Adding HTTPS Security to the LEADTOOLS Media Server

This topic outlines how to create a test certificate and add a certificate to the LEADTOOLS Media Server demo. The toolkit can support certificates in any store; however, the demo apps enumerate the stores "MY" ( displayed as "Personal" in the Windows consoles) and "Web Hosting". 

Secure streaming (HTTP over SSL) is disabled by default. To enable it, you need to do two things:

  1. Select the SSL port: either 443 (which is default) or an unused port (typically above 1024).
  2. Select a security certificate. Here you have two choices:
    1. Use a development certificate, which will be valid for initial testing, but not for a proper web site. You can obtain development certificates in two ways:
    1. Use a certificate generated by the Media Server demos (easiest)
    2. Manually creating a test certificate using a tool like makecert.
    2. Obtain a proper certificate from one of the recognized certificate authorities (like Symantec, Comodo, GoDaddy, etc).

If you use a development certificate, it will typically work for testing on the local computer. But in order to access the HTTPS stream from another computer, you will need to import the certificate used on the server on the client computer. The procedure differs from browser to browser, but will typically involve importing the server's certificate into the Trusted Certificate Authorities list.

Below you will find the steps for selecting a self-generated certificate.

Adding a Certificate to the LTMS Server Demo

Accessing a Secure Page

To access the demo html pages. Enter https://address:ssl_port/player.html in your browser.

If you access the web page from a computer other than the server using a development security certificate, you will need to import the development certificate used by the server into your browser's list of trusted certificates. See the Importing the Development Certificate note below for more details.

LTMS using HTTPS

Manually Creating a Test Certificate

If you do not have an SSL certificate and you wish to manually create one, the following steps illustrate how you can create one using Microsoft's makecert.exe utility.

NOTE: If you do not have VS2012, make sure you use a makecert.exe v4.5 or newer (included with VS2012 and up), which supports the sha256 algorithm.
Type "makecert -!" and make sure the algorithms listed for the -a option includes both sha256 and sha1. You can copy makecert.exe from another computer, but make sure it supports sha256. - Use makecert.exe to create a self-signed root certificate that can be used as a Certificate Authority. The certificate is automatically stored in the Trusted Root Certificates Authority (root) store:
makecert -sv signroot.pvk -cy authority -r signroot.cer -a sha256 -n "CN=Dev Certification Authority" -ss root -sr localmachine

signroot.pvk is the name of the generated private key file and is used to sign additional certificates. You may change this to suit your needs. It is needed in the next step as well.
signroot.cer is the name of the generated root certificate, and is used to sign additional certificates. It can also be imported into browsers to avoid a security warning when you access the server page. You may change this to suit your needs. It will be needed in the next step also.
Dev Certification Authority is the internal certificate name. This is the name that will display in any certificate viewer application. You may change this to suit your needs.

makecert -iv signroot.pvk -ic signroot.cer -a sha256 -cy end -pe -n CN="127.0.0.1" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange

makecert -iv signroot.pvk -ic signroot.cer -a sha256 -cy end -pe -n CN="LTMS Media Server" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange makecert command

Importing the Development Certificate on Client Computers

Development certificates will be recognized by browsers only when they run on the media server. To play a https stream on another computer, you will need to to import the development certificate used by the server as a Trusted Certificate Authority. Different browsers look to different places for certificates:

Also note that the browser checks the server certificate in negotiation and looks at the root authority that signed it. It needs that authority in its store in order to trust the signature. For more information on this, see Microsoft's topic on Manage Trusted Root Certificates for managing trusted root certificates for a local computer.

See Also

Media Streaming SDK Example Programs and Demos

Deploying Your Media Server

Help Version 20.0.2019.12.10
Products | Support | Contact Us | Intellectual Property Notices
© 1991-2019 LEAD Technologies, Inc. All Rights Reserved.

LEADTOOLS Media Streaming C API Help