Manage StreamLock SSL/TLS certificates

Manage your Wowza StreamLock™ SSL/TLS certificates and troubleshoot their configuration in Wowza Streaming Engine™ media server software.

Managing your StreamLock certificates


Log in with your Wowza account credentials

If you already have a Wowza account, log in to the account in a web browser and go to the StreamLock tab. Enter the account information (email address and password) that you used when you created your StreamLock account.

Note: Be sure to click Yes for the option that asks if you already have an account.

Log in with your Subscription account credentials

If you already have a Wowza Streaming Engine Subscription license, you can use the same account credentials that you use to log in and manage your Subscription account on the Account Management page.

On the StreamLock tab, enter the email address and password associated with your Subscription account. If you don't know this information, contact Customer Service.

Notes:
  • Be sure to click Yes for the option that asks if you have an account.
     
  • If you have a StreamLock account and a Subscription license for Wowza Streaming Engine, you must log in using your Subscription account credentials.

Change the StreamLock certificate password

You must use the unique password that you create for an installed certificate as the SSLConfig/KeyStorePassword property value when you configure a host port to use the certificate. If you forget the password value, you can change it in the Certificate Management webpage. After you do this, you must download a new certificate associated with the new password, install the new certificate (see Install your StreamLock certificate), and then reconfigure the host port to use it (see Configure a host port to use the StreamLock certificate).

To change the certificate password, do the following:

  1. Log in to your StreamLock account using your StreamLock account credentials or your Subscription account credentials. If you have both accounts, you must log in using your Subscription account credentials.
     
  2. In the My SSL certificates table, under Certificate Information, click Change certificate password for the certificate.
     
  3. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.
     
  4. Click OK. Updates are effective immediately.

Change the server IP address

To change the IP address of the Wowza Streaming Engine instance that's associated with your StreamLock certificate, do the following:

  1. Log in to your StreamLock account.
     
  2. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.
     
  3. Enter the new IP address, and then click OK. Updates should be effective immediately, but if the previous IP address was cached by a DNS server you may have to wait for the cache to age out.

Renew an expiring StreamLock certificate

StreamLock certificates are valid for 365 days and are eligible for renewal within 28 days of expiring. To renew an existing certificate, do the following:

  1. Log in to your StreamLock account.
  2. On the StreamLock tab, scroll down to the My SSL Certificates section.
  3. Find the appropriate hostname entry, and click Renew. If no option to renew is visible, your certificate does not require renewal yet.

Note: We highly recommend that you install the new certificate on the applicable server immediately to avoid interruption of streaming from that server when the old certificate expires.

Troubleshooting StreamLock-provisioned SSL certificates


SSL connections

Use the following OpenSSL commands to test your Wowza Streaming Engine server's SSL connection, where [client-id] is the full DNS name:

To test the SSL connection to the server:

openssl s_client -connect [client-id].streamlock.net:443

To test the SSL connection and display the certificates:

openssl s_client -showcerts -connect [client-id].streamlock.net:443

Hostname substitution

When you configure player applications to establish a secure connection to Wowza Streaming Engine, and you substitute the hostname for your domain in place of the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following security alert:
 
The certificate you are viewing does not match the name of the site you are trying to view.

StreamLock SSL certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the SSL certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configuring secure RTMP (RTMPS) streaming playback.

If you must use your own domain name in [hostname], then you must create your own SSL certificate. For more information about how to do this, see Create a self-signed SSL certificate for Wowza Streaming Engine.
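The renewal window and the hostname check described above can be scripted around the same OpenSSL commands. This is an added example, not Wowza tooling: the function names check_cert_file and check_live and the status words are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not Wowza tooling); function names are hypothetical.
RENEW_WINDOW_DAYS=28   # renewal eligibility window stated on this page

# check_cert_file PEM_FILE HOSTNAME
# Prints one status word; returns 0 only for "ok":
#   mismatch - certificate does not cover HOSTNAME (the alert quoted above)
#   expired  - certificate is already past its notAfter date
#   renew    - name matches, but the certificate expires within 28 days
#   ok       - name matches and more than 28 days remain
check_cert_file() {
    cf_pem=$1; cf_host=$2
    # -checkhost reports its result as text, so match on that text.
    if ! openssl x509 -in "$cf_pem" -noout -checkhost "$cf_host" | grep -q 'does match'; then
        echo mismatch; return 1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cf_pem" -noout -checkend 0 >/dev/null; then
        echo expired; return 1
    fi
    if ! openssl x509 -in "$cf_pem" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null; then
        echo renew; return 1
    fi
    echo ok
}

# check_live HOST [PORT]: fetch the server's leaf certificate, then evaluate it.
check_live() {
    cl_host=$1; cl_port=${2:-443}
    cl_tmp=$(mktemp) || return 2
    # </dev/null closes stdin so s_client exits once the handshake completes.
    # -servername sends SNI so the listener returns the certificate for HOST.
    if ! openssl s_client -connect "$cl_host:$cl_port" -servername "$cl_host" </dev/null 2>/dev/null \
            | openssl x509 -out "$cl_tmp" 2>/dev/null; then
        rm -f "$cl_tmp"; echo unreachable; return 2
    fi
    check_cert_file "$cl_tmp" "$cl_host" && cl_rc=0 || cl_rc=$?
    rm -f "$cl_tmp"
    return $cl_rc
}

# Usage: sh check_streamlock.sh [client-id].streamlock.net
if [ "$#" -ge 1 ]; then check_live "$@"; fi
```

A result of unreachable covers both a failed DNS lookup and a blocked port; the nslookup test in the next section separates the two.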

Unable to connect to streamlock.net

If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

For a StreamLock certificate to function properly, the client must be able to access the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing an nslookup command from the command line on the client computer:

nslookup [client-id].streamlock.net

If the nslookup command doesn't return a response that includes the Wowza Streaming Engine server's IP address, this is evidence of a DNS problem.
 
Note: Depending on your firewall settings, you might also be able to test this by issuing a ping command from the client computer by entering the command ping streamlock.net on the command line. If the ping command doesn't return a response, this is evidence of a DNS problem.

Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, Wowza has no control over DNS propagation in the public domain, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.