Request an SSL certificate for Wowza Streaming Engine from a certificate authority

This article describes how to acquire and install a Secure Sockets Layer (SSL) certificate from a certificate authority such as verisign.com or thawte.com. This process requires the use of the command line tool keytool that comes with the Java JRE that installs with Wowza Streaming Engine™ media server software.

About SSL certificates


Certificates hold public keys. This article provides instructions for X509 certificates that are commonly received from a certificate authority. X509 defines formats for public key certificates. RSA and DSA are two of the public key algorithms that can be used in X509 certificates. X509 certificates commonly have a .cer, .crt, .der, or .pem extension.

Note: If you received an X509 certificate from the certificate authority but the following steps aren't working, you might have success with a .p12 certificate. PKCS 12 defines a container, typically a .p12 extension, which holds an X509 certificate and the corresponding private key. Optionally, the container can also hold the X509 certificates of the certificate authorities that signed the X509 client certificate(s). For more information, see Import an existing SSL certificate and private key for Wowza Streaming Engine.

Configure the Java JRE


The command line tool keytool is included in the Java JRE that installs with Wowza Streaming Engine. Be sure the bin folder of your JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you should be able to open a command prompt and execute the keytool command. This should return the command reference for the keytool command. After you have the keytool command up and running, proceed to the following steps to create a certificate request.

Create a keystore and certificate signing request


To create a keystore (.jks), a private key in the keystore, and a certificate signing request (.csr), do the following:
 
  1. Open a command prompt and change directory to [install-dir]/conf.
     
  2. Execute the following command to create a keystore (.JKS) and a private key in the keystore:
    keytool -genkey -keysize 2048 -alias wowzaprivatekey -keyalg RSA -keystore ssl.mycompany.com.jks
    Notes:
    • The examples in this article assume the domain name associated with the certificate is ssl.mycompany.com. You can replace ssl.mycompany.com with the name of your certificate.
       
    • If you're using a wildcard certificate on Linux or OS X, we recommend using a wildcard character in the name of the certificate for clarity. When you're using a wildcard character, you must use quotation marks (") or a backwards slash (\) to escape the wildcard character in the commands. For example, the above command would be:

      keytool -genkey -keysize 2048 -alias wowzaprivatekey -keyalg RSA -keystore "*.ssl.mycompany.com.jks"
       
    • On Windows, wildcard characters, such as the asterisk (*), aren't supported in certificate names.
    You'll be prompted to answer several questions. The following sample responses assume that the domain name that you want this certificate to be tied to is ssl.mycompany.com. The password entered for the certificate should also be used for the keystore and CSR file.
     
    [Enter keystore password]
     password
    [What is your first and last name]
     ssl.mycompany.com
    [What is the name of your organizational unit]
     Web Department
    [What is the name of your organization]
     My Company Name
    [What is the name of your City or Locality]
     Evergreen
    [What is the name of your State or Province]
     Colorado
    [What is the two-letter country code for this unit]
     US
    [Enter key password for <password>]
     password
  3. Create a CSR by executing the following command:
    keytool -certreq -file ssl.mycompany.com.csr -alias wowzaprivatekey -keyalg RSA -keystore ssl.mycompany.com.jks

Submit the certificate signing requet to a certificate authority


After you have the [install-dir]/conf/ssl.mycompany.com.csr file that contains the PEM-encoded certificate request, you can submit it to the certificate authority. (Review the documentation on the certificate authority website about how to do this.) In most cases, you'll use a text editor to open the ssl.mycompany.com.csr file and copy-and-paste the contents into a web form for submission to the certificate authority. In return, you'll get a certificate.

Import the certificate to the keystore


  1. Open a command prompt and change directory to [install-dir]/conf.
     
  2. Execute the following command to determine the format of the certificate:
    openssl x509 -in ssl.mycompany.com-2016-07-13-111324.cer -text
    The output specifies the Public Key Algorithm, such as rsaEncryption, and the format, such as X509v3.
     
  3. Execute one of the following commands to import the signed certificate that you received the from the certificate authority:
     
    • For a chain certificate:
      keytool -import -alias [user-friendly-name] -trustcacerts -file [filename-of-chain-certificate] -keystore ssl.mycompany.com.jks
      Where [user-friendly-name] is the user-friendly name for the certificate; we recommend using a name that describes the type of chain certificate, such as root, intermediate, or bundle. [filename-of-chain-certificate] is the file name of the chain certificate.
       
    • For a new certificate:
      keytool -import -alias wowzaprivatekey -trustcacerts -file [filename-certificate] -keystore ssl.mycompany.com.jks
      Where [filename-certificate] is the file name of the certificate in X509 format.

Configure a host port to use the certificate


Open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:
 
  1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove the comment before <HostPort> and after </HostPort>.
     
  2. Set the value SSLConfig/KeyStorePath to:
    ${com.wowza.wms.context.VHostConfigHome}/conf/ssl.mycompany.com.jks
  3. Set the SSLConfig/KeyStorePassword to the key store password entered above.
     
  4. Restart Wowza Streaming Engine.

Test the certificate and the Wowza Streaming Engine configuration


To test that the SSL certificate is working properly and the Wowza Streaming Engine is configured to use the SSL certificate, do the following:
 
  1. Use an editor such as vi to edit your etc/hosts file so that the domain name that the certificate is tied to points to the localhost IP address. For example, assuming the localhost IP address is 127.0.0.1, add the following lines to the etc/hosts file:
    #testing ssl
    127.0.0.1       ssl.mycompany.com
    # END ssl test
    Important: Be careful when editing the etc/hosts file. It is included on every computer and used by the operating system to map IP addresses to host names. Mistakes made when editing the hosts file can lead to a variety of problems, such as inaccessible network locations, network failures, or blocked websites.
  2. Then check the [install-dir]/logs/wowzastreamingengine_access.log for the following statements indicating that it successfully bonded to port 443:
    SSL ([any]:443): keyStorePath:/Library/WowzaStreamingEngine/conf/ssl.mycompany.com.jks
    Bind successful ([any]:443)

More resources