How to import an existing SSL certificate and private key

This article describes how to import an existing secure sockets layer (SSL) certificate and its private key into Wowza Streaming Engine™ media server software. The process uses the command line tool keytool that comes with the Java JRE that installs with Wowza Streaming Engine, together with the OpenSSL toolkit.

Contents

Requirements for using an existing SSL certificate
Convert the certificate and private key to PKCS 12 (.p12)
Import the certificate to the keystore
Configure a <HostPort> to use the certificate
Test the certificate and the Wowza Streaming Engine configuration
Troubleshoot the certificate and configuration

Requirements for using an existing SSL certificate


To use an existing SSL certificate, you need a working keytool command line tool, a signed SSL certificate together with its private key, and, if your certificate authority issued one, the CA bundle of intermediate certificates.

Configure the Java JRE

The command line tool keytool is included in the Java JRE that installs with Wowza Streaming Engine media server software. Be sure that the bin folder of your Java JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you can open a command prompt and execute the keytool command with no arguments; it prints its command reference. After the keytool command is up and running, proceed to the following steps.

Get an SSL certificate

This process requires you to have an existing SSL certificate that you want to configure your Wowza Streaming Engine installation to use. If you do not have an SSL certificate already, see one of the following for instructions on generating and using a new SSL certificate:
 

Convert the certificate and private key to PKCS 12 (.p12)


The command line tool keytool doesn't support importing private key material directly into a keystore (.jks). Instead, you must convert the certificate and private key into a PKCS 12 (.p12) file, which keytool can then import into your keystore. To convert the certificate and private key to the PKCS 12 format, do the following:
 
Note: These instructions require the OpenSSL toolkit.
  1. Open a command line prompt and change directory to [install-dir]/conf.
     
  2. Execute the following command to convert the existing signed certificate and key files to a .p12 file:
    openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]
    OpenSSL prompts for an export password that protects the .p12 file; keytool needs this password to read the file in the next section. The [host] value given with -name becomes the alias of the key entry in the keystore.

Import the certificate to the keystore


To import the PKCS 12 certificate and private key into the keystore, do the following:
 
  1. Import the .p12 file to a keystore (.jks) by executing the following command:
    keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12
    Where [password] is the password for the new keystore; it is the value you enter later as KeyStorePassword in VHost.xml. keytool prompts for the export password of the .p12 file (or accepts it with -srcstorepass). The private key keeps the password it had in the .p12 file, and the VHost.xml configuration has only one KeyStorePassword setting for both the keystore and the key, so use the same password for the .p12 export and for [password].
     
  2. Execute the following command to import the CA bundle (the intermediate certificates supplied by your certificate authority) into the keystore:
    keytool -import -alias bundle -trustcacerts -file [ca_bundle] -keystore [filename-new-keystore.jks]
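The convert and import steps above, written as shell functions so that the result can be checked, as an added example that is not a script from the Wowza article. It assumes openssl and keytool are on PATH; the file names, the alias ssl.mycompany.com and the password changeit are placeholders, and the make_test_material function builds a throwaway CA and leaf certificate as constructed sample input in place of a real certificate. It goes one step beyond the article's openssl command by passing the CA chain with -certfile, so that the key entry in the .jks carries the intermediates the server must send to clients.

```bash
#!/bin/sh
# Added example, not a script from the Wowza article: the convert and import
# steps above as shell functions, followed by checks of the result.
# Assumptions: openssl and keytool are on PATH; file names, the alias
# ssl.mycompany.com and the password are placeholders for this example.
set -eu

# make_p12 CERT KEY CHAIN ALIAS OUT PASSWORD
# Bundle the signed certificate, its private key and the CA chain into one
# .p12. -certfile puts the intermediates into the same entry as the key, so
# the key entry in the .jks carries the full chain that the server sends
# to clients; a bundle imported as a separate trusted entry is not sent.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$4" -out "$5" -passout "pass:$6"
}

# import_p12 P12 JKS PASSWORD
# Create a fresh .jks from the .p12 (an existing file at that path is
# replaced). In a PKCS#12 file the key password equals the file password
# and -importkeystore carries it over, so one password for .p12 and .jks
# leaves store and key password identical, which is what the single
# KeyStorePassword in VHost.xml needs.
import_p12() {
  rm -f "$2"
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
}

# import_bundle CA_BUNDLE JKS PASSWORD
# Add the CA bundle as a trusted certificate entry (the article's step 2).
import_bundle() {
  keytool -importcert -noprompt -alias bundle -trustcacerts \
    -file "$1" -keystore "$2" -storepass "$3"
}

# p12_cert_count P12 PASSWORD
# Number of certificates in the .p12: the leaf plus every chain certificate.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# jks_chain_length JKS PASSWORD ALIAS
# Chain length of the private key entry, as keytool -list -v reports it.
jks_chain_length() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    sed -n 's/^Certificate chain length: *//p'
}

# make_test_material DIR
# Constructed sample input: a throwaway CA and a leaf certificate it signs,
# standing in for the real certificate, key and ca_bundle files.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ssl.mycompany.com" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca_bundle.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Run end to end in a scratch directory: sh import-ssl.sh --demo
if [ "${1:-}" = "--demo" ]; then
  DIR=$(mktemp -d); PW=changeit; ALIAS=ssl.mycompany.com
  make_test_material "$DIR"
  make_p12 "$DIR/server.crt" "$DIR/server.key" "$DIR/ca_bundle.crt" "$ALIAS" "$DIR/server.p12" "$PW"
  echo "certificates in .p12: $(p12_cert_count "$DIR/server.p12" "$PW")"
  import_p12 "$DIR/server.p12" "$DIR/$ALIAS.jks" "$PW"
  import_bundle "$DIR/ca_bundle.crt" "$DIR/$ALIAS.jks" "$PW"
  echo "chain length in .jks: $(jks_chain_length "$DIR/$ALIAS.jks" "$PW" "$ALIAS")"
fi
```

With a real certificate, call make_p12 with your signed certificate, its key and the CA bundle, then import_p12 and import_bundle with the keystore path you will put in VHost.xml; jks_chain_length should report the leaf plus each intermediate, and a value of 1 means clients will receive no intermediates. If keytool rejects a .p12 written by OpenSSL 3 with a wrong-password error even though the password is correct, the JRE is too old for the PBES2/AES encryption OpenSSL 3 uses by default; re-run the openssl pkcs12 -export command with -legacy added.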

Configure a <HostPort> to use the certificate


Open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:
 
  1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove the comment markers before <HostPort> and after </HostPort>.
     
  2. Set the value SSLConfig/KeyStorePath to the keystore you created. This article uses ssl.mycompany.com.jks as the example file name, so the value is:
    ${com.wowza.wms.context.VHostConfigHome}/conf/ssl.mycompany.com.jks
  3. Set SSLConfig/KeyStorePassword to the keystore password you gave keytool with -deststorepass above.
     
  4. Restart Wowza Streaming Engine.

Test the certificate and the Wowza Streaming Engine configuration


To test that the SSL certificate is working properly and that Wowza Streaming Engine is configured to use it, do the following:
 
  1. Use an editor, such as vi, to edit your etc/hosts file so that the domain name that the certificate is tied to points to the localhost IP address. A browser on this computer then reaches the local server when it opens the certificate's domain name. For example, assuming the localhost IP address is 127.0.0.1, add the following lines to the etc/hosts file:
    #testing ssl
    127.0.0.1       ssl.mycompany.com
    # END ssl test
    Important: Be careful when editing the etc/hosts file. Every computer has one, and the operating system uses it to map host names to IP addresses before DNS is consulted. A mistake in it can make network locations unreachable or block web sites, so remove the test entry when you are done.
  2. Check [install-dir]/logs/wowzastreamingengine_access.log for the following statements, which indicate that the server loaded the keystore and bound successfully to port 443 (the path shown is from a macOS installation; yours reflects your [install-dir]):
    SSL ([any]:443): keyStorePath:/Library/WowzaStreamingEngine/conf/ssl.mycompany.com.jks
    Bind successful ([any]:443)
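Two checks for the test step above, as an added example that is not part of the Wowza article. bind_status reads the access log for the lines quoted above; tls_probe and tls_chain_count connect to the server's IP address and send the certificate's host name via SNI, which is what a browser does after the hosts-file change, so the hosts file need not be edited at all. It assumes openssl is on PATH; the log path, host name and the wording of a failed-bind log line are assumptions for this example, not values from the article.

```bash
#!/bin/sh
# Added example, not part of the Wowza article: check the result without
# editing the hosts file. Assumes openssl on PATH; the log path, host name
# and the "Bind failed" wording below are assumptions for this example.
set -eu

# bind_status LOGFILE PORT
# Prints "bound" when the access log records a successful bind on PORT,
# "failed" when it records a failed one, otherwise "unknown".
bind_status() {
  if grep -q "Bind successful (\[any\]:$2)" "$1"; then
    echo bound
  elif grep -q "Bind failed.*:$2)" "$1"; then   # assumed wording of a bind failure
    echo failed
  else
    echo unknown
  fi
}

# tls_probe IP PORT HOSTNAME [CA_BUNDLE]
# Handshake with IP:PORT as if for HOSTNAME and print subject, issuer and
# the verify result. -servername sends HOSTNAME via SNI (a server that picks
# its certificate by SNI serves its default one without it); -verify_hostname
# makes openssl check that the served certificate matches HOSTNAME.
tls_probe() {
  ca_opt=""
  [ -n "${4:-}" ] && ca_opt="-CAfile $4"
  openssl s_client -connect "$1:$2" -servername "$3" -verify_hostname "$3" \
    $ca_opt </dev/null 2>/dev/null |
    grep -E '^(subject|issuer|Verify return code)'
}

# tls_chain_count IP PORT HOSTNAME
# Number of certificates the server actually sends. A value of 1 for a
# CA-issued certificate means the intermediates never reached the keystore's
# key entry, and clients that lack them will fail verification.
tls_chain_count() {
  openssl s_client -connect "$1:$2" -servername "$3" -showcerts \
    </dev/null 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Example invocation against a local server (paths and name are placeholders):
#   bind_status /usr/local/WowzaStreamingEngine/logs/wowzastreamingengine_access.log 443
#   tls_probe 127.0.0.1 443 ssl.mycompany.com
#   tls_chain_count 127.0.0.1 443 ssl.mycompany.com
```

Run tls_probe from another machine as well as locally; a "Verify return code: 0 (ok)" with the expected subject, and a chain count equal to the leaf plus its intermediates, means the keystore was built and configured correctly.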

Troubleshoot the certificate and configuration


For troubleshooting information about SSL certificates and the configuration of Wowza media servers to use SSL certificates, see How to troubleshoot SSL certificate configuration.
Originally Published: 08-17-2016.
 
