RTSPS (Secure RTSP)
Overview
RTSPS (Secure RTSP) is RTSP transported over TLS, similar to how HTTPS secures HTTP.
RTSPS protects the RTSP control channel and may also carry interleaved RTP media inside the encrypted connection.
What RTSPS Protects
RTSPS encrypts:
- RTSP commands (SETUP, PLAY, TEARDOWN)
- Session control information
- Credentials and headers
RTSPS may also transport:
- RTP audio and video interleaved over TLS
TLS Certificate Requirement
RTSPS requires a TLS certificate.
ITVDesk uses a certificate and private key stored locally.
Best practice is to manage certificates using the built-in UI (Global or per-camera). Manual file replacement is supported but is mainly intended for advanced deployments.
Certificate Management (UI)
ITVDesk provides built-in certificate management in the UI.
Where To Find It
In the Front Application:
- Open the Security tab
- Open Certificate Management
What You Can Manage
1. Global TLS Certificate
This certificate pair is used by default for:
- RTSPS (RTSP over TLS)
- HTTPS / ONVIF over HTTPS (when enabled)
Workflow:
- Browse to select a certificate (.ca/.pem) and private key (.key)
- Validate the pair
- Save to the canonical location (ssl.ca/ssl.key)
2. Per-Camera TLS Certificate
You can apply a certificate pair to a specific virtual camera.
Options:
- Use the global certificate pair
- Use a custom certificate pair per camera
Notes:
- After applying, reconnect clients as needed (existing TLS sessions keep using the old certificate).
- Some VMS/NVR systems require a trusted certificate chain; self-signed certificates may be rejected.
Generate Certificates (Terminal)
If you want to generate your own certificates, see:
👉 Generate TLS Certificates (OpenSSL)
Default Certificate Location
When you click Save in the UI, ITVDesk copies the selected pair to the canonical filenames:
- ssl.ca
- ssl.key
These files are stored in the same folder as the ITVDesk executable (application directory). The exact path depends on where ITVDesk is installed.
By default, RTSPS uses the global certificate material (ssl.ca / ssl.key).
If a per-camera certificate is applied, that camera uses its own pair instead.
If you are unsure where the files are located, open Security → Certificate Management.
The UI shows the currently loaded certificate/key paths.
After changing the certificate or key (UI or manual):
- Reconnect the client (or restart the VMS/NVR stream)
- Verify RTSPS connectivity with the client
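One way to script the connectivity check above is to open a verified TLS connection and send an RTSP OPTIONS request. This is an added example, not ITVDesk code; the function names, the User-Agent string and the fallback to port 322 (the IANA-registered rtsps port) are assumptions, so include your configured RTSPS port in the URL.

```python
import socket
import ssl
from urllib.parse import urlsplit

def build_options(url, cseq=1):
    """RTSP/1.0 OPTIONS request (RFC 2326) for the given stream URL."""
    return (f"OPTIONS {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            "User-Agent: rtsps-check\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status_code, headers) from the head of an RTSP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    version, code, _reason = (lines[0].split(" ", 2) + ["", ""])[:3]
    if not version.startswith("RTSP/") or not code.isdigit():
        raise ValueError(f"not an RTSP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), headers

def check_rtsps(url, cafile=None, timeout=5.0):
    """Connect with certificate verification enabled and send OPTIONS.

    cafile: PEM file holding the CA (or the self-signed certificate itself)
    that the client should trust; None uses the system trust store.
    """
    parts = urlsplit(url)
    if parts.scheme != "rtsps":
        raise ValueError("expected an rtsps:// URL")
    # Default context verifies the chain and the host name / IP in the cert.
    ctx = ssl.create_default_context(cafile=cafile)
    addr = (parts.hostname, parts.port or 322)  # 322 fallback is an assumption
    with socket.create_connection(addr, timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            tls.sendall(build_options(url))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            status, headers = parse_response(raw)
            return {"tls": tls.version(), "status": status,
                    "public": headers.get("public", "")}
```

An `ssl.SSLCertVerificationError` from `check_rtsps` means the client side does not trust the certificate, which is the same condition under which a VMS/NVR that requires a trusted chain would refuse the stream.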
How RTSPS Works in ITVDesk
When RTSPS is enabled:
- New stream URLs start with rtsps://
- A dedicated secure RTSPS port is used
- RTSP and RTP are transported inside a TLS session
Example:
rtsps://<ITVDESK_IP>:<RTSPS_PORT>/ipc1-stream1/screenlive
Standard RTSP (rtsp://) remains available as a fallback option.
Default Behavior
When configured as default:
- ONVIF clients receive rtsps:// URLs
- RTSP connections attempt secure transport first
- Plain RTSP remains available unless explicitly disabled
Compatibility Warning
Most NVR and VMS systems do not support RTSPS.
If a client does not support RTSPS:
- Connection will fail
- Playback will not start
In such cases:
- Disable RTSPS as default
- Use standard RTSP or RTSP over TCP instead
When to Use RTSPS
Use RTSPS when:
- Control-plane encryption is mandatory
- Media and control must share a single secure channel
- Client compatibility is verified
- Operating in high-security environments
When NOT to Use RTSPS
Avoid RTSPS when:
- Using third-party NVR/VMS systems
- Broad compatibility is required
- Multicast streaming is needed
- Low-latency streaming is critical
RTSPS vs SRTP
| Feature | RTSPS | SRTP |
|---|---|---|
| Encrypts control | ✅ | ❌ |
| Encrypts media | ⚠️ (interleaved) | ✅ |
| Certificate required | ✅ | ❌ |
| Multicast support | ❌ | ❌ |
| Compatibility | Low | Medium |
RTSPS and SRTP solve different security problems.
Summary
RTSPS in ITVDesk:
- Secures RTSP signaling using TLS
- Uses local certificate and private key
- Has limited client compatibility
- Should not be enabled by default without testing
Use RTSPS only when required and supported by the client.