Missing pieces in docs to finish Apple FairPlay setup

Sturla 176 Reputation points
2022-03-13T11:09:17.443+00:00

Good morning

I am trying to follow this guide here to set up Apple FairPlay but I am having some issues.

For one, I never get a .der file and it's unclear if it should even be created since you have ".cer/.der" in the doc.

But since I get a decryption error with my current setup I went looking in the examples and found this here that seems to be telling me that this .der file should be accessible from my site.

{ type: "FairPlay", certificateUrl: "//yourdomain/fairplay.der" }  

Is that correct? If so I need to create this file somehow...

I would also like to get your opinion on the storage of the .pfx file. I would not like to store it in my project but get it from Key Vault, but I can't upload it as a cert since it's 1024 and can only upload it as a secret if it doesn't have a password...

To summarise:

  1. Do I need a .der file? Or do I use the FairPlay.cer?
  2. But if I need it, how do I create it?
  3. How is it exposed from my domain? Where is any documentation on this?
  4. Where/how to store/secure the .pfx file?
  5. And what is the best way to test FairPlay DRM when you are on Windows?

Sorry for the length of this question. Hope you can assist me as soon as possible.

Azure Media Services
A group of Azure services that includes encoding, format conversion, on-demand streaming, content protection, and live streaming services.

3 answers

  1. SnehaAgrawal-MSFT 18,871 Reputation points
    2022-03-15T10:04:03.01+00:00

    Thanks for asking the question! As per your query:

    Do I need a .der file? Or do I use the FairPlay.cer?

    Yes, a .der/.cer file should be accessible by the player. Warning: this certificate should contain the public key but not the private key (of course).

    FPS ACS Path: https://openidconnectweb.azurewebsites.net/Content/FPSAC.cer

    Please note that the test player is in JavaScript and is hence subject to browser sandbox/CORS constraints.
    This implies when you host your public key cert (and put the URL in the FPS AC Path textbox), make sure you set the CORS policy properly on your hosting environment.
    Clicking the “AC” (app cert) link and being able to download the cert content does not mean the CORS is set up properly since this is a manual test.

    How is it exposed from my domain? Where is any documentation on this?

    For the tests, you can use the Advanced player from here : Azure Media Test Tool (https://openidconnectweb.azurewebsites.net/AMTestPlayer) (click on player settings)

    There is a field for the .cer file URL.

    Where/how to store/secure the .pfx file?

    Regarding the storage of the .pfx certificate in Key Vault, the issue was faced in a project and we ended up storing the certificate as a base64 string as a secret (not as a certificate) in Azure Key Vault.

    Hopefully, we published documentation and code in the Azure Architecture Center, for a project named Gridwich:
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/media-services/gridwich-content-protection-drm#apple-fairplay-settings

    The flow is:

    - Certificate is converted to a base64 text file by the admin (example of a fake certificate in this format: https://github.com/mspnp/gridwich/blob/main/src/Gridwich.SagaParticipants.Publication.MediaServicesV3/tests/FakeFairPlayCert/FairPlay-out-base64.txt)
    - This file is stored in Azure DevOps as a secure file
    - When deploying the solution, the deployment pipeline copies the string to Azure Key Vault; the script is
      https://github.com/mspnp/gridwich/blob/main/infrastructure/azure-pipelines/templates/steps/azcli-last-steps-template.yml#L30

    And what is the best way to test FairPlay DRM when you are on windows?

    FairPlay test requires any of the following Apple devices: iPhone, iPad, Mac, or Apple TV. Also, FairPlay is limited to iOS only.

    Further, the product team is aware that using the hosted test tools and details from projects outside of the AMS doc tree is not a good long-term strategy, of course, and there is scope for a document update. Thanks again for sharing feedback on this; we will keep you posted accordingly.

    Please let us know if any further query or issue remains.

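The base64-secret flow from the answer above, together with one way to produce the public-only file the player fetches, as an added example (not code from the answer or from Gridwich). The self-signed certificate, subject name and password are constructed stand-ins for the real FairPlay .pfx, and the Key Vault round trip is left out so the block runs offline.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed stand-in for the real FairPlay .pfx: a throwaway self-signed
// certificate with a private key (subject and password are sample values).
static byte[] MakeSamplePfx(string password)
{
    using var rsa = RSA.Create(2048);
    var req = new CertificateRequest("CN=sample-fps-cert", rsa,
        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow,
        DateTimeOffset.UtcNow.AddDays(1));
    return cert.Export(X509ContentType.Pfx, password);
}

// Admin side: the .pfx becomes one base64 line that can be stored as a secret.
static string ToSecretValue(byte[] pfx) => Convert.ToBase64String(pfx);

// Service side: rebuild the certificate, private key included, from the secret.
// (On .NET 9 and later, X509CertificateLoader.LoadPkcs12 replaces this constructor.)
static X509Certificate2 FromSecretValue(string secret, string password) =>
    new X509Certificate2(Convert.FromBase64String(secret), password);

// Player side: DER bytes of the certificate alone. X509ContentType.Cert never
// carries the private key, so this is the file that may be hosted publicly.
static byte[] ToPublicDer(X509Certificate2 cert) => cert.Export(X509ContentType.Cert);

const string password = "sample-password"; // in practice kept as a second secret
string secret = ToSecretValue(MakeSamplePfx(password));

using X509Certificate2 full = FromSecretValue(secret, password);
byte[] der = ToPublicDer(full);
using var hosted = new X509Certificate2(der);

Console.WriteLine($"secret length      : {secret.Length} chars");
Console.WriteLine($"pfx has private key: {full.HasPrivateKey}");
Console.WriteLine($"der has private key: {hosted.HasPrivateKey}");
Console.WriteLine($"same certificate   : {full.Thumbprint == hosted.Thumbprint}");

// The file to publish at the certificateUrl the player is given.
File.WriteAllBytes("fairplay.der", der);
```

Checking `HasPrivateKey` on the bytes that are about to be published is a cheap guard against hosting the .pfx itself by mistake.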

  2. Sturla 176 Reputation points
    2022-03-17T12:12:19.973+00:00

    Thank you for your answer.

    I'm currently going over it and see that when hitting the .cer file I'm getting a 404 error that indicates (according to this article) that the ASP.NET static file middleware doesn't understand the file type (there are 400 available).

    I have figured out part of the code to get to the .cer file

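    // requires: using Microsoft.AspNetCore.StaticFiles;
    var contentTypeProvider = new FileExtensionContentTypeProvider();
    // Indexer assignment sets or overrides the mapping; Mappings.Add throws if ".cer" is already mapped.
    contentTypeProvider.Mappings[".cer"] = "text/html"; // <-- What type? Should it be "application/x-x509-ca-cert" ?
    app.UseStaticFiles(new StaticFileOptions { ContentTypeProvider = contentTypeProvider });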
    

    Do you know what type this should be because when I have it like this the cert is always downloaded instead of displayed like yours is. Does that matter?

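A static-file setup for the certificate URL that covers both the content type asked about in this post and the CORS requirement from the first answer, as an added example (not code from the thread). The player origin is a placeholder, and the certificate is assumed to sit under wwwroot as the public-only .cer/.der file.

```csharp
using Microsoft.AspNetCore.StaticFiles;

var builder = WebApplication.CreateBuilder(args);

// Assumed origin of the page that hosts the player (placeholder value).
const string playerOrigin = "https://player.example.com";

builder.Services.AddCors(options =>
    options.AddDefaultPolicy(policy =>
        policy.WithOrigins(playerOrigin).WithMethods("GET")));

var app = builder.Build();

// CORS has to run before the static file middleware; otherwise files under
// wwwroot are returned without an Access-Control-Allow-Origin header and the
// JavaScript player cannot read the certificate.
app.UseCors();

var contentTypes = new FileExtensionContentTypeProvider();

// Indexer assignment works whether or not the extension is already mapped.
contentTypes.Mappings[".cer"] = "application/x-x509-ca-cert";
contentTypes.Mappings[".der"] = "application/x-x509-ca-cert";

// Drop the key-bearing formats so that a .pfx or .p12 copied into wwwroot by
// mistake is answered with 404 instead of being downloadable.
contentTypes.Mappings.Remove(".pfx");
contentTypes.Mappings.Remove(".p12");

app.UseStaticFiles(new StaticFileOptions
{
    ContentTypeProvider = contentTypes,
    ServeUnknownFileTypes = false // unmapped extensions are not served
});

app.Run();
```

The player reads the response body through script, so whether a browser tab displays or downloads the file does not affect it; the response status and the CORS header on a cross-origin request are what to verify.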

  3. Sturla 176 Reputation points
    2022-03-17T14:14:19.293+00:00

    OK, I don't really know what to do...

    I just get the following error when I try to add { "type": "FairPlay", certificateUrl: "@Model.FairplayCerFile", "authenticationToken": "@Model.Token" } to the player and play it on my iPhone.

    The video playback was aborted due to a corruption problem or because the video used features your browser did not support (0x50400000)

    Am I using this correctly in the player? This is my cer file and I have a token and everything works just fine for PlayReady...

    184223-videosetup.png
