Apply a Self-Signed HTTPS Certificate to Wowza Streaming Engine for HLS PUSH

EQMaker Broadcast and Media » OTT
이 게시글은 한국어판이 존재합니다.
FakeRoute

HLS PUSH uses the https protocol to transfer data and validate the server using a certificate. This article shows how to create a self-signed certificate via Python and apply it to Wowza Streaming Engine to receive HLS PUSH data on PushCap HLS capture server.

HLS and https certificate

HLS(HTTP Live Streaming)uses the HTTP(HyperText Transfer Protocol) to transfer video files and playlists which describes how to play the video files.

HTTP has been used since the early Internet, but it has security problems because data can be stolen or changed during transmission. To address this issue, the HTTPS was introduced and it became the standard method of data transmission on the Internet in these days. HTTPS validates the target hosts with the certificate and encrypts the data with key to enhance transmission security.

The problem is, this kind of security measure can be very helpful in real service enviroments, but become an obstacle in development environments that has no trusted certificate. So, This requires that generate a certificate and allow streaming softwares like OBS or Wowza Streaming Engine to trust it.

This article explains how to apply a self-signed certificate to streaming software, like Wowza Streaming Engine or OBS, to push HLS streams to a private receiving server such as PushCap.

Generate a certificate using Python

Setting up the Environment for Python

  1. Install Python

    This script is written in Python. Before proceeding, ensure Python is installed on the PC that will act as the server. If needed, consult a guide on how to install Python.

  2. Install required package

    Install cryptography package to execute the script using the following command.

    py -m pip install cryptography
  3. Create script file

    Create GenCert.py file in any directory you want, and copy the following script into the file.

    from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import datetime

# Enter domain name here. This is the address will use in streaming software.
domain_name = u"b.upload.youtube.com"

# 1. Key generate
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# 2. Key save to key.pem
with open("key.pem", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    ))

# 3. Certificate information
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"KR"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Gyeonggi-do"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Hanam-si"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"DectENG"),
    x509.NameAttribute(NameOID.COMMON_NAME, domain_name),
])

# 4. Sign and generate certificate
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(domain_name)]),
    critical=False,
).sign(key, hashes.SHA256())

# 5. certificate save to file
with open("cert.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

print(f"'{domain_name}'  cert.pem / key.pem generated.")
    Replace b.upload.youtube.com to the domain name or IP address you want to use.

Generate a certificate file

  1. Execute the script

    In the console, navigate to the directory where GenCert.py is located and run the script. If the message generated. is displayed as shown below, it means that the encryption key and certificate have been successfully generated.

    Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
D:\>cd HLSWEB
D:\HLSWEB>py GenCert.py
'b.upload.youtube.com' cert.pem / key.pem generated.
  2. Copy cert.pem and key.pem to to the PushCap.py execution directory.

If you’re using streaming software without an additional validation feature, such as OBS, It’s now possible to start HTTPS HLS PUSH streaming.

Applying a Private Certificate to Wowza Streaming Engine

In the case of commercial streaming software such as Wowza Streaming Engine, there is an additional certificate verification process, which prevents the use of self-signed certificates. Therefore, for Wowza Streaming Engine, it is necessary to go through a following procedure that registers the generated certificate as a trusted certificate.

  • Stop Wowza Streaming Engine service
  • Open terminal : Open a console terminal with administrator privileges.
  • Move to Java tools directory

    Move to the Java tool chain directory that using Wowza Streaming Engine. The default locations will be [Wowza Installation Path]/jre/bin

  • Certificate registration

    Regist the Certificate file to Wowza Streaming Engine with following command.

    keytool -importcert -alias "[name]" -keystore "[keystore path]" -storepass changeit -file "[Certificate file path]"

    [name]
    The user can choose any name for the certificate to save in Wowza Streaming Engine.
    [keystore path]
    The path of JRE certificate storage that using by Wowza Streaming Engine. The default path will be [Wowza Installation Path]\jre\lib\security\cacerts
    [Certificate file path]
    The path and filename of certificate file (.pem) to regist.

    • Applying a Certificate to Wowza Streaming Engine Example

    This is an example of applying a private certificate to Wowza Streaming Engine in a Windows system. The environment is as follows.

    Operating System
    Windows Server 2022
    Wowza Version
    4.8.25+2
    Certificate File Path
    D:\HLSWEB\cert.pem
    1. Open a console window (DOS window) with administrator privileges.
    2. Stop the Wowza Engine Service

      C:\>sc stop WowzaStreamingEngine4825+2

SERVICE_NAME: WowzaStreamingEngine4825+2
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0

    3. Certificate file registration

      C:>Program Files\Wowza Media Systems\Wowza Streaming Engine 4.8.25+2\jre\bin>keytool.exe -importcert -alias "YouTubeLocal" -keystore "C:\Program Files\Wowza Media Systems\Wowza Streaming Engine 4.8.25+2\jre\lib\security\cacerts" -storepass changeit -file "D:\HLSWEB\cert.pem"
Warning: use -cacerts option to access cacerts keystore
Owner: CN=b.upload.youtube.com, O=DectENG, L=Hanam-si, ST=Gyeonggi-do, C=KR
Issuer: CN=b.upload.youtube.com, O=DectENG, L=Hanam-si, ST=Gyeonggi-do, C=KR
Serial number: 389c81b7d9e5452c8cbace6436a99aff004376
Valid from: Mon Aug 25 23:34:59 KST 2025 until: Tue Aug 25 23:34:59 KST 2026
Certificate fingerprints:
         SHA1: AA:BB:CC:DD:EE:FF:AA:BB:CC:DD:EE:FF:65:33:A0:A8:44:55:C0:54
         SHA256: AA:BB:CC:DD:EE:FF:AA:BB:CC:DD:EE:FF:GG:AA:BB:CC:DD:EE:25:9E:AD:00:54:DE:D0:AE:52:97:1C:A1:85:59
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: b.upload.youtube.com
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
    4. Verify Certificate Registration 

      C:\Program Files\Wowza Media Systems\Wowza Streaming Engine 4.8.25+2\jre\bin>keytool -list -cacerts
Enter keystore password:Enter

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 93 entries

... (omitted) ...
youtubelocal, 2025 Aug 26, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:AA:BB:CC:DD:EE:FF:GG:AA:BB:CC:DD:EE:25:9E:AD:00:54:DE:D0:AE:52:97:1C:A1:85:59
... (omitted) ...

      If a certificate with the registered name (in this example, youtubelocal) exists as shown above, it means the registration was successful.

    5. Restart the Wowza Engine Service

      C:\>sc start WowzaStreamingEngine4825+2
SERVICE_NAME: WowzaStreamingEngine4825+2
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4356
        FLAGS              :

    Concolution

    HLS PUSH receivers like PushCap requires a certificate and key for HTTPS communication. Self-generated private certificate can be used like OBS that do not perform separate validation.

    But some kind of software likes Wowza Streaming Engine, which have internal validation procedures are not accept this kind of certificate until registered as a trusted certificates.

    The writer hopes this article provides a little help to readers who need to solve server problems by validate actual streaming data.