Jump to content

HOWTO: Use custom SSL cert and keep private key secure


Recommended Posts

I purchased my own domain certificate and then I had a crazy time trying to figure out why my pfx file wouldn't work. After much reading around it seemed that in order to make it work I had to use a pfx file (cert+private key) with no password in place. For me this wasn't an option, as I'm crazy paranoid that by creating this it would then be possible for someone to get their hands on it and then somehow and then be able to compromise my sites (wildcard cert). So instead, I made Emby work with a secure pfx file. Here is my howto....



Active Directory enabled domain

A Windows Server (2012 or higher) or a Windows workstation (Windows 8 or higher) joined to the domain - I used my Emby server for this

SSL Certificate - I used one I had purchased


Setup Emby Service Account:

1. In Active Directory create a user account that will be used to launch the Emby service - I placed mine under Managed Service Accounts

2. On the Emby server open Control Panel and type Services

3. Locate the Emby Server service, right click on it the service and choose Properties

4. Click on the Log On tab, select "This Account" radio button and enter in the username and password you created in Step 1, click OK and then Close the Services window

5. Still inside Control Panel, click on User Accounts, then select Give other users access to this computer

6. Click Add then add the Emby user information from Step 1 and click Next

7. Select Administrator and click Next, then Finish


Preparing your secured pfx file:

1. Using a Windows 2012/2012R2 Server or Windows 8/8.1/10 workstation, with Control Panel still open type "certificate"

2. Import your certificate making sure to mark it as exportable.

3. Right click on the certificate that was just imported and choose Export

4. Mark "Yes, export the private key", click Next until you reach the Security screen

5. Check the "Group or user names", this will automatically input the user you're using. Remove that user and click Add, then add the Emby user created in Step 1 in the above section. Click Next

6. Give it a filename, I would HIGHLY recommend you do NOT name it the same as your original cert/pfx file since this will be used for this situation only. Click Next, then Finish

7. Once the two things above are done then assign the key as you would normally in Emby - Advanced/Custom certificate path



Finally, reboot the server/workstation. This isn't 100% needed, but I like to do it to verify everything works correctly. If you don't do this then make sure to go back into Services and start or restart the Emby Server service.


Another suggestion, but not needed for this to work, is to have the certificate saved in a folder by itself (C:\Windows\EmbyCert or some other generic spot). Then edit that folders security settings removing all users except for the Emby account you created. Assign that Emby account with Read access.


There you go, Emby is now using your SSL certificate, and you don't have a certificate/private key combo sitting on your machine with no protection on it.



Edited to correct some grammatical and spelling errors.

Edited by carlbme
  • Like 13
Link to comment
Share on other sites

  • 2 months later...

Well done, thanks for taking the time to share with the community as I'm sure some will find this helpful.

Edited by Olywa123
Link to comment
Share on other sites

  • 2 weeks later...

I would like to add my .02 when trying this on windows server 2012 while trying to not require an Admin Account


Windows Server 2012 Auto Startup Service with SSL Non Admin Account
1. In the Active Directory, create a user (eg EmbyEncrypt) Leave as regular User/Domain User
2. In the Windows Services, look for Emby Server. Right Click-> Porperties
a. General Tab: Startup Type Auto or Auto Delayed
b. Log On Tab: Under Log On As: select "This Account" and add the user that was created in step 1 ( EmbyEncrypt) and password.
3. Export the Certificate using Certificate Manager (Certmgr.msc)
a. Locate the Certificate. Right Click on it -> All Tasks -> Export
b. Yes, Export the Private Key
c. Personal Information Exchange-PKCS #12 (.PFX) 
c2. Include all certificates in the certification path if possible
d. Select Group or User Names and remove the current user and add the user created in step 1 (EmbyEncrypt)
e. Save the file to any directory in the server. Remember this directory.
4. Navigate to where the certificate was saved and Right Click on it -> Properties -> Security Tab -> Edit
a. Add the user created in step 1 (EmbyEncrypt) and allow it Read permissions only
5. Under the Advanced Settings of Emby, under Custom Certificate Path, add the Certificate that was exported in step 3. Save Changes
6. Under Basic Settings of Emby, make sure "Run server at startup" is not checked
  • Like 1
Link to comment
Share on other sites



I tried using this how-to to install SSL certificate into my Emby server but I have a problem at the step 5 of preparing secured pfx file:

The problem is that "Group and User Names" option is greyed out.


Just to give some context:

- as a base I use letsencrypt certificate

- I used CLI command `openssl pkcs12 -export -out "certificate.pfx" -inkey "privkey1.pem" -in "cert1.pem" -certfile fullchain1.pem` on the linux machine to create certifacate.pfx to use with this how-to

- Emby server is running on Windows 10 machine

- certificate was imported under Personal -> Certificate using wizard (ste2 of the last part)


Can someone provide any assistance? Thank you!

Link to comment
Share on other sites

  • 1 month later...

Do any of you guys kno if Truecrypt can be used with Emby. I've been told Truecrypt is once again safe to use and have ead articles on these 2 sites. Anybody have thoughts on still using Truecrypt?    https://www.grc.com/misc/truecrypt/truecrypt.htm      https://truecrypt.ch

Edited by blueeyiz7021
Link to comment
Share on other sites

Do any of you guys kno if Truecrypt can be used with Emby. I've been told Truecrypt is once again safe to use and have ead articles on these 2 sites. Anybody have thoughts on still using Truecrypt?    https://www.grc.com/misc/truecrypt/truecrypt.htm      https://truecrypt.ch


I'd suggest you to use VeraCrypt, instead. It is a very good successor of TrueCrypt and it is OpenSource.

Link to comment
Share on other sites


I'd suggest you to use VeraCrypt, instead. It is a very good successor of TrueCrypt and it is OpenSource.

thank you,appreciate it.

Link to comment
Share on other sites

  • 4 months later...
Sludge Vohaul

This is slightly offtopic, but a few years ago I had the incredibly stupid idea to set up a certificate based WLAN authentication at home (which has been working w/o any problems since then). I wanted to be my own certification authority (CA) and to be able to issue locally trusted certificates for various purposes, like e.g the Wlan authentication, signing of iOS configuration packages, and and also for signing locally trusted server certificates for https and the like. 


I had quite a lot of fights with openssl, as I had the even more stupid idea to use Intermediate CAs (which I gave up later on, due to the administrative overhead), and was searching for a simpler solution to handle the lifetime of certificates. I have found 




which since then has been working perfectly for me.


I really recommend this approach to learn how the whole thing works - create your own CA, import the CA's cert into your windows cert store, create a server certificate, handle your cert signing requests, sign them with your CA, copy the certs to your servers and see (or not) the magic...


You can ask me if you have any questions, I might even give you an answer in case I still know what and why I have done back then.. :)

Edited by Sludge Vohaul
Link to comment
Share on other sites

  • 10 months later...

Emby fully supports .pfx files with passwords. There is a field on the SSL cert config screen that allows you to enter the password. Thanks.

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...