Get SSL/TLS certificates from the Wowza Streaming Engine StreamLock service

Wowza StreamLock™ service is a security option for network encryption that provides near-instant provisioning of free 2048-bit Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates for use with Wowza Streaming Engine™ media server software. StreamLock SSL/TLS certificates provide the best security when used with RTMP and they can also be used for secure HTTP streaming (HTTPS).

Note: Wowza StreamLock certificates are available for Wowza Streaming Engine licenses with active maintenance and support, including trial licenses. As an alternative, you can also use your own SSL/TLS certificate.

Before you begin


To create StreamLock certificates, you need to have a Wowza account with any Wowza Streaming Engine license with active maintenance and support.

If your account has multiple licenses with active maintenance and support associated with it, before you request a StreamLock certificate, you should determine which license key you want the certificate to be associated with. The number of StreamLock certificates you can create with different licenses varies.

You also need to identify the public IP address of the Wowza Streaming Engine instance where the certificate will be installed. The IP address is listed as Host - Server on the Home page in Wowza Streaming Engine Manager under Application Connection Settings.

Request and download a StreamLock certificate


  1. Log in to your Wowza account from the Account Management page and go to the StreamLock tab. This page has a form to apply for a StreamLock certificate and lists any existing certificates.
     
  2. Select the Wowza license key you want associated with the certificate. Only licenses with active maintenance and support can be used.
     
  3. Enter the public IP address of the Wowza Streaming Engine instance where the certificate will be installed. The IP address is listed as Host - Server on the Home page in Wowza Streaming Engine Manager under Application Connection Settings.
     
  4. Click Apply for SSL Certificate. In the My SSL Certificates table, you will see your certificate listed. It may take up to an hour for your certificate to become available for download.
  5. Click Download certificate under Certificate Information for each certificate that you want to download.  
  6. Enter a password for the certificate. Every time you download your certificate, you will be prompted to create a password to encrypt the certificate. The password you create here will need to be entered when configuring Wowza Streaming Engine to use the StreamLock certificate.

All StreamLock certificates associated with your account are listed in the My SSL certificates table. The certificate table provides detailed information about each certificate including the StreamLock hostname, when it was issued, and who it's registered to. If your license key has been allocated the maximum number of StreamLock certificates (2 for Subscription or 1 for Perpetual, Developer Trial, and Trial licenses), contact Customer Service.

Notes:
  • Be sure to note the StreamLock hostname value for the certificate in the My SSL certificates table under Hostname. You'll use it in place of [ssl-certificate-domain-name] when you configure client applications to connect to Wowza Streaming Engine over an SSL/TLS connection.
     
  • If an error occurs when you're requesting the certificate, follow the instructions on the StreamLock tab. If you still have problems acquiring a certificate, contact Customer Service.

Configure Wowza Streaming Engine to use your StreamLock certificate


Install your StreamLock certificate

Copy the downloaded certificate (.jks) file to the [install-dir]/conf folder for your Wowza Streaming Engine instance.

Configure a host port to use the StreamLock certificate for Wowza Streaming Engine

Note: If you upgrade your Wowza Media Server to Wowza Streaming Engine, you can migrate your existing StreamLock certificates to the software and configure them with these instructions.

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup in the contents panel.



     
  2. In the Virtual Host Setup page, click Edit.
     
  3. Scroll down to the Host Ports settings area and click Add Host Port.

     
  4. In the Add a new host port dialog box, enter the following data, and then click Add:
     
    • Name – Enter StreamLock (or any other custom name).
       
    • Type – Select Streaming.
       
    • IP Address – Enter an asterisk (*) to serve as a wildcard character. A wildcard (*) allows listening for traffic on all network interfaces. You can specify the IP address of a specific network interface, which will limit traffic to the specified interface.
       
    • Port(s) – Enter 443.
       
    • Select Enable SSL/StreamLock.
    • Keystore Path – Specify the location of your StreamLock certificate (.jks file). If your StreamLock certificate is in the [install-dir]/conf directory, as described above, enter the following:

      ${com.wowza.wms.context.VHostConfigHome}/conf/[ssl-certificate-domain-name].jks

      where [ssl-certificate-domain-name] is replaced with the hostname, or domain name, of the StreamLock certificate, as in the following example:

      ${com.wowza.wms.context.VHostConfigHome}/conf/5ab4321c0d123.streamlock.net.jks

    • Keystore password – Enter the StreamLock certificate password. This is the password you created when you downloaded your certificate from the StreamLock tab on the Account Management page.
    • Use WebRTC – (Wowza Streaming Engine 4.8.5 and later) Select this setting to enable the host port to support WebRTC signaling. After enabling the host port for WebRTC, use the Applications tab and WebRTC page to configure your application to ingest and play WebRTC streams.

  5. Click Save.


     
  6. Restart the virtual host (VHost) when prompted to apply the changes.
     

(Optional) Test your SSL/TLS connection


We recommend testing your complete workflow with playback of a stream with a secure playback URL and the player of your choice using the instructions for testing playback in an article that applies to your specific workflow. In the playback URL, your StreamLock certificate hostname is used as the address or domain name. For example, to play the installed sample.mp4 file with the default vod application, the HLS playback URL would be as follows:

https://[ssl-certificate-domain-name]:443/vod/mp4:sample.mp4/playlist.m3u8

where [ssl-certificate-domain-name] is the hostname, or domain name, of the StreamLock certificate, as in the following example:

https://5ab4321c0d123.streamlock.net:443/vod/mp4:sample.mp4/playlist.m3u8

Alternatively, you can run one of the following OpenSSL commands to quickly confirm that you correctly configured your StreamLock certificate and SSL/TLS connection with Wowza Streaming Engine, where [ssl-certificate-domain-name] is the certificate hostname:

To test the SSL/TLS connection to the server:

openssl s_client -connect [ssl-certificate-domain-name]:443

To test the SSL/TLS connection and display the certificates:

openssl s_client -showcerts -connect [ssl-certificate-domain-name]:443

You should get a response that begins with CONNECTED and references the certificate. If you do, you have correctly configured your StreamLock certificate and SSL/TLS connection with Wowza Streaming Engine for secure playback over HTTPS or RTMPS.
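
s_client prints CONNECTED as soon as the TCP connection opens and, by default, continues past certificate verification errors, so the following added example (not part of the Wowza documentation) also reads the "Verify return code" line of the output. The function names and the abbreviated sample transcripts are constructed for illustration; -servername and -verify_hostname are standard s_client options.

```sh
#!/bin/sh
# Added example, not from the Wowza documentation. Function names are hypothetical.

# Read `openssl s_client` output on stdin and print a one-line verdict.
# Exit status: 0 = chain and hostname verified, 1 = verification failed,
# 2 = no TCP connection or no completed handshake.
classify_s_client() {
    awk '
        /^CONNECTED\(/        { connected = 1 }
        /Verify return code:/ { sub(/^.*Verify return code: */, ""); verify = $0 }
        END {
            if (!connected)           { print "NO_CONNECTION"; exit 2 }
            if (verify == "")         { print "NO_HANDSHAKE";  exit 2 }
            if (verify ~ /^0 \(ok\)/) { print "OK";            exit 0 }
            print "VERIFY_FAILED " verify
            exit 1
        }'
}

# Live check: send SNI and require the certificate to match the StreamLock hostname.
check_streamlock_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" </dev/null 2>/dev/null | classify_s_client
}

# Constructed transcripts (abbreviated, not captured from a real server).
sample_ok() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'SSL handshake has read 4521 bytes' \
        '    Verify return code: 0 (ok)' '---'
}
sample_expired() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        '    Verify return code: 10 (certificate has expired)' '---'
}
sample_refused() {
    printf '%s\n' 'connect: Connection refused' 'connect:errno=111'
}

# Offline demonstration on the constructed transcripts.
for sample in sample_ok sample_expired sample_refused; do
    printf '%-16s %s\n' "$sample" "$($sample | classify_s_client)"
done
```

Against a running server, call check_streamlock_host with the StreamLock hostname from the My SSL certificates table; a VERIFY_FAILED result means the connection opened but the certificate was not accepted for that hostname.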
