Chrome 59 introduced a new CDM security feature known as the Verified Media Path (VMP). The VMP requires the use of a Service Certificate. Axinom DRM provides endpoints to get such a certificate.

Verified Media Path

This article describes the changes to the Widevine Modular CDM client that came with the release of Chrome 59. The update applies to Chrome 59 and onwards.

What Changed?

Chrome 59 introduced a new CDM security feature known as the Verified Media Path (VMP). The VMP requires the use of a Service Certificate. If a Service Certificate does not exist, a Service Certificate Request will be initiated prior to every playback request.


The update was released on June 6, 2017.

Which Platforms?

Chrome on Desktop and Android starting from version 59.

What do I Need to Do?

Chrome Browser – Default Behavior

Nothing. By default, if a Service Certificate has not been explicitly set, a Service Certificate Request is initiated for each CDM session. The application treats the Service Certificate Request as a normal License Request and sends it to the /AcquireLicense endpoint. Axinom DRM Widevine Modular License Service responds with a Service Certificate Response which the application treats as a normal License Response.

Chrome Browser – Explicitly Setting the Service Certificate

The browser’s player application may also set the Service Certificate explicitly, pre-loading it prior to any License Request, so that no additional Service Certificate Request is executed for each CDM session. This is recommended, as it avoids a round-trip to the License Service.

Axinom DRM Widevine Modular License Service’s Service Certificate can be acquired at:

You cannot use the Service Certificate Response payload (described in the default behavior section) due to differences in the data structure. The appropriate Service Certificate shall be acquired as indicated above – GET /ServiceCertificate.

Setting the Service Certificate in the application can be accomplished by using the EME’s setServerCertificate() API with the following considerations:

  • setServerCertificate() should be called after the MediaKeys object is created but before creating sessions with mediaKeys.createSession(…).

  • The argument type is a BufferSource, which means either an ArrayBuffer or a Uint8Array is accepted. A hex-encoded or base64-encoded string is not accepted.

  • The method returns a Promise that is resolved or rejected when the operation is complete. Sessions should be created after the Promise resolves.
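
The sequence from the list above, as an added example that is not Axinom's or Chrome's own code. The function names and the injected `nav` and `fetchFn` parameters are hypothetical (in a page, pass `navigator` and `fetch`), and it assumes GET /ServiceCertificate returns the certificate as a raw binary body.

```javascript
// Added example. Dependencies are injected so the ordering can be exercised
// outside a browser; in a page pass `navigator` and `fetch`.

// setServerCertificate() takes a BufferSource; hex or base64 strings are rejected.
function toCertificateBytes(value) {
  if (typeof value === 'string') {
    throw new TypeError('Service Certificate must be binary, not an encoded string');
  }
  const bytes = value instanceof ArrayBuffer ? new Uint8Array(value)
    : ArrayBuffer.isView(value)
      ? new Uint8Array(value.buffer, value.byteOffset, value.byteLength)
      : null;
  if (!bytes || bytes.byteLength === 0) {
    throw new TypeError('Service Certificate must be a non-empty ArrayBuffer or typed array');
  }
  return bytes;
}

// certificateUrl: the License Service's GET /ServiceCertificate endpoint
// (the caller supplies the host).
// Assumption: the response body is the raw binary certificate.
async function createSessionWithServiceCertificate(nav, fetchFn, certificateUrl, configs) {
  // Download first, so a failed request never leaves MediaKeys half configured.
  const response = await fetchFn(certificateUrl);
  if (!response.ok) {
    throw new Error('Service Certificate download failed: HTTP ' + response.status);
  }
  const certificate = toCertificateBytes(await response.arrayBuffer());

  const access = await nav.requestMediaKeySystemAccess('com.widevine.alpha', configs);
  const mediaKeys = await access.createMediaKeys();

  // Resolves to false when the CDM does not support server certificates;
  // rejects when the certificate is invalid.
  const accepted = await mediaKeys.setServerCertificate(certificate);

  // Sessions are created only after the Promise above has settled.
  const session = mediaKeys.createSession();
  return { mediaKeys, session, accepted };
}
```
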

Shaka Player

The Shaka Player already supports calling this method at

An example of how Shaka Player can be configured to set the Service Certificate:

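var serverCertificate = new Uint8Array(...); // bytes from GET /ServiceCertificate
player.configure({ // player: an existing shaka.Player instance
  drm: {
    advanced: {
      'com.widevine.alpha': {
        serverCertificate: serverCertificate
      }
    }
  }
});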