Thanks for asking the question! As per your query:
Do I need a .der file? Or do I use the FairPlay.cer?
Yes, a .der/.cer file should be accessible by the player. Warning: this certificate should contain the public key but not the private key (of course).
FPS ACS Path: https://openidconnectweb.azurewebsites.net/Content/FPSAC.cer
Please note that since the test player is in JavaScript, it is subject to browser sandbox/CORS constraints.
This implies that when you host your public key cert (and put the URL in the FPS AC Path textbox), you must make sure you set the CORS policy properly on your hosting environment.
Clicking the “AC” (app cert) link and being able to download the cert content does not mean CORS is set up properly, since this is a manual test.
How is it exposed from my domain? Where is any documentation on this?
For the tests, you can use the Advanced player from here: Azure Media Test Tool (https://openidconnectweb.azurewebsites.net/AMTestPlayer) (click on player settings).
There is a field for the .cer file URL.
Where/how to store/secure the .pfx file?
Regarding the storage of the .pfx certificate in Key Vault: the issue was faced in a project, and we ended up storing the certificate as a base64 string as a secret (not as a certificate) in Azure Key Vault.
Hopefully, we published documentation and code in the Azure Architecture Center, for a project named Gridwich:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/media-services/gridwich-content-protection-drm#apple-fairplay-settings
The flow is:
- Certificate is converted to a base64 text file by the admin (example of a fake certificate in this format: https://github.com/mspnp/gridwich/blob/main/src/Gridwich.SagaParticipants.Publication.MediaServicesV3/tests/FakeFairPlayCert/FairPlay-out-base64.txt)
- This file is stored in Azure DevOps as a secure file
- When deploying the solution, the deployment pipeline copies the string to Azure Key Vault; the script is:
https://github.com/mspnp/gridwich/blob/main/infrastructure/azure-pipelines/templates/steps/azcli-last-steps-template.yml#L30
And what is the best way to test FairPlay DRM when you are on windows?
FairPlay testing requires any of the following Apple devices: iPhone, iPad, Mac, or Apple TV. Also, FairPlay is limited to iOS only.
Further, the product team is aware that using the hosted test tools and details from projects outside of the AMS doc tree is not a good long-term strategy, of course, and there is scope for a document update. Thanks again for sharing feedback on this; we will keep you posted accordingly.
Please let us know if any further query or issue remains.
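The answer above draws a line between two artifacts: the public .cer that is hosted for the player (and must never contain the private key) and the .pfx that Gridwich stores in Key Vault as a base64 secret. The following is an added example, not code from the answer or from the Gridwich project, showing a pre-publish check and the base64 secret round trip; the ASN.1 shape test (X.509 certificate = SEQUENCE { SEQUENCE ... }, PKCS#12/PKCS#8/PKCS#1 = SEQUENCE { INTEGER ... }) is a heuristic, and the sample blobs are constructed stand-ins, not real certificates.

```python
import base64
import re

def _skip_tlv_header(buf: bytes, off: int) -> int:
    """Return the offset of the first content byte of the DER TLV at `off`."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    length = buf[off + 1]
    if length < 0x80:                      # short-form length
        return off + 2
    n = length & 0x7F                      # long form: next n bytes carry the length
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad DER length")
    return off + 2 + n

def der_kind(der: bytes) -> str:
    """Heuristic: a certificate nests a SEQUENCE (tbsCertificate) first; .pfx,
    PKCS#8 and PKCS#1 key blobs start with an INTEGER version instead."""
    if not der or der[0] != 0x30:
        return "unknown"
    inner = _skip_tlv_header(der, 0)
    if inner >= len(der):
        return "unknown"
    return {0x30: "certificate", 0x02: "key-material"}.get(der[inner], "unknown")

_PEM = re.compile(rb"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)

def pem_or_der_to_der(data: bytes) -> bytes:
    """Accept a PEM-armoured .cer or raw DER; reject any PEM private-key block."""
    blocks = _PEM.findall(data)
    if not blocks:
        return data
    if any(b"PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("PEM contains private key material, not just a certificate")
    return base64.b64decode(b"".join(blocks[0][1].split()))

def validate_player_cert(data: bytes) -> bytes:
    """DER to host at the FPS AC Path; refuses anything resembling a .pfx or key."""
    der = pem_or_der_to_der(data)
    if der_kind(der) != "certificate":
        raise ValueError("not a public X.509 certificate: refusing to publish")
    return der

def encode_pfx_secret(pfx: bytes) -> str:
    """Key Vault representation used in the flow above: the .pfx as one base64 string."""
    return base64.b64encode(pfx).decode("ascii")

def decode_pfx_secret(secret: str) -> bytes:
    return base64.b64decode(secret, validate=True)

# Constructed stand-ins (NOT real certificates): they share only the outer ASN.1 shape.
FAKE_CERT_DER = bytes.fromhex("3006300402020100")   # SEQ { SEQ { INTEGER 256 } }
FAKE_PFX_DER = bytes.fromhex("3003020103")          # SEQ { INTEGER 3 } like PKCS#12 v3
PEM_CERT = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_CERT_DER) + b"\n-----END CERTIFICATE-----\n"
PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```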