HTTPS ensures data transmission security through the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol. ApsaraVideo Live supports configuring HTTPS and managing SSL certificates to improve the security and reliability of live streaming.
What is HTTPS?
HTTPS is an extension of HTTP for secure communication over networks. In HTTPS, the communication is encrypted using the TLS or SSL protocol. After you configure an SSL certificate for a domain name, HTTP and HTTPS access are supported. If the certificate does not match the domain name or is disabled, only HTTP access is supported.
Benefits
HTTPS encrypts sensitive information such as session IDs and cookies during transmission. This prevents security threats caused by sensitive information leakage.
HTTPS checks data integrity during transmission to protect the data against man-in-the-middle (MITM) attacks, such as DNS hijacking and tampering.
Before you begin
Notes on configuration
After you disable HTTPS for a domain name, only HTTP access is supported. The certificate and private key are no longer available. To re-enable HTTPS, upload a certificate and private key again.
You can view basic information about a certificate. However, the private key is not displayed due to its sensitive nature.
You can change or edit a certificate. It takes 5 minutes for an updated certificate to take effect.
The uploaded certificate must match the private key. Otherwise, the verification will fail.
Notes on certificates
ApsaraVideo Live supports certificates purchased through Certificate Management Service and custom certificates.
ApsaraVideo Live uses the NGINX-based Tengine web server, so it only supports PEM certificates that can be read by NGINX. Your certificate content and private key must be in PEM format.
ApsaraVideo Live only supports SSL/TLS handshakes that include Server Name Indication (SNI) information.
The system does not support private keys for which passwords are configured.
Configure HTTPS
Step 1: Purchase a certificate
To enable HTTPS, you need a certificate that matches your accelerated domain name. If you do not have one, go to the Certificate Management Service page and click Purchase SSL Certificates. If you already have one, skip this step.
Step 2: Enable HTTPS for a domain name
Enable HTTPS.
Log on to the ApsaraVideo Live console.
In the left-side navigation pane, click Domain Names to go to the Domain Management page.
Select the ingest domain for which you want to configure HTTPS, and click Domain Settings in the Actions column.
Choose Streaming Management > HTTPS Settings and turn on the HTTPS Certificate switch.
Upload a certificate.
Certificate issued by Alibaba Cloud:
In the HTTPS Settings dialog box, select Certificate Management Service as the certificate type. Then, select a certificate in Certificate Name. The content and private key are automatically filled.
Custom certificates:
In the HTTPS Settings dialog box, select Custom as the certificate type. Then, enter a certificate name and upload the content and private key. This certificate will be stored in the Certificate Management Service console.
Step 3: Verify certificate effectiveness
After you complete the settings, it takes about one minute for the certificate to take effect. Then, access resources using HTTPS. If a lock icon appears in the address bar of the browser, the certificate has taken effect.
Certificate format
This section describes the certificate format supported by ApsaraVideo Live and how to convert formats.
Server certificates
A server certificate is a public key certificate issued by a Certificate Authority (CA) for your domain. ApsaraVideo Live uses NGINX-based servers, which require certificates to be in PEM format. The certificate itself is often in a .pem or .crt file, and the corresponding private key is in a .key file.
Upload your certificate in the following format:
The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
All lines except the last one must be 64 characters in length. The last line can be up to 64 characters in length.
The following figure shows a sample certificate in the PEM format used in the Linux operating system:

Intermediate CA certificates
If your certificate was issued by an intermediate CA, you must provide the full certificate chain to ensure trust across all clients. This typically involves concatenating your server certificate and the CA's intermediate certificate(s) into a single file.
Concatenation rules:
The order of concatenation is critical. Start with your server certificate, followed by the intermediate certificate that signed it, then the next intermediate certificate in the chain.
Typically, issuing authorities provide instructions on concatenation. Refer to these guidelines before proceeding.
Certificate chain formats:
Empty lines are not allowed between certificates.
Each certificate within the chain must be in the standard PEM format, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" headers.
The following provides an example of a chain of certificates issued by an intermediate CA:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
RSA private keys
A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:
Run the following command to generate the RSA private key. privateKey.pem is the private key file.
openssl genrsa -out privateKey.pem 2048
The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Upload the key together with these lines.
All lines except the last one must be 64 characters in length. The last line can be up to 64 characters in length.
Sample private key:

If your private key does not match the above format and starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, convert it using the following command:
openssl rsa -in old_server_key.pem -out new_server_key.pem
Then, upload the new_server_key.pem file and the certificate.
Certificate format conversion
ApsaraVideo Live only supports SSL certificates in the PEM format. If your certificates are not in PEM format, convert them using OpenSSL.
From DER to PEM format
The DER format is typically used for Java.
Run the following command to convert the certificate:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Run the following command to convert the private key:
openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
From P7B to PEM format
The P7B format is typically used for Windows Server and Tomcat.
Run the following command to convert the certificate:
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
Open the outcertificate.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.
P7B certificates do not include private key files. You do not need to specify the private key information in the ApsaraVideo Live console.
From PFX to PEM format
The PFX format is typically used for Windows Server.
Run the following command to convert the certificate:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Run the following command to convert the private key:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
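The rules in the Certificate format section (PEM headers, 64-character lines, no empty lines between chained certificates, an unencrypted RSA private key that matches the certificate) can be checked locally on generated or converted files before upload. The script below is an added example, not Alibaba Cloud tooling: the function names lint_pem, key_matches_cert and check_upload are made up here, and key_matches_cert assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Pre-upload checks for the PEM rules described on this page (added example).

# lint_pem FILE KIND  (KIND: "CERTIFICATE" or "RSA PRIVATE KEY")
# Prints one line per violation; exit status is 0 only when FILE is clean.
lint_pem() {
  awk -v kind="$2" '
    function err(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    BEGIN { b = "-----BEGIN " kind "-----"; e = "-----END " kind "-----" }
    $0 == b { if (st) err("BEGIN inside an open block")
              st = 1; short = enc = 0; n++; next }
    $0 == e { if (st != 1) err("END without a matching BEGIN"); st = 0; next }
    /^-----BEGIN / { err("unsupported block type: " $0); st = 2; next }
    /^-----END /   { st = 0; next }
    st == 0 && $0 == "" { err("empty line outside a PEM block"); next }
    st == 0 { err("text outside a PEM block"); next }
    st == 2 { next }                     # body of an unsupported block
    /^Proc-Type:.*ENCRYPTED/ { err("private key is passphrase-protected")
                               enc = 1; next }
    enc { next }                         # skip the encrypted body
    short { err("only the last body line may be shorter than 64 characters") }
    length($0) > 64 { err("body line is longer than 64 characters") }
    length($0) < 64 { short = 1 }
    END { if (st == 1) err("missing END line")
          if (!n) err("no " kind " block found")
          exit bad + 0 }
  ' "$1"
}

# key_matches_cert CERT KEY: true when the first certificate in CERT holds
# the public key of KEY. Needs the openssl CLI; -passin pass: avoids a prompt.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# check_upload CERT KEY: run every check on the caller's two files.
check_upload() {
  lint_pem "$1" "CERTIFICATE" && lint_pem "$2" "RSA PRIVATE KEY" &&
    key_matches_cert "$1" "$2" && echo "OK: format and key match checks passed"
}

# Run as: sh check.sh cert.pem key.pem (does nothing without two arguments).
[ "$#" -ne 2 ] || check_upload "$@"
```

With OpenSSL 3.x, openssl genrsa and openssl rsa write a -----BEGIN PRIVATE KEY----- (PKCS#8) file unless -traditional is passed, which lint_pem reports as an unsupported block type. The same message and the "text outside a PEM block" message also flag the extra attribute and subject lines that the pkcs12 and pkcs7 conversions write around the PEM blocks.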