Skip to content

tls

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

tls

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README
README
 
 
ca.pem
ca.pem
 
 
crl.pem
crl.pem
 
 
dispatcher.crt
dispatcher.crt
 
 
dispatcher.key
dispatcher.key
 
 
relay.crt
relay.crt
 
 
relay.key
relay.key
 
 

README

Certificates used by the mediaproxy components:

ca.pem         - Certificate authority
crl.pem        - Certificate revocation list
dispatcher.crt - Media dispatcher certificate
dispatcher.key - Media dispatcher private key
relay.crt      - Media relay certificate
relay.key      - Media relay private key


IMPORTANT NOTE:

The certificates that come with mediaproxy are provided as samples, which are
only meant to be used for testing/evaluation purposes or to serve as examples
for what the certificates need to contain.

Do _NOT_ use them in a production environment, as anyone who has downloaded
mediaproxy will be able to connect to your servers using them.

The included certificates can either be found in the source tree in the tls
subdirectory or in /usr/share/doc/mediaproxy-common/tls (on a Debian/Ubuntu
system; on other Linux distributions the path might be different).

To generate your own certificates, we recommend you use tinyca available at
https://opsec.eu/src/tinyca/ or directly available as a Debian package.

Using tinyca, you should first generate a certificate authority. Next you
should go to the Preferences menu and edit the OpenSSL configuration. There
in the "Server Certificate Settings" change "Netscape Certificate Type" to
"SSL Server, SSL Client" and press OK.

Next go to the Certificates tab and then press the New button on the toolbar.
Choose "Create Key and Certificate (Server)" to generate the certificate and
private key for the MediaProxy dispatcher. Repeat the same to generate the
certificate and private key for the MediaProxy relay.

Next export your dispatcher certificate in PEM format to dispatcher.crt (do
not include the private key in it), and the dispatcher private key in PEM
format to dispatcher.key (also do not include the certificate with it and
select to save it without a passphrase). Repeat the same for the relay,
but this time name the file relay.crt and relay.key.
You also need to export the certificate authority in PEM format to ca.pem as
well as the CRL list into crl.pem.

Then you can use all the exported certificates and private keys by placing
them in /etc/mediaproxy/tls/ (or /path-to-mediaproxy/tls for a stand alone
installation). Additionally you can configure passport entries for the
dispatcher and the relay in config.ini to perform extra checks on the
certificates (like for example checking the subject organization or the
common name) to take advantage of improved security.

The CA, CRL, certificates and private keys must be named like below (names
are not configurable, only the path where they reside can be configured):

ca.pem, crl.pem, dispatcher.crt, dispatcher.key, relay.crt, relay.key

The names are self explanatory.