This article describes how to use an existing Secure Sockets Layer (SSL) certificate with Wowza Streaming Engine™ media server software.
To use an existing SSL certificate you must configure the Wowza Streaming Engine JRE to use the keytool utility, you must have a signed SSL certificate, and you must have an SSL toolkit on the computer you're using to run Wowza Streaming Engine.
Configure the Java JRE to use keytool
The Java keytool utility installs with your Wowza Streaming Engine JRE. It's located at [install-dir]/java/bin. In order to use it, add the bin folder to your PATH environment variable. In a Command Prompt or Terminal window type:
To test that keytool is configured properly, enter keytool at a command prompt. The command should return the command reference for the tool.
Get an SSL certificateIf you don't have an SSL certificate, see any of the following articles for instructions on generating one:
- Request an SSL certificate for Wowza Streaming Engine from a certificate authority
- Get SSL certificates from the Wowza Streaming Engine StreamLock service
- Create a self-signed SSL certificate for Wowza Streaming Engine
Get an SSL/TLS tooklit
You'll also need a These instructions require the OpenSSL toolkit.
Convert the certificate and private key to PKCS 12
You can't directly import private key information to a keystore (.JKS) using keytool. Instead, you must convert the certificate and private key into a PKCS 12 (.p12) file, and then you can import the PKCS 12 file into your keystore.
- In a Command Prompt or Terminal window, change to the directory [install-dir]/conf.
- Execute the following command:
openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]
Import the certificate to the keystore
Now, import the PKCS 12 certificate and the CA bundle file the keystore.
- Import the PKCS 12 certificate by executing the following command:
keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12
Where the [password] is the password you specified when you created the private key.
- Import the CA bundle file by executing the following command:
keytool -import -alias bundle -trustcacerts -file [ca_bundle] -keystore [filename-new-keystore.jks]
Configure a host port to use the certificate
Now, configure Wowza Streaming Engine to use the certificate.
- Navigate to [install-dir]/conf/ and open VHost.xml file in a text editor.
- Uncomment the <HostPort> definition for port 443, which follows the comment <!-- 443 with SSL --> in the file.
Be sure to remove the comment before <HostPort> and after </HostPort>.
- Set the <SSLConfig>/<KeyStorePath> to:
- Set the SSLConfig/KeyStorePassword to the keystore password entered above.
- Restart Wowza Streaming Engine.
Test the certificate in Wowza Streaming Engine
Finally, test that the SSL certificate is working properly with Wowza Streaming Engine by mapping the IP address of your local Wowza Streaming Engine server to the domain of the certificate. This requires editing the hosts file on the computer running Wowza Streaming Engine.
In most versions of Windows, the hosts file is located in c:\Windows\System32\Drivers\etc and you can edit it using Notepad, as long as you run as an administrator.
On OS X, use Terminal to open the hosts file:
sudo nan /private/etc/hosts
Important: Be careful when editing the hosts file. Mistakes can lead to a variety of problems, such as inaccessible network locations, network failures, or blocked websites.
- Edit the hosts file so that the domain name for the certificate points to the localhost IP address. For example, assuming the localhost IP address is 127.0.0.1, add the following lines to the file:
#testing ssl 127.0.0.1 ssl.mycompany.com # END ssl test
- Check the [install-dir]/logs/wowzastreamingengine_access.log for the following statements, which indicate that it successfully bonded to port 443:
SSL ([any]:443): keyStorePath:/Library/WowzaStreamingEngine/conf/ssl.mycompany.com.jks Bind successful ([any]:443)
- After completing the test, remove the testing code from hosts.