How to request an SSL certificate from a certificate authority

    This article describes how to get and install a Secure Sockets Layer (SSL) certificate from a certificate authority (such as verisign.com or thawte.com) and configure Wowza Streaming Engine™ media server software to serve encrypted connections with it. (The protocol in use today is TLS; this article keeps the older name SSL.) The process uses the command line tool keytool that comes with the Java JRE that installs with Wowza Streaming Engine.

    Contents


    About SSL certificates
    Configure the Java JRE
    Create a keystore (.JKS) and certificate signing request (.CSR)
    Submit the .CSR to a certificate authority
    Import the certificate to the keystore
    Configure a <HostPort> to use the certificate
    Test the certificate and the Wowza Streaming Engine configuration
    Troubleshoot the SSL certificate and configuration

    About SSL certificates


    A certificate binds a public key to a name (here, the host name of your server) and is signed by the certificate authority so that clients can trust it. This article provides instructions for X.509 certificates, which is what certificate authorities commonly issue. X.509 defines the format of public key certificates. RSA and DSA are two of the public key algorithms that can be used in X.509 certificates; RSA is what the commands below generate. X.509 certificates commonly have a .cer, .crt, .der, or .pem extension, but the extension doesn't reliably tell you the encoding: the file is either PEM (Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) or binary DER. keytool accepts both.

    Note: If you received a .p12 (or .pfx) file instead of a bare X.509 certificate, don't use the steps in this article. PKCS #12 defines a container, typically with a .p12 extension, that holds an X.509 certificate together with its private key. Optionally, the container can also hold the X.509 certificates of the certificate authorities that signed that certificate. Because the private key already exists outside the keystore in that case, see How to import an existing SSL certificate and private key instead.

    Configure the Java JRE


    The command line tool keytool is included in the Java JRE that installs with Wowza Streaming Engine media server software (its bin folder, [install-dir]/jre/bin on a default installation). Be sure the bin folder of your JRE installation is added to your PATH environment variable. If the PATH variable is configured correctly, you should be able to open a command prompt and execute the keytool command with no arguments, which prints keytool's usage text. After you have the keytool command up and running, proceed to the following steps to create a certificate request.

    Create a keystore (.JKS) and certificate signing request (.CSR)


    To create a keystore (.jks), a private key (within the keystore), and a certificate signing request (.csr), do the following:

    1. Open a command prompt and change directory to [install-dir]/conf.

    2. Execute the following command to create a keystore (.JKS) and a private key (within the keystore):
      keytool -genkey -keysize 2048 -alias wowza -keyalg RSA -keystore ssl.mycompany.com.jks
      Note: -genkey is the older name of -genkeypair; both work. Current browsers ignore the Common Name and require the host name in the Subject Alternative Name (SAN) extension, so add the option -ext SAN=dns:ssl.mycompany.com to this command and to the -certreq command in step 3 (supported by the keytool in Java 7 and later). For wildcard names such as *.mycompany.com, put the name in quotation marks (") or escape the asterisk with a backslash (\) wherever it appears on the command line; otherwise the shell expands * as a file glob. For example, the above command would be:

      keytool -genkey -keysize 2048 -alias wowza -keyalg RSA -keystore "*.ssl.mycompany.com.jks"
      You'll be prompted to answer several questions. The following sample responses assume that the domain name that you want this certificate to be tied to is ssl.mycompany.com. The "first and last name" answer becomes the certificate's Common Name, so enter the host name exactly as clients will type it, not a person's name. The value password is only a placeholder; choose a strong password, because anyone who can read it together with the .jks file can impersonate your server:
      [Enter keystore password]
       password
      [What is your first and last name]
       ssl.mycompany.com
      [What is the name of your organizational unit]
       Web Department
      [What is the name of your organization]
       My Company Name
      [What is the name of your City or Locality]
       Evergreen
      [What is the name of your State or Province]
       Colorado
      [What is the two-letter country code for this unit]
       US
      [Enter key password for <wowza> (RETURN if same as keystore password)]
       password
      Use the same password for the key as for the keystore (or simply press RETURN at the last prompt). Wowza Streaming Engine has a single KeyStorePassword setting in its SSL configuration and uses it to open both the keystore and the private key.
    3. Create a CSR by executing the following command:
      keytool -certreq -file ssl.mycompany.com.csr -alias wowza -keyalg RSA -keystore ssl.mycompany.com.jks

    Submit the .CSR to a certificate authority


    After you have the [install-dir]/conf/ssl.mycompany.com.csr file that contains the PEM-encoded certificate request, you can submit it to the certificate authority. (Review the documentation on the certificate authority website about how to do this.) In most cases, you'll use a text editor to open the ssl.mycompany.com.csr file and copy-and-paste the contents, including the BEGIN and END lines, into a web form for submission to the certificate authority. The .csr contains only the public key and the subject information; the private key never leaves the keystore. In return, you'll get a certificate, usually together with one or more intermediate (chain) certificates of the certificate authority; keep all of them, because they are imported in the next section.

    Import the certificate to the keystore


    1. Open a command prompt and change directory to [install-dir]/conf.

    2. Execute the following command to inspect the certificate and determine its format (openssl isn't part of the JRE; install it separately if the command isn't found):
      openssl x509 -in ssl.mycompany.com-2016-07-13-111324.cer -text
      The output shows the Version (such as 3 (0x2), that is, X.509v3), the Subject, the Issuer, the validity dates, and the Public Key Algorithm (such as rsaEncryption). If openssl reports that it can't read the file, the certificate is probably binary DER rather than PEM; add -inform DER to the command. Confirm that the Subject (or the Subject Alternative Name) carries your host name before going on.

    3. Execute the following commands to import the signed certificate that you received from the certificate authority. Import the chain first, then your own certificate; keytool validates your certificate against the certificates already in the keystore (and, with -trustcacerts, against the JRE's cacerts store), so the order matters. -import is the older name of -importcert.

      • For each chain certificate (the root and any intermediate certificates), using a different alias for each file:
        keytool -import -alias root -trustcacerts -file [filename-of-chain-certificate] -keystore ssl.mycompany.com.jks
        Where [filename-of-chain-certificate] is the file name of the chain certificate. keytool asks whether to trust the certificate; answer yes.

      • For your new certificate, using the alias of the key pair created above:
        keytool -import -alias wowza -trustcacerts -file [filename-certificate] -keystore ssl.mycompany.com.jks
        Where [filename-certificate] is the file name of the certificate in X.509 format. Because the alias already holds the private key, keytool installs the file as a certificate reply, replacing the self-signed placeholder certificate, and reports "Certificate reply was installed in keystore". If it reports that it failed to establish a chain from the reply, an intermediate certificate is missing from the keystore.
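    The keystore and CSR procedure and the import procedure above can be rehearsed end to end before the real CSR is submitted. The following script is an added example, not the article's or Wowza's own code: a throwaway local certificate authority built with keytool stands in for the commercial certificate authority, signs the CSR, and the result is imported exactly as described above. It assumes keytool from Java 7 or later (and, optionally, openssl) on the PATH; the alias wowza, the JKS store type and the subject fields follow the article, while the CA alias testca, the password changeit and the file names are placeholders.

```shell
#!/bin/sh
# Rehearsal of the keystore/CSR/import flow (added example, not Wowza's code).
# Assumptions: keytool (JDK 7+) and optionally openssl on PATH; alias "wowza",
# JKS store type and subject fields as in the article; "testca", "changeit" and
# the file names are placeholders.

PW=changeit    # placeholder; the real keystore and key must share one strong password

need_tools() {
    command -v keytool >/dev/null 2>&1 || return 2
}

# Steps 2 and 3 of the article, non-interactive: -dname answers the prompts,
# -keypass equals -storepass because Wowza has only KeyStorePassword, and
# -ext SAN puts the host name where browsers look for it (CSR included).
make_keystore_and_csr() {                     # args: dir host
    keytool -genkeypair -keysize 2048 -alias wowza -keyalg RSA -storetype JKS \
        -keystore "$1/$2.jks" -storepass "$PW" -keypass "$PW" -validity 365 \
        -dname "CN=$2, OU=Web Department, O=My Company Name, L=Evergreen, ST=Colorado, C=US" \
        -ext "SAN=dns:$2" || return 1
    keytool -certreq -alias wowza -storetype JKS -keystore "$1/$2.jks" \
        -storepass "$PW" -ext "SAN=dns:$2" -file "$1/$2.csr" || return 1
}

# Stand-in for the certificate authority: a self-signed CA key pair (bc:c marks
# it as a CA), its certificate exported as PEM, and the CSR signed with it.
make_local_ca() {                             # arg: dir
    keytool -genkeypair -keysize 2048 -alias testca -keyalg RSA -storetype JKS \
        -keystore "$1/testca.jks" -storepass "$PW" -keypass "$PW" -validity 365 \
        -dname "CN=Local Test CA, O=My Company Name, C=US" -ext bc:c || return 1
    keytool -exportcert -alias testca -storetype JKS -keystore "$1/testca.jks" \
        -storepass "$PW" -rfc -file "$1/testca.cer" || return 1
}
sign_csr() {                                  # args: dir host
    keytool -gencert -alias testca -storetype JKS -keystore "$1/testca.jks" \
        -storepass "$PW" -infile "$1/$2.csr" -outfile "$1/$2.cer" \
        -ext "SAN=dns:$2" -rfc -validity 365 || return 1
}

# "Determine the format": openssl x509 reads one encoding at a time, so try
# PEM and fall back to DER. Skipped when openssl is not installed.
show_cert_format() {                          # arg: certificate file
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -inform PEM -noout -subject -issuer 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -subject -issuer
}

# Chain first (each CA certificate under its own alias), then the signed
# certificate under the key pair's alias so keytool installs it as the reply.
# Afterwards the key entry must carry a two-certificate chain.
import_reply() {                              # args: dir host
    keytool -importcert -alias root -trustcacerts -noprompt -storetype JKS \
        -keystore "$1/$2.jks" -storepass "$PW" -file "$1/testca.cer" || return 1
    keytool -importcert -alias wowza -trustcacerts -noprompt -storetype JKS \
        -keystore "$1/$2.jks" -storepass "$PW" -file "$1/$2.cer" || return 1
    keytool -list -v -alias wowza -storetype JKS -keystore "$1/$2.jks" \
        -storepass "$PW" | grep -q 'Certificate chain length: 2'
}

# Whole rehearsal: 0 on success, 1 on a keytool failure, 2 when keytool is absent.
# Usage: practice_run /tmp/ssl-rehearsal ssl.mycompany.com
practice_run() {                              # args: dir host
    need_tools || return 2
    make_local_ca "$1" && make_keystore_and_csr "$1" "$2" && sign_csr "$1" "$2" &&
        show_cert_format "$1/$2.cer" && import_reply "$1" "$2"
}
```

    For the real certificate, run only make_keystore_and_csr, send the .csr to the certificate authority, and then call import_reply with the files it returns (one keytool -importcert per chain certificate, each with its own alias). The final keytool -list check is the one worth keeping: a chain length of 1 after the import means the self-signed placeholder is still in place and clients will reject the server.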

    Configure a <HostPort> to use the certificate


    Open the [install-dir]/conf/VHost.xml file in a text editor and make the following changes:

    1. Uncomment the <HostPort> definition for port 443. This entry follows the comment <!-- 443 with SSL -->. Be sure to remove the comment before <HostPort> and after </HostPort>.

    2. Set the value SSLConfig/KeyStorePath to:
      ${com.wowza.wms.context.VHostConfigHome}/conf/ssl.mycompany.com.jks
    3. Set SSLConfig/KeyStorePassword to the keystore password entered above. This is the only password Wowza Streaming Engine reads, so it must also open the private key; if you gave the key a different password in keytool, the port won't start. Restrict read access to VHost.xml and the .jks file to the account that runs Wowza Streaming Engine, since together they expose the private key.

    4. Restart Wowza Streaming Engine so that the new <HostPort> is bound.

    Test the certificate and the Wowza Streaming Engine configuration


    To test that the SSL certificate is working properly and the Wowza Streaming Engine is configured to use the SSL certificate, do the following:

    1. Use an editor, such as vi, to edit your hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) so that the domain name that the certificate is tied to points to the localhost IP address. This lets you test from the server itself using the host name in the certificate, which is what clients will check. For example, assuming the localhost IP address is 127.0.0.1, add the following lines to the hosts file:
      #testing ssl
      127.0.0.1       ssl.mycompany.com
      # END ssl test
      Important: Be careful when editing the hosts file. It exists on every computer and is consulted by the operating system, before DNS, to map host names to IP addresses. You may edit the hosts file for a variety of reasons, but a mistake in it can cause a variety of undesirable network problems such as inaccessible network locations, network failures, or web sites being blocked or otherwise inaccessible. Remove the test lines when you're done.
    2. Check the [install-dir]/logs/wowzastreamingengine_access.log for the following statements, which indicate that the keystore was read and the server successfully bound port 443:
      SSL ([any]:443): keyStorePath:/Library/WowzaStreamingEngine/conf/ssl.mycompany.com.jks
      Bind successful ([any]:443)
      Then connect to https://ssl.mycompany.com/ from the same machine with a browser or with openssl s_client and confirm that the certificate presented is the one you imported and that the browser reports no certificate warning.
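    A scripted version of the connection check, added here as an example (not the article's or Wowza's own code): it completes a TLS handshake with the <HostPort> under the certificate's host name, which the hosts entry above points at 127.0.0.1, prints what the server presented, and reports whether the chain verifies and the name matches. It assumes openssl 1.1.0 or later on the PATH; the optional CA bundle argument is for a private or not-yet-trusted certificate authority.

```shell
#!/bin/sh
# Added check for the test step (not Wowza's code). Assumes openssl 1.1.0+.
#
# check_tls_endpoint HOST [PORT] [CAFILE]
#   0  handshake completed, chain verified, HOST matches the certificate
#   1  handshake completed but verification failed (verdict printed)
#   2  no handshake at all: openssl missing, port not bound, or TLS rejected
check_tls_endpoint() {
    host=$1; port=${2:-443}; cafile=$3
    command -v openssl >/dev/null 2>&1 || return 2
    # Optional trust anchor for a private CA; "$@" is empty otherwise
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
    # -servername sends SNI; -verify_hostname checks the name against SAN/CN
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -verify_hostname "$host" "$@" </dev/null 2>&1) || return 2
    # Leaf certificate as presented: subject, issuer, validity window, SAN
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
    printf '%s\n' "$out" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
    # s_client exits 0 even when verification fails, so read its verdict explicitly
    verdict=$(printf '%s\n' "$out" | grep 'Verify return code')
    echo "$verdict"
    case $verdict in
        *'Verify return code: 0 (ok)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_tls_endpoint ssl.mycompany.com 443 && echo "certificate OK"
```

    A verdict other than 0 (ok) names the problem directly: "unable to get local issuer certificate" means an intermediate certificate was not imported into the keystore, "hostname mismatch" means the name in the certificate doesn't match the name clients use, and "certificate has expired" speaks for itself. A return of 2 with nothing printed means the handshake never happened; check the Bind successful line in the access log first.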

    Troubleshoot the SSL certificate and configuration


    For troubleshooting information about SSL certificates and the configuration of Wowza media servers to use SSL certificates, see How to troubleshoot SSL certificate configuration.
    Originally Published: 10-02-2010.
    Updated: 08-17-2016.

    If you're having problems or want to discuss this article, post in our forum.