Tutorials: Replace SSL certificates for a custom domain
You will need:
- Access to the server running 3CX
- Remote Desktop (Windows)
- SSH (Linux)
- The certificate and private key in PEM format
Your SSL authority needs to provide you with a public certificate and private key in PEM format.
We CANNOT assist on which authority to pick and how to obtain the certificates nor how to convert them to the correct file format, this is something outside of our scope.
Once you have the new certificates handy, you can then replace the old certificates as follows.
Connect with a file transfer client such as FileZilla using SSH root credentials to the phone system host.
Go to this folder: /var/lib/3cxpbx/Bin/nginx/conf/Instance1
Rename the existing certificate and key as follows to keep a copy just in case:
YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
YOURFQDN-key.pem => YOURFQDN-key.pem.OLD
Upload the new ones and name them with the same original file names as the old ones.
Connect with an SSH client such as PuTTY using SSH root credentials to the phone system host.
Run commands:
cd /var/lib/3cxpbx/Bin/nginx/conf/Instance1
chown phonesystem:phonesystem YOURFQDN-crt.pem
chown phonesystem:phonesystem YOURFQDN-key.pem
service nginx restart
Go to folder C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1
Rename the existing certificate and key as follow to keep a copy just in case:
YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
YOURFQDN-key.pem => YOURFQDN-key.pem.OLD
Copy and paste the new ones in this folder and name them with the same original file names as the old ones.
Go in Control Panel / Services / and restart "3CX Phone System Nginx Webserver" service.
Your web server has now been restarted with new certificate/key pair so you should already see the new expiry dates when browsing to your management console by clicking the Lock icon and checking the certificate properties.
Follow these last steps only if using SIP TLS:
- Log in as admin in your management console go in Settings / Security / Secure SIP
- Paste the contents of the public certificate in field Certificate, replacing previous.
- Paste the contents of the private key in the field Private Key, replacing previous.
Press "OK," then restart SIP service when prompted.
