In this tutorial, you will learn how to install an SSL certificate on an Adobe Connect on-premise server. Adobe Connect does not have a built-in SSL panel, so HTTPS is handled by placing stunnel in front of the application server to terminate TLS, then telling Connect it is running behind SSL.
Generate a CSR code for Adobe Connect
If you have already generated your CSR code and received the signed SSL certificate from your Certificate Authority, skip the CSR section and jump straight to the installation.
CSR stands for Certificate Signing Request, a block of encoded text containing the contact and domain details that every SSL applicant sends to the Certificate Authority during enrollment. Adobe Connect cannot create a CSR from its interface, so you generate it with an external tool. You have two options:
- Use our CSR Generator to create the CSR and private key automatically. It is quick and convenient.
- Generate the CSR yourself with the OpenSSL utility on any machine that has it installed.
Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your certificate, continue with the steps below. Keep the matching private key safe, you will need it for stunnel.
What you need before installation
- Your certificate and private key in PEM format, in separate files. If your CA sent the certificate in another format (for example PFX or P7B), convert it to PEM first with OpenSSL.
- The private key must have no passphrase. stunnel starts as a Windows service and cannot prompt for one, so a passphrase-protected key will stop the service from loading.
- The latest stunnel installer for Windows. Download it here before continuing. (Skip stunnel only if you plan to terminate SSL on an external device such as a load balancer.)
- Administrator access to the Adobe Connect server so you can install a service and edit the configuration files.
Version note: these steps apply to current on-premise Adobe Connect (the 12.x line, with 12.11 released in December 2025) as well as older 9.x, 10.x, and 11.x installs. The configuration files and the stunnel approach are the same across versions; only the install folder differs (for example C:\Connect\12.x\ instead of C:\Connect\9.x\). Substitute your actual version folder throughout. Adobe Connect on-premise is a specialized product, so always cross-check the paths against the version you are running.
Install the SSL certificate on Adobe Connect
Step 1: Install stunnel and place your certificate files
Run the stunnel installer. When it asks for the install path, choose a folder inside your Connect home directory, for example C:\Connect\stunnel\. This path is not mandatory, but keeping everything in one place is convenient.
Inside the stunnel folder, check for a certs subfolder (for example C:\Connect\stunnel\certs\). If it does not exist, create it, then copy your certificate (.pem) and private key (.key) into it.
Step 2: Configure stunnel.conf
Open C:\Connect\stunnel\config\stunnel.conf (older builds use a conf folder) and replace its contents with the configuration below. This sample restricts the server to TLS 1.2 and TLS 1.3 and a modern cipher list, which the original Adobe sample did not do.
; Restrict to modern TLS only (TLS 1.0/1.1 and SSLv2/SSLv3 are disabled)
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
options = CIPHER_SERVER_PREFERENCE
renegotiation = no
fips = no
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose = 0
; Application server SSL / HTTPS
[https-vip]
accept = 10.1.1.1:443
connect = 127.0.0.1:8443
cert = C:\Connect\stunnel\certs\public_certificate_app-server.pem
key = C:\Connect\stunnel\certs\private_key_app-server.key
; TLS 1.2 cipher list (TLS 1.3 ciphersuites are negotiated automatically)
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Adjust three things to match your server:
- accept: replace 10.1.1.1 with the public IP address of your Connect server. This is the address stunnel listens on for HTTPS.
- cert: the full path to your public certificate (PEM).
- key: the full path to your private key.
The connect = 127.0.0.1:8443 line forwards decrypted traffic to the Connect application server on the local machine. Leave it as is unless your app server uses a different port.
Step 3: Test stunnel manually
Before installing stunnel as a service, confirm it starts with your certificate and IP. Double-click stunnel.exe in the bin folder, then click the new stunnel icon in the notification area (near the clock, bottom right) to open the log window. A successful start ends with a line like this:
LOG5[main]: Configuration successful
If you see an error instead, recheck the certificate and key paths and confirm the key has no passphrase. Once the log is clean, right-click the icon and exit stunnel.
Step 4: Install stunnel as a Windows service
So stunnel starts automatically with the server, install it as a service. Press Windows+R, type cmd, and click OK to open a command prompt. Change to the stunnel bin directory and run:
cd C:\Connect\stunnel\bin
stunnel.exe -install
Then open the Services console (Control Panel, then Administrative Tools, or run services.msc) and confirm the stunnel service is present and set to an Automatic startup type.
Step 5: Tell Adobe Connect it is behind SSL (custom.ini)
Open custom.ini in your Connect install folder (for example C:\Connect\12.x\) and add the following lines:
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
HTTPS_PORT=8443
SSL_ONLY=yes forces all Connect traffic over HTTPS, and HTTPS_PORT must match the port stunnel forwards to in Step 2.
Step 6: Enable the HTTPS connector in server.xml
Open C:\Connect\12.x\appserv\conf\server.xml and find the commented-out HTTPS executor and connector blocks. Uncomment them so they are active. They should look like the example below. Note that SSLEnabled stays false here on purpose: stunnel does the TLS work, and Connect simply listens for the already-decrypted traffic on port 8443.
<Executor name="httpsThreadPool"
namePrefix="https-8443-"
maxThreads="350"
minSpareThreads="25"/>
<Connector executor="httpsThreadPool"
port="8443"
protocol="HTTP/1.1"
enableLookups="false"
acceptCount="250"
connectionTimeout="20000"
SSLEnabled="false"
scheme="https"
secure="true"
proxyPort="443"
URIEncoding="utf-8"/>
proxyPort=”443″ tells Connect that clients reach it on the standard HTTPS port (stunnel’s accept port), even though the connector itself listens on 8443.
Step 7: Restart the services and verify
Restart all three services so the new configuration takes effect: Adobe Connect Service, Adobe Media Server (or Adobe Connect Telephony/Transmuxing service, depending on your version), and stunnel.
Then open your Connect URL in a browser over https:// and confirm the padlock appears with no warning. To check the certificate chain, expiry, and protocol from outside, run our SSL Checker against your domain. That’s it: SSL is now active on your Adobe Connect server.
Frequently Asked Questions
No. Adobe Connect on-premise has no SSL panel in its interface. HTTPS is added by terminating TLS in front of the application server, either with stunnel (the software method shown above) or on a dedicated load balancer or SSL accelerator. Adobe Connect’s hosted (cloud) service is already served over HTTPS by Adobe, so this tutorial applies only to on-premise installations.
stunnel uses PEM format, with the certificate and private key in separate files, and the key must have no passphrase. If your CA sent a PFX, P7B, or DER file, convert it to PEM first. Many administrators also append the intermediate (CA bundle) certificates to the certificate file so the full chain is served.
stunnel listens for HTTPS on port 443, decrypts the traffic, and forwards it as plain HTTP to the Adobe Connect application server on 127.0.0.1:8443. The connector in server.xml listens on 8443 with SSLEnabled=”false” because the encryption has already been handled by stunnel. The HTTPS_PORT value in custom.ini must match this port.
Yes. For production and clustered deployments, Adobe recommends terminating SSL on a hardware load balancer or SSL accelerator and pointing it at port 8443 on each Connect server. In that case you skip the stunnel steps and still set ADMIN_PROTOCOL, SSL_ONLY, and the HTTPS connector so Connect knows it is behind SSL. stunnel is the simplest option for single-server, lab, or smaller deployments.
Confirm the stunnel service is running and its log shows Configuration successful, that the private key has no passphrase, and that the accept IP in stunnel.conf is the server’s real public IP. Then verify the HTTPS_PORT in custom.ini matches the connector port in server.xml (8443) and that you restarted all services. A mismatched port or a passphrase-protected key are the two most common causes.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


