WebRTC/RTP Server: Helpers

From AVObjects Knowledge Base

Revision as of 17:28, 28 December 2025

This page is a copy of the original page on the AVObjects web site and can also be viewed here.

Steps required to use the HTTPS protocol.

Before you can start using the HTTPS protocol to communicate with a WRTP server, you need to create, install, and bind certificates.

Creating certificates

To create 2 debug certificates for testing the HTTPS protocol, you need to do the following:

1). Installing mkcert.exe

  • open https://github.com/FiloSottile/mkcert/releases
  • download the mkcert-v1.4.4-windows-amd64.exe file to the "C:\Program Files\mkcert" folder (create this folder) and rename it to mkcert.exe.
  • add "C:\Program Files\mkcert" to PATH (system variables):
    Settings -> System -> About -> Advanced system settings -> Environment Variables -> System variables\Path: press "Edit..." -> press "New" -> enter "C:\Program Files\mkcert" -> press OK -> press OK -> press OK -> close the Settings "About" page


2). Creating CA certificate (<user name> is the name of the current user).

  • remove old CA certificate from "C:\Users\<user name>\AppData\Local\mkcert" folder
  • open Windows console (command prompt or Windows terminal) with administrator rights
  • in the console window (header "Administrator: Command") enter:

  mkcert -install
  > Created a new local CA
  In "Security Warning" Dialog : press Yes
  > The local CA is now installed in the system trust store!

  • The files "rootCA.pem" and "rootCA-key.pem" should have been created in the "C:\Users\<user name>\AppData\Local\mkcert" folder. Move them to some folder where you will store your certificates.


3). Creating work certificate cert.my for 4 names.
NOTE: The IP address 192.168.1.999 is used here as the server IP address; change it to your real IP address.

  • in the console window (header "Administrator: Command") enter

  mkcert cert.my localhost 127.0.0.1 ::1 192.168.1.999
  > Created a new certificate valid for the following names
  > - "cert.my"
  > - "localhost"
  > - "127.0.0.1"
  > - "::1"
  > - "192.168.1.999"
  > The certificate is at "./cert.my+4.pem" and the key at "./cert.my+4-key.pem"

  • The files "cert.my+4.pem" and "cert.my+4-key.pem" should have been created in the "C:\Windows\System32" folder. Move them to some folder where you will store your certificates.


4). Convert .pem files to .pfx files using the certutil tool.

  • rename your .pem files:

  rootCA.pem -> rootCA.cer
  rootCA-key.pem -> rootCA.key
  cert.my+4.pem -> cert.my+4.cer
  cert.my+4-key.pem -> cert.my+4.key

  • In the console window (header "Administrator: Command"), go to the folder containing the certificates:

  cd <folder with certificates>

  • convert rootCA.cer and rootCA.key files to rootCA.pfx

  certutil -MergePFX rootCA.cer rootCA.pfx
  > Signature test passed
  > Enter new password for output file rootCA.pfx:
  > Enter new password:
  ******<Enter>
  > Confirm new password:
  ******<Enter>
  > CertUtil: -MergePFX command completed successfully.
The file "rootCA.pfx" should have been created in the <folder with certificates>.

  • convert cert.my+4.cer and cert.my+4.key files to cert.my+4.pfx

  certutil -MergePFX cert.my+4.cer cert.my+4.pfx
  > Signature test passed
  > Enter new password for output file cert.my+4.pfx:
  > Enter new password:
  ******<Enter>
  > Confirm new password:
  ******<Enter>
  > CertUtil: -MergePFX command completed successfully.
The file "cert.my+4.pfx" should have been created in the <folder with certificates>.

Installing certificates

Both certificates are installed using the Microsoft Management Console:

1). Open MMC

  • Windows Start -> Run -> mmc -> OK -> Yes
  • Microsoft Management Console: Menu "File" -> "Add/Remove Snap-in..." -> "Add or Remove Snap-ins" dialog
  • "Add or Remove Snap-ins" dialog: select "Certificates" -> press "Add" -> "Certificates snap-in" dialog
  • "Certificates snap-in" dialog : select "Computer account" -> press "Next >" -> "Select Computer" dialog
  • "Select Computer" dialog: select "Local computer ..." (default) -> press "Finish" -> "Add or Remove Snap-ins"
  • "Add or Remove Snap-ins" dialog: press "OK" button


2). Adding CA certificate rootCA.pfx

  • "Certificates (Local Computer)" -> "Trusted Root Certification Authorities" -> "Certificates" -> right mouse button -> "All Tasks" -> "Import..." -> "Certificate Import Wizard"
  • "Certificate Import Wizard" -> press "Next" -> "File to import" dialog
  • "File to import" dialog -> put "rootCA.pfx" with path to "File Name:" or use "Browse..." to select "rootCA.pfx" file (use the drop-down list to the right of the "File name:" field to select .pfx file) -> press "Next" -> "Private key protection" dialog
  • "Private key protection" -> enter CA certificate password from step 1d). to "Password" -> press "Next"
  • "Certificate Store" -> select "Place all certificates ..." : "Trusted Root Certification Authorities" (selected by default) -> press "Next"
  • "Completing the Certificate Import Wizard" -> press "Finish"
  • If all is OK: box with "The import was successful" will be shown -> press "OK"

Now you can see the certificate "mkcert <user name>\..." in "Trusted Root Certification Authorities" -> "Certificates".

3). Adding work certificate cert.my+4.pfx

  • "Certificates (Local Computer)" -> "Personal" -> "Certificates" -> right mouse button -> "All Tasks" -> "Import..." -> "Certificate Import Wizard"
  • "Certificate Import Wizard" -> press "Next" -> "File to import" dialog
  • "File to import" dialog -> put "cert.my+4.pfx" with path to "File Name:" or use "Browse..." to select "cert.my+4.pfx" file (use the drop-down list to the right of the "File name:" field to select .pfx file) -> press "Next" -> "Private key protection" dialog
  • "Private key protection" -> enter work certificate password from step 1d). to "Password" -> press "Next"
  • "Certificate Store" -> select "Place all certificates ..." : "Personal" (selected by default) -> press "Next"
  • "Completing the Certificate Import Wizard" -> press "Finish"
  • If all is OK: box with "The import was successful" will be shown -> press "OK"

Now you can see the certificate Issued To "<user name>\..." Issued By "mkcert <user name>\..." in "Personal" -> "Certificates".

Binding certificate

To use the certificate, it must be bound to an address:port.
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netsh-http

Adds SSL certificate binding for a specified IP address and port, along with corresponding client certificate policies, to securely manage HTTPS connections for the HTTP Service:
  netsh http add sslcert ipport=127.0.0.1:50000 certhash=0123456789abcdef0123456789abcdef01234567 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

Shows a list of SSL server certificate bindings for the specified ipport:
  netsh http show sslcert ipport=127.0.0.1:50000

Deletes SSL server certificate bindings for the specified ipport:
  netsh http delete sslcert ipport=127.0.0.1:50000

Options.

certhash: The certificate hash (often represented as a thumbprint) of the SSL certificate to be bound. It can be obtained (for example) from mmc (Microsoft Management Console):

  • Windows Start -> Run -> mmc -> OK -> Yes
  • Microsoft Management Console: Menu "File" -> "Add/Remove Snap-in..." -> "Add or Remove Snap-ins" dialog
  • "Add or Remove Snap-ins" dialog: select "Certificates" -> press "Add" -> "Certificates snap-in" dialog
  • "Certificates snap-in" dialog : select "Computer account" -> press "Next >" button -> "Select Computer" dialog
  • "Select Computer" dialog: select "Local computer ..." (selected by default) -> press "Finish" button -> "Add or Remove Snap-ins" dialog
  • "Add or Remove Snap-ins" dialog: press "OK" button
  • select "Certificates (Local Computer)" -> "Personal" -> "Certificates"
  • double left mouse click on wanted certificate -> "Certificate" dialog
  • "Certificate" dialog -> tab "Details" -> select "Thumbprint" field -> copy certhash

appid: You can use any GUID as the appid (is this an atavism? It was tested with GUID_NULL - everything works fine, no issues found).

certstorename: The name of the certificate store where the SSL certificate is located, default is "MY" ("Personal")
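
The thumbprint lookup and the binding described above can also be scripted, with a few checks before the certificate is bound. This is an added example, not part of the original AVObjects page: the name cert.my and the endpoint 127.0.0.1:50000 come from the commands above, while the freshly generated appid and the pre-binding checks are assumptions of the example.

```powershell
# Added example (not AVObjects' code). Run in an elevated PowerShell session.
# Assumed values: 'cert.my' is a name in the work certificate, and
# 127.0.0.1:50000 is the endpoint to bind, as in the commands above.
$dnsName = 'cert.my'
$ipPort  = '127.0.0.1:50000'

# Locate the work certificate in "Personal" by one of its names.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $dnsName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for '$dnsName' in LocalMachine\My" }

# HTTP.sys needs the private key, and clients will reject an expired certificate.
if (-not $cert.HasPrivateKey) { throw "$($cert.Thumbprint): private key missing" }
if ($cert.NotAfter -lt (Get-Date)) { throw "$($cert.Thumbprint): expired $($cert.NotAfter)" }

# Build the chain without revocation checks (a local test CA has no revocation
# service to query) to confirm the issuing CA is trusted on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw "Chain not trusted: $($chain.ChainStatus.Status -join ', ')"
}

# Trust only requires the CA certificate. If its private key is also in the
# machine store, whoever can use that key can issue certificates this machine trusts.
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootThumb
if ($root -and $root.HasPrivateKey) {
    Write-Warning "CA $rootThumb is stored with its private key in LocalMachine\Root"
}

# Bind. The arguments are quoted so PowerShell does not parse the braces of the GUID.
$appId = [guid]::NewGuid().ToString('B')
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId" "certstorename=MY"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $ipPort" }

netsh http show sslcert "ipport=$ipPort"
```

If a binding already exists for the ipport, the add command fails; remove the old binding with the delete command shown above and run the script again.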


If you have any notes, comments or suggestions about the information on this page, please contact us at support@avobjects.com.
