Manage StreamLock SSL/TLS certificates

Manage your Wowza StreamLock™ SSL/TLS certificates and troubleshoot their configuration in Wowza Streaming Engine™ media server software.

Manage your StreamLock certificates


Log in with your Wowza account credentials

Log in to the Wowza account associated with your StreamLock certificates from the Account Management page and go to the StreamLock tab. Then, see the following sections for ways you can manage your StreamLock certificates.

Change the StreamLock certificate password

Every time you download your certificate, you will be prompted to create a password to encrypt the certificate. The password you create here will need to be entered when configuring a host port to use the StreamLock certificate. The password is saved in [install-dir]/conf/VHost.xml as the SSLConfig/KeyStorePassword property value.

To change the certificate password, do the following:

  1. In the My SSL certificates table, under Certificate Information, click Download certificate for the certificate.
     
  2. Enter a new unique password for the certificate in both boxes. You must enter the same password in both boxes.
     
  3. Click OK. Your new certificate will then download.

If you previously installed the certificate with a Wowza Streaming Engine instance, it will continue to work after changing the password. If you install the updated certificate with a Wowza Streaming Engine instance, you will need to enter the new password for Keystore Password. See Configuring Wowza Streaming Engine to use your StreamLock certificate.

Change the server IP address

To change the IP address of the Wowza Streaming Engine instance that's associated with your StreamLock certificate, do the following:

  1. In the My SSL certificates table, under IP Address, click Change next to the IP address that you want to change.
     
  2. Enter the new IP address, and then click OK. Updates should be effective immediately, but if the previous IP address was cached by a DNS server you may have to wait for the cache to age out.
  3. Click Download certificate under Certificate Information.

If you previously installed the certificate with a Wowza Streaming Engine instance, it will continue to work after changing the IP address.

Renew an expiring StreamLock certificate

StreamLock certificates are valid for 365 days, unless they are associated with a Trial license, in which case they are valid for 30 days. StreamLock certificates are eligible for renewal within 28 days of expiring, unless they are associated with a Developer Trial or Trial license. Check a certificate's expiration date in the My SSL Certificates table under Certificate Information. If a certificate is within 28 days of expiring, the expiration date should appear in red text, and a Renew link appears.

To renew an existing certificate, do the following:

  1. In the My SSL certificates table, locate the certificate to renew.
  2. Under Certificate Information, click Renew. It may take up to an hour for your certificate to be updated. If no option to renew is visible, your certificate does not require renewal yet.
  3. Click Download certificate under Certificate Information.
  4. Install the updated certificate and then reconfigure the host port to use it. See Configuring Wowza Streaming Engine to use your StreamLock certificate.

Important: When you renew a certificate, you need to download, install, and configure the updated certificate. We highly recommend you install the updated certificate on the applicable Wowza Streaming Engine instance immediately to avoid interruption of streaming from that server to your end users.

Note: If you need to replace a certificate, for example if it becomes corrupted, contact Support.

Troubleshoot StreamLock certificates


SSL/TLS connections

Use one of the following OpenSSL commands to quickly test your Wowza Streaming Engine server's StreamLock certificate configuration and SSL/TLS connection, where [ssl-certificate-domain-name] is the certificate hostname:

To test the SSL/TLS connection to the server:

openssl s_client -connect [ssl-certificate-domain-name]:443

To test the SSL/TLS connection and display the certificates:

openssl s_client -showcerts -connect [ssl-certificate-domain-name]:443

You should get a response that begins with CONNECTED and references the certificate. If you do, you have correctly configured your StreamLock certificate and SSL/TLS connection with Wowza Streaming Engine for secure playback over HTTPS or RTMPS.

Hostname substitution

When you configure player applications to establish a secure connection to Wowza Streaming Engine and substitute your own domain's hostname for the StreamLock hostname that's associated with the StreamLock certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following security alert:

The certificate you are viewing does not match the name of the site you are trying to view.

StreamLock certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the StreamLock certificate in the call to NetConnection.connect([url]). For more information about how to do this, see Configure Flowplayer for secure RTMP playback.

If you must use your own domain name in [ssl-certificate-domain-name], then you must create your own SSL/TLS certificate. For more information about how to do this, see Create a self-signed SSL certificate for Wowza Streaming Engine.

Unable to connect to streamlock.net

If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

For a StreamLock certificate to function properly, the client must be able to access the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing an nslookup command from the command line on the client computer:

nslookup [ssl-certificate-domain-name]

If the nslookup command doesn't return a response that includes the Wowza Streaming Engine server's IP address, this is evidence of a DNS problem.
 
Note: Depending on your firewall settings, you might also be able to test this by issuing a ping command from the client computer by entering the command ping streamlock.net on the command line. If the ping command doesn't return a response, this is evidence of a DNS problem.

Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, Wowza has no control over DNS propagation in the public domain, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.
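The troubleshooting checks above (DNS resolution, the TLS handshake, and the hostname match) and the 28-day renewal window can be combined into one scripted check for monitoring. The following Python is an added example, not Wowza code; abc123.streamlock.net is a placeholder hostname, the sample certificate dict is constructed, and the result labels are this example's own.

```python
import socket
import ssl
import time

RENEWAL_WINDOW_DAYS = 28  # renewal opens this many days before expiry (per the page)


def name_matches(pattern, hostname):
    """Compare one certificate DNS name to a hostname; '*' may only be the first label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def assess(cert, hostname, now=None):
    """Classify a certificate dict (ssl getpeercert() form) for the name clients use."""
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        return "name-mismatch"   # the "Hostname substitution" alert
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        return "expired"
    return "renew-now" if days_left <= RENEWAL_WINDOW_DAYS else "ok"


def check_live(hostname, port=443, timeout=5):
    """Resolve the name, do a verified TLS handshake, then apply assess()."""
    try:
        socket.getaddrinfo(hostname, port)
    except socket.gaierror:
        return "dns-failure"     # the "Unable to connect to streamlock.net" case
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return assess(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed: " + exc.verify_message
    except OSError as exc:
        return "connect-failed: " + str(exc)


# Constructed sample in getpeercert() form; the hostname is a placeholder.
SAMPLE = {"subjectAltName": (("DNS", "abc123.streamlock.net"),),
          "notAfter": "Jun 30 12:00:00 2025 GMT"}

if __name__ == "__main__":
    print(assess(SAMPLE, "abc123.streamlock.net"))   # name the certificate carries
    print(assess(SAMPLE, "video.example.com"))       # substituted own-domain name
```

Because the default context already rejects an expired or mismatched certificate during the handshake, check_live() reports those as verify-failed; assess() on a live connection mainly separates ok from renew-now.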