Create a FairPlay .p12 file (JW Platform)

Learn how to generate a .p12 keystore file for use with FairPlay DRM

The .p12 keystore file is a component of FairPlay that helps ensure the security and integrity of protected content. A .p12 keystore file stores private keys and associated certificates for FairPlay. This password-protected file is used to sign and encrypt content for use with FairPlay.

You must create a .p12 file to add your FairPlay credential to a DRM-enabled JWP property.



Requirements

JWP

Item Notes
DRM entitlement Contact your JWP representative for more information.
DRM-enabled property See: Enable a property

Apple

You must request a FairPlay Streaming Deployment package from Apple.

Item Notes
ASK App secret key
Certificate A .cer certificate file
Password Private key password generated when requesting package from Apple
Private key A .pem private key file


Implementation

Use the following steps to produce a .p12 keystore file (called fairplay.p12), an ASK, and a keystore password. These resources are then uploaded to the Content Protection section of your DRM-enabled property in your JWP dashboard.

  1. Copy the following script and save it locally as create-fairplay-p12.sh.
#!/bin/bash 

function usage() {
    cat <<EOF

Usage: $0 -a <ASK> -c <certificate> -k <private-key> -p <private-key-password>

PARAMETERS:
    -a <ASK>                    The application secret key - often called the ASK.
    -c <certificate>            The certificate - should be a cer.
    -k <private-key>            The private key - should be a pem file.
    -p <private-key-password>   The password for the private key.

EXAMPLES:
  $0 -a "my-ask-value" -c fairplay.cer -k privatekey.pem -p "my-private-key-password"
EOF

exit 1;
}

while getopts "a:c:k:p:h" OPTION; do
    case "${OPTION}" in
        a)
            ASK=${OPTARG};;
        c)
            CERT=${OPTARG};;
        k)
            PRIVATE_KEY=${OPTARG};;
        p)
            PASS=${OPTARG};;
        h)
            usage;;
        *)
            usage;;
    esac
done
shift $((OPTIND-1))

if [ -z "$ASK" ] || [ -z "$CERT" ] || [ -z "$PRIVATE_KEY" ] || [ -z "$PASS" ]; then
    echo "ERROR: Missing parameter(s)"
    usage
fi

# First we must remove the password from the private key
openssl rsa -in $PRIVATE_KEY -out key.pem -passin pass:$PASS

# Then we need to convert the certificate from Apple into a pem
openssl x509 -inform der -in $CERT -out cert.pem

# now we can combined the private key and the cert into a password protected p12 
openssl pkcs12 -export -out fairplay.p12 -inkey key.pem -in cert.pem -passout pass:$PASS

echo -e "created fairplay.p12 file"
echo -e
echo -e "please use the following values (without quotes) when uploading fairplay.p12"
echo -e "Application Secret Key: \"$ASK\""
echo -e "Keystore Password: \"$PASS\""
  1. From the shell prompt, navigate to the folder in which create-fairplay-p12.sh has been saved.
  2. Run the following command. Refer to the notes in the script in step 1 to replace all the placeholders. The command will return the .p12 file.
./create-fairplay-p12.sh -a <ASK> -c <certificate> -k <private-key> -p <private-key-password>
  1. Add the .p12 file to the property.