HTTPS secures data transmission using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. ApsaraVideo Live provides an HTTPS secure acceleration solution with flexible certificate management to ensure the security and reliability of your live streaming service.
Feature introduction
Hypertext Transfer Protocol Secure (HTTPS) is a secure HTTP channel that uses the SSL or TLS protocol for encapsulation. ApsaraVideo Live provides an HTTPS secure acceleration solution that lets you view, disable, enable, and edit certificates. If a certificate is correctly configured and enabled, access is supported over both HTTP and HTTPS. If the certificate is invalid or disabled, only HTTP access is supported.
Benefits of HTTPS acceleration
It encrypts key user information during transmission. This prevents security risks, such as leaks of sensitive information caused by attackers capturing session IDs or cookies.
It verifies data integrity during transmission. This prevents man-in-the-middle (MITM) attacks, such as DNS hijacking, content hijacking, or content tampering.
Precautions
Configuration
Feature | Description |
Enable or disable the HTTPS feature | |
View a certificate | You can view certificate information. However, you cannot view the private key because it is sensitive information. Keep your certificate information secure. |
Modify or edit a certificate | You can modify or edit a certificate. Note that the change takes 5 minutes to take effect. Proceed with caution. |
Certificates
ApsaraVideo Live supports two types of certificate deployment: certificates from Alibaba Cloud Security and custom certificates.
For an accelerated domain name that has HTTPS enabled, you must upload a certificate and its private key in PEM format.
The ApsaraVideo Live service uses Tengine, which is based on Nginx. Because of this, ApsaraVideo Live supports only certificates in PEM format that can be read by Nginx.
Only SSL or TLS handshakes that include Server Name Indication (SNI) information are supported.
The certificate and private key that you upload must match. Otherwise, a validation error occurs.
An updated certificate takes about 5 minutes to take effect.
Password-protected private keys are not supported.
Configure HTTPS secure acceleration
Step 1: Purchase a certificate
To enable HTTPS, you need a certificate that matches your accelerated domain name. You can go to the Certificate Service page and click Buy Now. If you want to use a custom certificate, you can skip this step.
Step 2: Configure a live streaming domain name
Enable HTTPS secure acceleration.
Log on to the ApsaraVideo Live console.
In the navigation pane on the left, click Domain Names to go to the Domain Management page.
Select the ingest domain for which you want to configure HTTPS secure acceleration, and click Domain Settings.
Click HTTPS, and turn on the HTTPS Certificate switch.
Select a certificate.
Certificate issued by Alibaba Cloud: For Certificate Type, select Alibaba Cloud Security and choose a certificate that you purchased from Alibaba Cloud Certificate Service. You can directly select the certificate that matches the accelerated domain name.
Custom certificate: For the Certificate Type option, select Others. Then, enter a certificate name, and upload the certificate content and the private key. The certificate is saved to the Alibaba Cloud Security Certificate Console, where you can view it in the My Certificates section.
Note: Only certificates in PEM format are supported.
Step 3: Verify that the certificate is effective
After you complete the settings, it takes about one minute for the certificate to take effect across the network. To verify the configuration, access a resource over HTTPS. If a lock icon appears in the browser's address bar, HTTPS secure acceleration is enabled.
Certificate format description
This section describes the certificate formats that ApsaraVideo Live supports and how to convert certificates to the required format.
Certificates issued by a root CA
Certificates issued by a root certificate authority (CA) can be used for various types of server software, such as Apache, IIS, Nginx, and Tomcat. ApsaraVideo Live uses Nginx servers to process certificates. The certificate file usually has a .crt extension, and the private key file usually has a .key extension.
When you upload a certificate, follow these formatting rules:
Include the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----.
Each line must contain 64 characters. The last line can contain fewer than 64 characters.
The following figure shows an example of a certificate in PEM format in a Linux environment.

Certificates issued by an intermediate authority
If your certificate is issued by an intermediate authority, the certificate file contains multiple certificates. You must combine the server certificate and the intermediate certificate into a single file before you upload it.
Concatenation rule: The server certificate must be placed before the intermediate certificate. The issuing authority typically provides instructions with the certificate. Make sure to follow the provided rules.
Certificate chain issued by an intermediate authority:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate chain rules:
Do not include empty lines between certificates.
Each certificate must comply with the formatting requirements.
RSA private key format requirements
Follow these rules for RSA private keys:
To generate a private key locally, run the following command:
openssl genrsa -out privateKey.pem 2048
In this command, privateKey.pem is your private key file.
The key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Include these header and footer lines when you upload the key.
Each line must contain 64 characters. The last line can contain fewer than 64 characters.

If you did not generate your private key using the method described above, and it is in a format that includes -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, you can convert it as follows:
openssl rsa -in old_server_key.pem -out new_server_key.pem
Then, upload the content of new_server_key.pem together with the certificate.
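The formatting rules above for certificates, certificate chains and RSA private keys can be checked locally before upload. The following is an added example, not Alibaba Cloud code: `lint_pem` and `fake_pem` are hypothetical names, the sample PEM blocks are constructed from dummy bytes, and the check covers structure only, not whether the certificate and key match.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def lint_pem(text, kind):
    """List rule violations in a certificate chain (kind="cert") or key (kind="key")."""
    text = text.replace("\r\n", "\n")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM header/footer found"]
    problems = []
    if kind == "cert" and re.search(r"\n[ \t]*\n", text.strip()):
        problems.append("empty line between or inside certificates")
    for label, body in blocks:
        lines = body.split("\n")
        if kind == "key":
            # Both encrypted forms: PKCS#8 armor, or the legacy Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or lines[0].startswith("Proc-Type:"):
                problems.append("password-protected key is not supported")
                continue
            if label == "PRIVATE KEY":
                problems.append("PKCS#8 key: convert it with 'openssl rsa'")
            elif label != "RSA PRIVATE KEY":
                problems.append(f"unexpected block {label!r}")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block {label!r}")
        if any(len(l) != 64 for l in lines[:-1]) or not 0 < len(lines[-1]) <= 64:
            problems.append(f"{label}: lines must be 64 characters (last may be shorter)")
        try:
            base64.b64decode(body.replace("\n", ""), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
    return problems

def fake_pem(label, nbytes=100, width=64):
    """Constructed sample: PEM armor around dummy bytes, not a real certificate or key."""
    b64 = base64.b64encode(bytes(range(nbytes))).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    chain = fake_pem("CERTIFICATE") + fake_pem("CERTIFICATE")
    print(lint_pem(chain, "cert"))
    print(lint_pem(fake_pem("PRIVATE KEY"), "key"))
```

With OpenSSL 3.x, `openssl genrsa` and `openssl rsa` write the `BEGIN PRIVATE KEY` form unless `-traditional` is passed, which is the case the PKCS#8 finding catches.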
Methods to convert certificate formats
HTTPS secure acceleration supports only certificates in PEM format. If your certificate is in a different format, you must convert it to PEM. You can use the OpenSSL tool to perform the conversion. The following table describes how to convert certificates from several common formats to the PEM format.
Conversion method | Description |
Convert DER to PEM | The DER format is common on the Java platform. |
Convert P7B to PEM | The P7B format is common on Windows Server and Tomcat. |
Convert PFX to PEM | The PFX format is common on Windows Server. |