How to Use Self-signed SSL Certificates for Plex Media Server

Plex is a fork of the open source Kodi (previously XBMC) project from 2008. The Plex Media Server has evolved into what amounts to a free, personal Netflix + Spotify that lets you stream home content to devices or browsers, with an optional subscription model for added features.  Here’s how to use your own self-signed SSL certificates to encrypt connection streams.


Getting Started
I am going to assume you already have Plex Media Server set up; if not, there are plenty of other guides for that.  We will focus on creating, installing and using your own self-signed SSL certificates to encrypt connection streams to the outside world.  This is aimed at a CentOS7/RHEL7 installation; substitute appropriately for other Linux distributions.

Install the Requirements
We’re going to be using the openssl commands and a Python script to create our certificates.

yum install openssl pyOpenSSL wget -y

Create the SSL certificates
We’re going to do everything else as the plex user inside their home directory.

su - plex -s /bin/bash
mkdir -p ~/certificates/plex && cd ~/certificates/plex
openssl genrsa -des3 -out plex.key 2048

This will prompt you for a passphrase; enter something here and remember it.

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for plex.key:
Verifying - Enter pass phrase for plex.key:

Create the CSR
Next you’ll create the certificate signing request and be prompted with some questions.  You can enter any value you want here, don’t overthink it.  The only important thing that must match is the Common Name, which should be the valid FQDN / hostname of your home machine where any external clients will connect.  There are plenty of free services that provide dynamic DNS for this if you don’t have the ability to add an A record somewhere.

openssl req -new -key plex.key -out plex.csr

Strip Out Passphrase
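Now we’re going to strip the passphrase out of the key file; it will prompt you one more time for the passphrase.

# keep the passphrase-protected key as a backup (the name plex.key.org is arbitrary)
cp plex.key plex.key.org
openssl rsa -in plex.key.org -out plex.key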

Create the Certificate

openssl x509 -req -days 5475 -in plex.csr -signkey plex.key -out plex.crt

Create the PKCS12 Certificate
Plex requires a PKCS12 certificate, and we’re going to use a Python script to generate it.  You first need the ProcessedMachineIdentifier value from your Plex installation (thanks to the Reddit post that cleared this up).

Obtain your PMI Number
Obtain the long 30-35 character alphanumeric string after ProcessedMachineIdentifier= in the following file:

cat /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Preferences.xml

Let’s assume mine is ProcessedMachineIdentifier="547bzw4423296e0ba072364f11c84kj3fae632ld5" for this example.

Bring it Home
Now you’ll snag the following Python tool. It will create your pkcs12 certificate as well as generate a long hash that you’ll need for Plex as the “private key” (this is confusing, as you’d normally think it refers to your actual private key – not so).


The syntax is plex.cert plex.key ProcessedMachineIdentifier

python plex.crt plex.key 547bzw4423296e0ba072364f11c84kj3fae632ld5

If all is well you’ll see a long hash as the return, save this as you’ll need this later.  It will also generate a certificate.p12 file.

You should see something like this (save it).


At this point you should have the following items ready – certificate.p12 and the long hash above.  Let’s move on to installing this in Plex.
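
Before moving on, it is worth confirming that the pieces fit together. The shell functions below are an added example, not part of the original post or the Python tool: they check that plex.key has no passphrase left, that plex.crt matches it and carries the expected Common Name, and that certificate.p12 opens. They assume the long hash is the passphrase protecting certificate.p12 and read it from a P12_PASS environment variable (a name chosen here).

```shell
#!/bin/sh
# Added example: pre-flight checks on the files this guide produces.
# Assumption: P12_PASS (variable name chosen here) holds the long hash from
# the script, taken to be the passphrase that protects certificate.p12.

# RSA modulus of a PEM key / certificate. The dummy -passin makes a key that
# is still encrypted fail instead of prompting.
key_modulus()  { openssl rsa -noout -modulus -in "$1" -passin pass:unused 2>/dev/null; }
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# Common Name from the subject; copes with both "/CN=host" and "CN = host".
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_plex_cert KEY CRT P12 FQDN: returns 0 only if every check passes.
check_plex_cert() {
    key=$1; crt=$2; p12=$3; fqdn=$4; rc=0
    if grep -q ENCRYPTED "$key" 2>/dev/null; then
        echo "FAIL: $key is still passphrase-protected"; rc=1
    fi
    km=$(key_modulus "$key") || km=""
    cm=$(cert_modulus "$crt") || cm=""
    if [ -z "$km" ] || [ "$km" != "$cm" ]; then
        echo "FAIL: $crt does not belong to $key"; rc=1
    fi
    cn=$(cert_cn "$crt") || cn=""
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: Common Name is '$cn', expected '$fqdn'"; rc=1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt has expired or cannot be read"; rc=1
    fi
    # Open the bundle with the passphrase from the environment (keeps it out
    # of the process list) and compare the certificate inside with the key.
    pm=$(openssl pkcs12 -in "$p12" -nokeys -passin env:P12_PASS 2>/dev/null |
         openssl x509 -noout -modulus 2>/dev/null) || pm=""
    if [ -z "$pm" ] || [ "$pm" != "$km" ]; then
        echo "FAIL: $p12 did not open with P12_PASS or holds another certificate"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: key, certificate and PKCS#12 bundle are consistent"
    fi
    return "$rc"
}
```

Source the file as the plex user in ~/certificates/plex, export P12_PASS with the long hash, and call check_plex_cert plex.key plex.crt certificate.p12 followed by your FQDN. Each FAIL line names the file to regenerate before pointing Plex at the bundle.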

Installing Certificate in Plex
Log in to Plex Media Server, go to Settings -> Server -> Network and enter the above info – the path to the certificate.p12 and the really long hash that was generated earlier.  You will also want to put the Common Name you entered during SSL certificate creation here in the custom certificate domain area.

NOTE: Be sure that the permissions are correct on the certificates; they should be owned by the plex user.  While you’re there, set secure connections to required; at this stage in Plex development all clients should work fine with it.


Lastly make sure you enter the full URL for your home server under Custom Server Access URLs.


Save your settings and restart Plex Media Server.  You can also take a look at the logs to make sure everything is humming along – mine were located in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs/Plex\ Media\ Server.log

systemctl restart plexmediaserver

NOTE: Router and DNS Rebinding
Plex does some interesting trickery with DNS rebinding to make their wildcard certificates work along with your own self-signed certificates for connection streams once authentication is finished.  If you’re using a popular Open Source router firmware like Tomato you’ll want to apply an option in DNSMASQ to allow for this.

I am running an ASUS RT-N66U on Tomato Shibby, so I use the following settings in Advanced -> DNS/DHCP DNSMASQ configuration (may need to reboot router to take effect).



You should now be able to refresh your Plex server URL and be prompted to accept a self-signed certificate.  Click view and you should see the details you entered earlier when you created it.  Happy Plexing!

About Will Foster

hobo devop/sysadmin, all-around nice guy.

4 Responses to How to Use Self-signed SSL Certificates for Plex Media Server

  1. arnaud says:

    Hey, Great Tutorial from you :)

    But also with your Tutorial I get the following entry inside of the Plex.log

    “Dec 24, 2016 23:59:06.574 [0x7000007be000] ERROR – CERT: Found a user-provided certificate, but couldn’t install it.”

    Any ideas?

    Thanks a lot


