ApsaraVideo Live: Configure HTTPS secure acceleration

Last Updated: Apr 24, 2025

HTTPS ensures data transmission security through SSL or TLS protocols. Alibaba Cloud ApsaraVideo Live provides HTTPS secure acceleration solutions with flexible certificate management to ensure the security and reliability of live streaming services.

Function introduction

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel that is secured by the SSL or TLS protocol. Alibaba Cloud ApsaraVideo Live provides HTTPS secure acceleration solutions and supports viewing, disabling, enabling, and editing certificates. After you correctly configure and enable the certificate, both HTTP and HTTPS access are supported. If the certificate does not match the domain name or you disable the certificate, only HTTP access is supported.

HTTPS acceleration advantages

  • HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.

  • HTTPS checks data integrity during transmission to protect the data against man-in-the-middle (MITM) attacks, such as DNS hijacking and tampering.

Notes

Configuration related

Feature

Description

Disable and Enable HTTPS feature

  • After you Disable the feature, HTTPS requests are not supported and certificate or private key information is no longer retained.

  • After you Enable the feature, you need to upload the certificate or private key again to enable the certificate.

View a certificate

You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe.

Change or edit a certificate

You can change or edit a certificate. It requires 5 minutes for an updated certificate to take effect. Exercise caution when you perform this operation.

Certificate related

  • ApsaraVideo Live supports certificates purchased through Certificate Management Service and custom certificates.

  • For accelerated domains with HTTPS Secure Acceleration enabled, you must upload both the certificate and the private key, each in PEM format.

Note

ApsaraVideo Live uses the NGINX-based Tengine web server. Therefore, ApsaraVideo Live supports only PEM certificates that can be read by NGINX.

  • ApsaraVideo Live supports only SSL/TLS handshakes that include Server Name Indication (SNI) information.

  • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail the verification.

  • It requires 5 minutes for an updated certificate to take effect.

  • The system does not support private keys for which passwords are configured.

Configure HTTPS secure acceleration

Step 1: Purchase a certificate

To enable HTTPS Secure Acceleration, you need a certificate that matches your accelerated domain name. You can click Buy Now in Certificate Service to purchase a certificate. If you want to use a custom certificate, skip this step.

Step 2: Configure a live domain name

  1. Enable HTTPS secure acceleration.

    1. Log on to the ApsaraVideo Live console.

    2. In the left navigation bar, click Ingest/Streaming Domain Names to go to the Domain Management page.

    3. Select the ingest domain name for which you want to configure HTTPS secure acceleration, and click Domain Name Configuration.

    4. Click HTTPS, and turn on the HTTPS Certificate switch.

  2. Upload a certificate.

    • Alibaba Cloud Certificate Service: In the certificate type options, click Alibaba Cloud Certificate Service, and select a certificate that you purchased from Certificate Service. You can select a certificate that matches your accelerated domain name by certificate name.

    • Custom certificate: In the certificate type options, click Custom, enter a certificate name, and upload the certificate content and private key. The certificate will be saved in the Certificate Service console, and you can view it in the My Certificates section.

      Note

      Only certificates in the PEM format are supported.

Step 3: Verify that the certificate takes effect

After you complete the settings, the certificate takes effect across the entire network in 1 minute. Access resources by using HTTPS. If a lock icon appears in the browser, HTTPS secure acceleration takes effect.

Certificate format description

This section describes the certificate formats supported by ApsaraVideo Live and how to convert certificates from different formats.

Root CA certificates

Each certificate issued by a root CA is unique and can be used for various server software, including Apache, IIS, Nginx, and Tomcat. ApsaraVideo Live typically uses Nginx servers to process certificates. Certificate files usually have the .crt extension, and private key files usually have the .key extension.

Upload your certificate in the following format:

  • When you upload a certificate, include the opening line -----BEGIN CERTIFICATE----- and the closing line -----END CERTIFICATE-----.

  • All lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.

The following figure shows an example of a PEM certificate in a Linux environment.

[Figure: example of a PEM certificate in a Linux environment]

Intermediate CA certificates

A certificate file that is issued by an intermediate CA includes one server certificate and one intermediate certificate. You must manually concatenate the content of the server certificate and the intermediate certificate before you upload them.

Note

Make sure that the content of the server certificate is followed by the content of the intermediate certificate. In most cases, the CA provides concatenation instructions when it issues the certificates. Follow those instructions to concatenate the content of the certificates.

A chain of certificates that are issued by an intermediate CA is in the following format:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificates in the chain must comply with the following rules:

  • Empty lines are not allowed between certificates.

  • Each certificate must follow the certificate format rules described above for uploaded certificates.

RSA private key formats

A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:

  • Generate a private key on your local computer: openssl genrsa -out privateKey.pem 2048. privateKey.pem is your private key file.

  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Upload the content together with these lines.

  • All lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.

If you did not generate a private key as described above and obtained a private key that starts with -----BEGIN PRIVATE KEY----- or ends with -----END PRIVATE KEY-----, you can convert it using the following method:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Then upload the content of new_server_key.pem together with the certificate.
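
A pre-upload check for the format rules in this section (marker lines, 64-character lines, no empty lines in a chain, an unencrypted RSA PRIVATE KEY header), as an added example that is not part of the original documentation. pem_lint is a hypothetical helper name, and the sample chain is constructed filler, not a real certificate.

```shell
#!/bin/sh
# pem_lint FILE cert|key : hypothetical helper, checks the PEM layout rules on this page.
pem_lint() {
    case "$2" in
        cert) label="CERTIFICATE" ;;
        key)  label="RSA PRIVATE KEY" ;;
        *)    echo "usage: pem_lint FILE cert|key"; return 2 ;;
    esac
    awk -v label="$label" '
        function fail(msg) { print "line " NR ": " msg; bad = 1; exit 1 }
        /^$/ { fail("empty line") }
        /^-----BEGIN / {
            if (inside) fail("BEGIN before the previous block ended")
            if ($0 ~ /ENCRYPTED/) fail("password-protected key")
            if ($0 == "-----BEGIN PRIVATE KEY-----") fail("PKCS#8 key, convert to RSA PRIVATE KEY")
            if ($0 != "-----BEGIN " label "-----") fail("unexpected header")
            inside = 1; prev = -1; blocks++; next
        }
        /^-----END / {
            if (!inside || $0 != "-----END " label "-----") fail("unexpected footer")
            if (prev < 1) fail("block has no content")
            inside = 0; next
        }
        {
            if (!inside) fail("text outside a PEM block")
            if ($0 ~ /^Proc-Type:.*ENCRYPTED/) fail("password-protected key")
            if (prev != -1 && prev != 64) fail("only the last line may be shorter than 64")
            if (length($0) > 64) fail("line longer than 64 characters")
            prev = length($0)
        }
        END {
            if (bad) exit 1
            if (inside) { print "missing END line"; exit 1 }
            if (!blocks) { print "no PEM block found"; exit 1 }
            print "ok: " blocks " block(s)"
        }
    ' "$1"
}

# Constructed sample: a two-certificate chain of filler digits, not real certificates.
sample=$(mktemp)
row=$(printf '%064d' 0)
printf '%s\n' "-----BEGIN CERTIFICATE-----" "$row" "MIIB" "-----END CERTIFICATE-----" \
    "-----BEGIN CERTIFICATE-----" "$row" "-----END CERTIFICATE-----" > "$sample"
pem_lint "$sample" cert   # ok: 2 block(s)
rm -f "$sample"
```

On OpenSSL 3.x, openssl genrsa and openssl rsa write the -----BEGIN PRIVATE KEY----- (PKCS#8) form by default; their -traditional option writes the -----BEGIN RSA PRIVATE KEY----- form that the rules above require.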

Certificate format conversion

HTTPS configuration supports only certificates in the PEM format. If your certificates are not in the PEM format, you must convert them from other formats to the PEM format. We recommend that you use OpenSSL to convert certificate formats. The following section describes how to convert certificates to the PEM format:

Conversion method

Description

DER to PEM

In most cases, the DER format is used for Java.

  • Certificate conversion:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • Private key conversion:

    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem

P7B to PEM

The P7B format is typically used for Windows Server and Tomcat.

  • Certificate conversion:

    openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

    In outcertificate.cer, extract the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and upload it as the certificate.

  • Private key conversion: P7B certificates do not have private keys. You only need to fill in the certificate section in the console, and the private key section can be left empty.

PFX to PEM

In most cases, the PFX format is used for Windows Server.

  • Certificate conversion:

    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

  • Private key conversion:

    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes