Flussonic Media Server documentation

Creating SSL cert with Digicert

This article explains how to request and configure an SSL certificate issued by the Digicert certificate authority.

We will create an SSL Plus certificate, so prepare your company information, including the company registration ID.

The procedure is as follows:

  • prepare a server with Linux and Flussonic Media Server;
  • generate a CSR (certificate signing request);
  • place a new order with Digicert;
  • provide the required information to their support upon request;
  • wait for the notification email;
  • download the generated certificate together with the intermediate certificate;
  • configure Flussonic Media Server;
  • check that everything is working.

Preparing server and hostname

We've created a server on the DigitalOcean cloud provider and configured the hostname digicert.erlyvideo.org for it.

maxbook:~ max$ ssh root@digicert.erlyvideo.org
The authenticity of host 'digicert.erlyvideo.org (104.236.104.195)' can't be established.
RSA key fingerprint is 7e:75:87:f0:f6:3b:74:19:35:42:f6:81:cd:7e:81:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'digicert.erlyvideo.org,104.236.104.195' (RSA) to the list of known hosts.
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-71-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Jan  8 12:41:46 EST 2016

  System load: 0.0                Memory usage: 9%   Processes:       50
  Usage of /:  10.6% of 19.56GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

The next step is to install Flussonic Media Server and put the license in place. Don't forget to request your license.

Now that Flussonic Media Server is installed, let's create the simplest configuration to check that everything is working. You need the following /etc/flussonic/flussonic.conf:

http 80;
rtmp 1935;
edit_auth flussonic letmein!;

stream clock {
  url fake://fake;
}

Save this configuration and launch Flussonic Media Server: /etc/init.d/flussonic start

Check that it is working on http://digicert.erlyvideo.org/clock/embed.html:

CSR generation

Now generate the CSR (a small block of encoded text) with the openssl tool:

root@digicert:~# cd /etc/flussonic
root@digicert:/etc/flussonic# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
...........+++
................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erlyvideo LLC
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:digicert.erlyvideo.org
Email Address []:digicert@erlyvideo.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remember to enter your own details here: not digicert.erlyvideo.org but your hostname, and not «Erlyvideo LLC» but your company name.

CN (common name) is the hostname. It must not include "http://" or "https://".

Let's take a look at the created CSR:

root@digicert:/etc/flussonic# cat server.csr 
-----BEGIN CERTIFICATE REQUEST-----
[...]
-----END CERTIFICATE REQUEST-----

We will need this CSR below.

You can also use https://www.digicert.com/easy-csr/openssl.htm, Digicert's online CSR generator. Choose whichever you find more convenient.

Next we must encrypt the SSL server key, because Flussonic Media Server requires the server key to be protected with the password 'flussonic':

root@digicert:/etc/flussonic# openssl rsa -des3 -in server.key -out flussonic.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Enter flussonic as the pass phrase here.
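Before pasting the CSR into the order form, it is worth confirming that it says what you intended and that it belongs to the key you just encrypted. The function below is an added example, not part of the Flussonic documentation; the name check_csr and its argument order are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the Flussonic documentation.
# check_csr CSR KEY PASSPHRASE HOSTNAME  ->  returns 0 if every check passes.
# On the server from this page:
#   check_csr server.csr flussonic.key flussonic digicert.erlyvideo.org
check_csr() {
  local csr=$1 key=$2 pass=$3 host=$4 cn csr_pub key_pub

  # 1. The CSR must parse and carry a valid self-signature. Match on the
  #    output text rather than relying on the exit status.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "FAIL: CSR signature does not verify"; return 1; }

  # 2. CN must be the bare hostname: no scheme, no path, not empty.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p')
  case $cn in
    ''|*://*|*/*) echo "FAIL: CN '$cn' is not a bare hostname"; return 1 ;;
  esac
  [ "$cn" = "$host" ] || { echo "FAIL: CN '$cn' is not '$host'"; return 1; }

  # 3. The passphrase-protected key must decrypt and hold the same public
  #    key as the CSR. The passphrase goes through the environment so it
  #    does not show up in the process list.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey)
  key_pub=$(KEY_PASS=$pass openssl pkey -in "$key" -passin env:KEY_PASS \
              -pubout 2>/dev/null) \
    || { echo "FAIL: cannot decrypt $key"; return 1; }
  [ "$csr_pub" = "$key_pub" ] || { echo "FAIL: key does not match CSR"; return 1; }

  # 4. The passphrase is a fixed, documented value, so file permissions are
  #    what actually protect the key: group and other must have no access.
  #    The same applies to the unencrypted server.key left by openssl req.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "FAIL: $key is accessible to group/other"; return 1; }

  echo "OK: CSR for $cn matches $key"
}
```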

New Digicert request

Visit the Digicert website and request an SSL certificate at https://www.digicert.com/order/order-1.php

Note that your price may be different, because Digicert provided us with a special free trial. Such a certificate is valid for a very short time and is not for production use.

Fill in the "common name" field with your hostname, the same one you specified when generating the CSR. Now tick the CSR checkbox, because you already have one. You will see a long list of different options; select the nginx one and paste your CSR into the second field:

Click "Continue" on each wizard form and fill in all other fields properly until you reach the end of the wizard, which tells you that the request has been accepted and a new order has been created:

Order validation

Digicert, being a respectable authority, will contact you to ensure that you have control over the domain.

In our case they also asked us to clarify the company registration ID. You should be ready for this.

After getting all the required information, they send an email asking you to verify the domain certificate creation:

You may select more fine-grained permissions, but here we will select the simpler one. After this email, the order moves to the next validation state:

Downloading certificate

After validating your request, Digicert will send an email with a download link.

Your order page will indicate that the order is 100% complete, because you have everything you need:

The link from the email leads to the order page with download options:

Here is a trick: choose «Other format» and select «Separate Primary and intermediate crt files».

You need two files: your certificate and the intermediate certificate. Their usage is explained below.

The browser will save the "AllCerts.zip" archive from Digicert.

Configuring Flussonic Media Server

First upload AllCerts.zip from your computer to the server running Flussonic Media Server:

maxbook:~ max$ scp ~/Downloads/AllCerts.zip root@digicert.erlyvideo.org:/etc/flussonic/
AllCerts.zip                                                                                    100% 5308     5.2KB/s   00:00    

Now go to the server and unzip this file (you may have to install the unzip utility on Ubuntu with apt-get -y install unzip):

root@digicert:~# cd /etc/flussonic/
root@digicert:/etc/flussonic# unzip AllCerts.zip 
Archive:  AllCerts.zip
   creating: certs/
  inflating: certs/DigiCertCA.crt    
  inflating: certs/digicert_erlyvideo_org.crt  
  inflating: certs/INSTALL_INSTRUCTIONS.en.txt  
  inflating: certs/INSTALL_INSTRUCTIONS.es.txt  
  inflating: certs/INSTALL_INSTRUCTIONS.it.txt  
  inflating: certs/INSTALL_INSTRUCTIONS.fr.txt  
  inflating: certs/INSTALL_INSTRUCTIONS.lt.txt  
root@digicert:/etc/flussonic# mv certs/DigiCertCA.crt flussonic-ca.crt
root@digicert:/etc/flussonic# mv certs/digicert_erlyvideo_org.crt flussonic.crt

We downloaded the zip file because we need two separate files: one with the server certificate itself (flussonic.crt) and a second with the chain of certificates (flussonic-ca.crt) that can be used to verify our certificate.
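A swapped pair of files, a certificate issued for a different key, or a trial certificate about to expire is easier to catch before the restart than after it. The function below is an added example, not part of the Flussonic documentation; the name check_install, its argument order and the 14-day default are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the Flussonic documentation.
# check_install CERT CHAIN KEY PASSPHRASE HOSTNAME [MIN_DAYS]
# On the server from this page:
#   check_install flussonic.crt flussonic-ca.crt flussonic.key flussonic \
#                 digicert.erlyvideo.org
check_install() {
  local crt=$1 chain=$2 key=$3 pass=$4 host=$5 days=${6:-14} crt_pub key_pub

  # 1. The two files must not be swapped: the server certificate's issuer
  #    has to be the subject of the first certificate in the chain file.
  [ "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$chain" -noout -subject | sed 's/^subject= *//')" ] \
    || { echo "FAIL: $chain did not issue $crt"; return 1; }

  # 2. The issuer's signature must verify. -partial_chain accepts the
  #    intermediate as trust anchor, since the root is not in the chain file.
  openssl verify -partial_chain -CAfile "$chain" "$crt" 2>/dev/null \
    | grep -q ': OK$' \
    || { echo "FAIL: $crt does not verify against $chain"; return 1; }

  # 3. The certificate must have been issued for the key Flussonic will load.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(KEY_PASS=$pass openssl pkey -in "$key" -passin env:KEY_PASS \
              -pubout 2>/dev/null) \
    || { echo "FAIL: cannot decrypt $key"; return 1; }
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL: key does not match certificate"; return 1; }

  # 4. The certificate must cover the hostname clients will connect to.
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $host"; return 1; }

  # 5. Short-lived (for example trial) certificates: require MIN_DAYS left.
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $days days"; return 1; }

  echo "OK: $crt, $chain and $key are consistent for $host"
}
```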

Now enable HTTPS in Flussonic by adding the line https 443; to /etc/flussonic/flussonic.conf and restart Flussonic Media Server:

root@digicert:/etc/flussonic# /etc/init.d/flussonic restart
Restarting
Stopping flussonic

Starting flussonic: ......done

Checking SSL

First let's visit the page with our fake stream, https://digicert.erlyvideo.org/clock/embed.html:

The browser will show that the certificate is valid if we click the green lock in the address bar:

The last check is to validate the connection with openssl from our computer:

maxbook:~ max$ openssl s_client -showcerts -connect digicert.erlyvideo.org:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=RU/ST=Moscow/L=Moscow/O=Erlyvideo LLC/CN=digicert.erlyvideo.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=Moscow/L=Moscow/O=Erlyvideo LLC/CN=digicert.erlyvideo.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3192 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FFA8316AFC8E3CCE0D34F3AEE94A0E5B6032CBA63898BF59B561729D67F00B90
    Session-ID-ctx: 
    Master-Key: 394AE1BAF1ADABF93E12C5656FAD55D9A9E35C18BE7AA74839D8F4BD83E3730720BFFB37745C551857B857B5CF36948E
    Key-Arg   : None
    Start Time: 1452282438
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

You must see Verify return code: 0 (ok) at the end.

It means that openssl has validated the whole chain of certificates, from your freshly installed one to the root.

Great! We have requested an SSL certificate from Digicert and installed it on our Flussonic streaming server.