To have access to resources by using HTTPS secure acceleration, you must configure an HTTPS certificate. This topic describes the certificate formats that are supported by ApsaraVideo Live. This topic also describes how to convert certificates in various formats.

Root CA certificates

Root certificate authority (CA) certificates are issued by root CAs, including Apache, Internet Information Services (IIS), NGINX, and Tomcat. Each root CA certificate is unique. ApsaraVideo Live uses root CA certificates that are issued by NGINX. The certificate information is contained in a .crt file and the private key information is contained in a .key file.

Upload your certificate in the following format:
  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • All the lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.
The following figure shows a sample certificate in the Privacy-Enhanced Mail (PEM) format. The sample certificate is used in the Linux operating system. PEM

Intermediate CA certificates

A certificate file that is issued by an intermediate CA includes one server certificate and one intermediate certificate. You must manually concatenate the content of the server certificate and the intermediate certificate before you upload them.

Note Make sure that the content of the server certificate is followed by the content of the intermediate certificate. In most cases, the CA provides the concatenating description when the CA issues the certificates. Follow the description to concatenate the content of the certificates.

A chain of certificates that are issued by an intermediate CA is in the following format:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The certificates in the chain must comply with the following rules:

  • Empty lines are not allowed between certificates.
  • Each certificate follows the format description when the certificate is uploaded.

Format rules of RSA private keys

A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:

  • The openssl genrsa -out privateKey.pem 2048 command must be run to generate the RSA private key. privateKey.pem is the private key file.
  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  • All the lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.
RSA
If you do not generate the private key as instructed and the private key does not start with -----BEGIN PRIVATE KEY----- or end with -----END PRIVATE KEY-----, run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file and the certificate.

Certificate format conversion

HTTPS configuration supports only certificates in the PEM format. If your certificates are not in the PEM format, you must convert them from other formats to the PEM format. We recommend that you use OpenSSL to convert certificate formats. This section describes how to convert certificates from other formats to the PEM format:

  • Conversion from the DER format to the PEM format
    The Distinguished Encoding Rules (DER) format is typically used for Java.
    • Certificate conversion:
      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Private key conversion:
      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • Conversion from the P7B format to the PEM format
    The P7B format is typically used for Windows Server and Tomcat.
    • Certificate conversion:
      openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

      You must open the outcertificat.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.

    • Private key conversion: A certificate in the P7B format does not include a private key. When you configure an HTTPS certificate in the ApsaraVideo Live console, you need to specify only the certificate information. You do not need to specify the private key information.
  • Conversion from the PFX format to the PEM format
    The PKCS #12 (PFX) format is typically used for Windows Server.
    • Certificate conversion:
      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Private key conversion:
      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes