepass=changeit
rtmps.keystorefile=/etc/letsencrypt/live/ssl.example.com/keystore.jks
rtmps.truststorepass=changeit
rtmps.truststorefile=/etc/letsencrypt/live/ssl.example.com/truststore.jks
Replace changeit with the password you used when creating the keystore, and update the file paths to match where you stored your .jks files.
On Windows, use forward slashes in the path, for example: rtmps.keystorefile=C:/letsencrypt/live/ssl.example.com/keystore.jks

Enable SSL (Red5 Pro 14.0.0 and later)

Add or uncomment these two lines in conf/red5.properties:
secure.enabled=true
websocket.enabled=true
Versions before 14.0.0 require you to modify conf/jee-container.xml in addition to red5.properties:
  1. Comment out the <!-- Non-secured transports for HTTP and WS --> section.
  2. Uncomment the <!-- Secure transports for HTTPS and WSS --> section.
  3. Save the file and restart Red5 Pro.
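The settings in this step can be checked before restarting. This is an added example, not part of Red5 Pro or the original guide; `prop`, `finding` and `check_red5_ssl_conf` are hypothetical helper names, and the world-readable test on the keystore is an extra check the guide does not mention.

```sh
# Added example: not part of Red5 Pro. It checks only the properties shown in this guide.

# prop FILE KEY: value of the last uncommented "KEY=value" line, empty if absent.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

finding() { echo "FAIL: $1"; findings=$((findings + 1)); }

# check_red5_ssl_conf FILE: prints one FAIL line per problem, returns 1 if any.
check_red5_ssl_conf() {
    conf=$1
    findings=0

    [ "$(prop "$conf" secure.enabled)" = "true" ] || finding "secure.enabled is not true"
    [ "$(prop "$conf" websocket.enabled)" = "true" ] || finding "websocket.enabled is not true"
    [ -n "$(prop "$conf" https.port)" ] || finding "https.port is not set"

    for store in keystore truststore; do
        file=$(prop "$conf" "rtmps.${store}file")
        pass=$(prop "$conf" "rtmps.${store}pass")
        case $file in
            "")   finding "rtmps.${store}file is not set" ;;
            *\\*) finding "rtmps.${store}file contains backslashes; use forward slashes" ;;
            *)    [ -f "$file" ] || finding "rtmps.${store}file not found: $file" ;;
        esac
        case $pass in
            "")       finding "rtmps.${store}pass is not set" ;;
            changeit) finding "rtmps.${store}pass is still the placeholder changeit" ;;
        esac
    done

    # Added check (assumption, not from the guide): the keystore holds the
    # private key, so it should not be readable by every local user.
    ks=$(prop "$conf" rtmps.keystorefile)
    [ -z "$(find "$ks" -perm -004 2>/dev/null)" ] || finding "keystore is world-readable: $ks"

    [ "$findings" -eq 0 ]
}

# Usage: check_red5_ssl_conf conf/red5.properties
```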

Step 4: Restart and verify

sudo systemctl restart red5pro
Then open a browser and navigate to https://your-domain.com. You should see the Red5 Pro landing page served over HTTPS with a valid certificate indicator in the browser address bar.
After confirming SSL works, you can close port 80 on your firewall. Leave port 443 open for all HTTPS and WebSocket traffic.

RTMPS (optional)

RTMPS is not required for WebRTC but is available if you need encrypted RTMP connections. To enable it, open conf/red5-core.xml and uncomment the rtmpsMinaIoHandler and rtmpsTransport bean definitions. RTMPS runs on port 8443 by default; the keystore settings in red5.properties under the # RTMPS section apply here as well.