FairPlay Certificate Registration Tutorial


To use Apple’s FairPlay Streaming (FPS) DRM, a content service provider should acquire FPS Deployment Package from Apple and register the below data with PallyCon service.

- FPS Certificate file (.der or .cer)
- Private key file (.pem)
- Private key password string
- Application secret key (ASK) string

This document will guide you step by step to ensure that your process is accurate.

Step 1: Sign up Apple Developer Account and Request Deployment Package

You need Apple developer account to get the FPS Deployment Package. Sign up for the account on the below site if you don’t have one.

Click ‘Request Deployment Package’ link at the bottom of FairPlay Streaming website and log in with your Apple developer account.

If you apply for the Deployment Package according to the input form, you will be issued a package containing the FPS Credential Creation Guide document after Apple’s confirmation.

During the application process, you will be asked if you have completed the implementation and testing of the Key Server Module (KSM). This can be answered by saying, ‘I am using a 3rd party DRM company and the company has already built and tested KSM’.

Step 2: Create Private Key and Certificate Signing Request(CSR)

Create a private key (privatekey.pem) file and a certificate signing request (certreq.csr) file by referring to the guide document in the package. The following describes OpenSSL method in Generating a Certificate Signing Request section of the guide.

OpenSSL must be installed on the PC or server environment where this process is performed.

  1. Create a private key (privatekey.pem) file
  • Run the following command to generate the private key:
openssl genrsa -aes256 -traditional -out privatekey.pem 1024
  • Enter any password for the private key and make a note of it for later use.
  • The password should be shorter than 32 characters.

The guide documentation on Apple’s developer site is based on an older version of openssl and provides the following certificate generation command.

openssl genrsa -aes256 -out privatekey.pem 1024 

The -traditional argument must be added to the command to avoid compatibility issues with the generated certificate.

  1. Create a certificate signing request file
  • Run the following command: The contents of the -subj parameter can be modified to suit your organization.
openssl req -new -sha1 -key privatekey.pem -out certreq.csr -subj "/CN=SubjectName/OU=OrganizationalUnit/O=Organization/C=US"
  • Enter the private key password from the above process.

Step 3: Create FPS Cert at Apple Developer Portal

  1. Log in to the Apple Developer Portal as shown below and go to the Certificate, IDs & Profiles menu.

  2. Press the + button on the menu screen to move to the Create a New Certificate screen.

  3. Select the FairPlay Streaming Certificate item and click the Continue button.

  4. Click Choose File, select the certreq.csr file created in the previous step and click the Continue button.

  5. Copy the Application Secret Key (ASK) string, record it separately, paste it in the space below and click the Continue button.

  6. A pop-up will appear to confirm that you have recorded the ASK string separately. Click the Generate button.

  7. When the above process is completed, the certificate created with FairPlay Streaming type will be displayed in the Certificate list.

  8. Click the Download button to save the FPS certificate file (fairplay.cer).

Step 4: Register FPS Cert at PallyCon Console Site

  1. Log in to PallyCon Console site.

  2. Go to DRM Setting screen under Multi-DRM menu.

  3. Click the Register button in the FPS Cert Registration section of Multi-DRM Settings.

  4. Enter the files (private key, certificate) and strings (private key password, ASK) created in the previous steps in the pop-up window.

If you did not add the -traditional parameter to the certificate generation command in step 1, you may encounter errors during the certificate registration process on PallyCon Console. In this case, please use the following command to register the converted certificate on PallyCon Console.

openssl pkey -in privatekey.pem -out privatekey2.pem -aes-256-cbc -traditional

Note: If you have performed Step #2 multiple times for testing, you may encounter a mismatch of certificate / key pairs or invalid private key passwords. Please be careful to register the correct data.

What’s Next

This completes the FairPlay Cert Registration Tutorial.

After the FPS Cert Registration, create FairPlay DRM-protected HLS content through Content Packaging and Integrate Client Player to check playback.

The download URL of FPS certification file is https://license-global.pallycon.com/ri/fpsKeyManager.do?siteId='Site_ID'. Input your Site_ID which is issued by PallyCon Cloud service. (4byte)