To access resources over HTTPS secure acceleration, you must configure an HTTPS certificate. This topic describes the certificate formats that ApsaraVideo Live supports and how to convert certificates from other formats.
Root CA certificates
Root certificate authority (CA) certificates are issued by root CAs, including Apache, Internet Information Services (IIS), NGINX, and Tomcat. Each root CA certificate is unique. ApsaraVideo Live uses root CA certificates that are issued by NGINX. The certificate information is contained in a .crt file and the private key information is contained in a .key file.
- The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- All the lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.
Privacy-Enhanced Mail (PEM) format. The sample certificate is used in the Linux operating system.
Intermediate CA certificates
A certificate file that is issued by an intermediate CA includes one server certificate and one intermediate certificate. You must manually concatenate the content of the server certificate and the intermediate certificate before you upload them.
A chain of certificates that are issued by an intermediate CA is in the following format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The certificates in the chain must comply with the following rules:
- Empty lines are not allowed between certificates.
- Each certificate must comply with the certificate format rules described above when it is uploaded.
Format rules of RSA private keys
A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:
- The openssl genrsa -out privateKey.pem 2048 command must be run to generate the RSA private key. privateKey.pem is the private key file.
- The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
- All the lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.

If the private key starts with -----BEGIN PRIVATE KEY----- or ends with -----END PRIVATE KEY-----, run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem
Then, upload the new_server_key.pem file and the certificate.
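
The certificate chain and private key rules above can be checked locally before upload. The following Python script is an added example, not part of ApsaraVideo Live or its documentation; the function names are hypothetical and the sample blocks are constructed filler, not real certificates or keys.

```python
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def lint_pem(text, label):
    """Check PEM text against the format rules above; return a list of problems."""
    problems, body, blocks = [], None, 0
    for n, line in enumerate(text.rstrip("\n").split("\n"), 1):
        line = line.rstrip("\r")
        m = MARKER.fullmatch(line)
        if m and m.group(1) == "BEGIN":
            if m.group(2) != label:
                problems.append(f"line {n}: found BEGIN {m.group(2)}, expected BEGIN {label}")
            body = []
        elif m:  # END marker closes the current block
            problems += check_body(body, n)
            body, blocks = None, blocks + 1
        elif body is None:
            kind = "empty line" if not line.strip() else "stray text"
            problems.append(f"line {n}: {kind} outside a BEGIN/END block")
        else:
            body.append((n, line))
    if body is not None:
        problems.append(f"missing END {label}")
    if blocks == 0:
        problems.append(f"no {label} block found")
    return problems

def check_body(body, end_line):
    """Apply the 64-character line rule to the lines of one block."""
    if not body:
        return [f"line {end_line}: END without a BEGIN, or empty block"]
    problems = [f"line {n}: {len(l)} characters, must be exactly 64"
                for n, l in body[:-1] if len(l) != 64]
    n, last = body[-1]
    if not 1 <= len(last) <= 64:
        problems.append(f"line {n}: last line must be 1 to 64 characters")
    return problems

def block(label, widths=(64, 64, 20)):
    """Constructed sample block (filler characters, not a real certificate or key)."""
    rows = ["A" * w for w in widths]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

if __name__ == "__main__":
    chain = block("CERTIFICATE") + "\n\n" + block("CERTIFICATE")  # blank line: rejected
    print(lint_pem(chain, "CERTIFICATE"))
    print(lint_pem(block("PRIVATE KEY"), "RSA PRIVATE KEY"))  # wrong header: rejected
```

With OpenSSL 3.x, openssl genrsa and openssl rsa write the -----BEGIN PRIVATE KEY----- header by default; add the -traditional option to get -----BEGIN RSA PRIVATE KEY-----.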
Certificate format conversion
HTTPS configuration supports only certificates in the PEM format. If your certificates are not in the PEM format, you must convert them from other formats to the PEM format. We recommend that you use OpenSSL to convert certificate formats. This section describes how to convert certificates from other formats to the PEM format:
- Conversion from the DER format to the PEM format
  The Distinguished Encoding Rules (DER) format is typically used for Java.
  - Certificate conversion:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  - Private key conversion:
    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
- Conversion from the P7B format to the PEM format
  The P7B format is typically used for Windows Server and Tomcat.
  - Certificate conversion:
    openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer
    You must open the outcertificate.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.
  - Private key conversion: A certificate in the P7B format does not include a private key. When you configure an HTTPS certificate in the ApsaraVideo Live console, you need to specify only the certificate information. You do not need to specify the private key information.
- Conversion from the PFX format to the PEM format
  The PKCS #12 (PFX) format is typically used for Windows Server.
  - Certificate conversion:
    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  - Private key conversion:
    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes