Get SSL/TLS certificates from the Wowza Streaming Engine StreamLock service

Learn how to obtain a StreamLock™ certificate and use it for SSL/TLS network encryption in a variety of Wowza Streaming Engine™ workflows. The Wowza StreamLock service provides near-instant provisioning of free 2048-bit Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates. Wowza StreamLock certificates are available for Wowza Streaming Engine licenses with active maintenance and support, including trial licenses.

Use cases

  • Streaming over HTTPS, RTMPS, RTSPS, and WOWZS.
  • Workflows that require SSL/TLS, including streaming with Low-Latency HLS or WebRTC and streaming to Facebook Live.
  • Sending HTTPS requests to the Wowza Streaming Engine REST API.

For more information about using SSL/TLS with Wowza Streaming Engine, see Understanding SSL/TLS.

Before you start


You should have access to the following items:

  • A Wowza Streaming Engine license with active maintenance and support. The number of StreamLock certificates you can create with different licenses varies.
  • The public IP address of the Wowza Streaming Engine instance where the certificate will be installed. The IP address is listed as Host - Server on the Home page in Wowza Streaming Engine Manager under Application Connection Settings.

1. Request and download a StreamLock certificate


  1. Log in to your Wowza.com account from the Account Management page and then click the StreamLock tab. 

  2. Select the Wowza Streaming Engine license key to associate with the certificate. 

    You can only select licenses with active maintenance and support. If your license key has been allocated the maximum number of StreamLock certificates (2 for Subscription or 1 for Perpetual and Trial licenses), contact Customer Service.

  3. Enter the public IP address of the Wowza Streaming Engine instance where the certificate will be installed.

    The IP address is listed as Host - Server on the Home page in Wowza Streaming Engine Manager under Application Connection Settings.

  4. Click Apply for SSL Certificate.

    Your new certificate appears under My SSL certificates. It may take up to an hour for your certificate to become available for download.

  5. Click Download certificate under Certificate Information.  
  6. Enter a password for the certificate.
    Note: Requirements for a valid password include:
    • 6 to 30 characters
    • Begins with an alphabetic character (a letter)
    • Only alphanumeric characters and special characters like underscore (_), dollar ($), pound (#)
    • At least one number

    The password you create here must be entered when configuring Wowza Streaming Engine to use the certificate. Every time you download your certificate, the StreamLock service prompts you to create a new password to encrypt the certificate. 

After downloading your certificate (.jks file), you need to configure your Wowza Streaming Engine instances to use it.

2. Configure Wowza Streaming Engine to use your StreamLock certificate


  1. Move the downloaded certificate file (.jks) to the [install-dir]/conf folder for your Wowza Streaming Engine instance.
  2. Open Wowza Streaming Engine Manager and click the Server tab.
     
  3. Click Virtual Host Setup in the contents panel.
  4. Click Edit.
     
  5. Click Add Host Port under Host Ports.

    The host port configuration form opens.

  6. Configure the host port by providing the following information and then click Add:
     
    • Name – Enter a unique name for your certificate.
       
    • Type – Select Streaming.
       
    • IP Address – Enter an asterisk (*) to allow listening for traffic on all network interfaces or specify the IP address of a specific network interface.
       
    • Port(s) – Enter 443.
       
    • Enable SSL/StreamLock – Select to enable Wowza Streaming Engine to use the certificate.
    • Keystore Path – Specify the location of your certificate (.jks file) in the following format:
      ${com.wowza.wms.context.VHostConfigHome}/conf/[ssl-certificate-domain-name].jks
      

      where [ssl-certificate-domain-name] is the file name of the certificate, as in the following example:

      ${com.wowza.wms.context.VHostConfigHome}/conf/5ab4321c0d123.streamlock.net.jks

    • Keystore Password – Enter the password you created when you downloaded your certificate.
    • Use WebRTC – Select to enable the host port to support WebRTC signaling if you configured your application to publish or play WebRTC streams. This is required for WebRTC streaming.
  7. Click Save.
     
  8. Restart the virtual host to apply your changes.
     

Now you can test your setup to ensure you can connect to Wowza Streaming Engine with SSL/TLS.

Note: In some instances when creating a StreamLock host port, port 443 is already claimed by the Default Streaming host port, so both host ports list it. In that case, remove port 443 from the Default Streaming host port on the Virtual Host Setup page: click Edit for that host port and delete 443 from the list of ports.

3. Test the SSL/TLS connection


Run an OpenSSL command to quickly confirm that you configured your SSL/TLS connection with Wowza Streaming Engine correctly.

  1. Open a Terminal window and execute one of the following OpenSSL commands, where [ssl-certificate-domain-name] is the domain name of the certificate.
    • Test the SSL/TLS connection to the server:
      openssl s_client -connect [ssl-certificate-domain-name]:443
    • Test the SSL/TLS connection to the server and display the certificate contents:
      openssl s_client -showcerts -connect [ssl-certificate-domain-name]:443
  2. Verify that you get a response that begins with CONNECTED and references the certificate.
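
The check in step 2, as an added example script (not part of Wowza's documentation): it reads openssl s_client output and confirms that it begins with CONNECTED, that the certificate chain verified, and that the leaf certificate's CN covers the expected domain. The function names, the wildcard handling, and the sample output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Wowza code. Usage against a live host port:
#   openssl s_client -connect "$host":443 </dev/null 2>/dev/null | check_s_client "$host"

# name_matches <cert-name> <host>: exact match or single-label wildcard (*.example.net).
name_matches() {
  case "$1" in
    "$2") return 0 ;;
    \*.*) [ "${2#*.}" = "${1#\*.}" ] && return 0 ;;
  esac
  return 1
}

# check_s_client <host>: reads s_client output on stdin.
# Returns 0 ok, 1 no connection, 2 chain not verified, 3 name mismatch.
check_s_client() {
  local host="$1" out cn
  out="$(cat)"
  case "$out" in
    CONNECTED*) ;;
    *) echo "FAIL: output does not begin with CONNECTED"; return 1 ;;
  esac
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
    || { echo "FAIL: certificate chain did not verify"; return 2; }
  # Leaf subject is the "0 s:" line; handles "CN = x" and the older "/CN=x" layout.
  cn="$(printf '%s\n' "$out" | sed -n 's/^ *0 s:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)"
  name_matches "$cn" "$host" \
    || { echo "FAIL: certificate CN '$cn' does not cover $host"; return 3; }
  echo "OK: $host presents a verified certificate for $cn"
}

# Constructed sample output (issuer is a placeholder), using the page's example domain.
SAMPLE="$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = 5ab4321c0d123.streamlock.net
   i:C = XX, O = Example CA, CN = Example Issuing CA
---
SSL handshake has read 3000 bytes and written 400 bytes
Verify return code: 0 (ok)
EOF
)"

printf '%s\n' "$SAMPLE" | check_s_client 5ab4321c0d123.streamlock.net
```

A non-zero verify return code or a name mismatch usually means the host port is serving a different keystore than the one you downloaded, or that another host port is still answering on 443.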

We recommend also testing your complete workflow with playback of a stream with a secure playback URL and the player of your choice. In the playback URL, your SSL/TLS certificate domain is used as the address.
