3CX | Replace SSL certificates for a custom domain

Prerequisites

You will need:
- Access to the server running 3CX
- Remote Desktop (Windows)
- SSH (Linux)
- The certificate and private key in PEM format

Your SSL authority needs to provide you with a public certificate and private key in PEM format.

We CANNOT assist on which authority to pick and how to obtain the certificates nor how to convert them to the correct file format, this is something outside of our scope.

Once you have the new certificates handy, you can then replace the old certificates as follows:

For Linux:

1. Connect with a file transfer client such as FileZilla using SSH root credentials to the phone system host.

2. Go to folder /var/lib/3cxpbx/Bin/nginx/conf/Instance1

3. Rename the existing certificate and key as follow to keep a copy just in case:

YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
YOURFQDN-key.pem => YOURFQDN-key.pem.OLD

4. Upload the new ones and name them with the same original file names as the old ones.

5. Connect with an SSH client such as PuTTY using SSH root credentials to the phone system host.

6. Run commands:

cd /var/lib/3cxpbx/Bin/nginx/conf/Instance1
chown phonesystem:phonesystem YOURFQDN-crt.pem
chown phonesystem:phonesystem YOURFQDN-key.pem
service nginx restart

For Windows:

1. Connect on the machine and run Windows Explorer.

2. Go to folder C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1

3. Rename the existing certificate and key as follow to keep a copy just in case:

YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
YOURFQDN-key.pem => YOURFQDN-key.pem.OLD

4. copy-paste the new ones in this folder and name them with the same original file names as the old ones.

5. Go in Control Panel / Services / and restart service "3CX Phone System Nginx Webserver".

Your web server has now been restarted with new certificate/key pair so you should already see the new expiry dates when browsing to your management console by clicking the Lock icon and checking the certificate properties.

Follow these last steps only if using SIP TLS:
- Log in as admin in your management console go in Settings / Security / Secure SIP
- Paste the contents of the public certificate in field Certificate, replacing previous.
- Paste the contents of the private key in the field Private Key, replacing previous.
- Press OK, restart SIP service when prompted.

3CX | Replace SSL certificates for a custom domain

3CX | Replace SSL certificates for a custom domain

Prerequisites

For Linux:

1. Connect with a file transfer client such as FileZilla using SSH root credentials to the phone system host.

2. Go to folder /var/lib/3cxpbx/Bin/nginx/conf/Instance1

3. Rename the existing certificate and key as follow to keep a copy just in case:

4. Upload the new ones and name them with the same original file names as the old ones.

5. Connect with an SSH client such as PuTTY using SSH root credentials to the phone system host.

6. Run commands:

For Windows:

1. Connect on the machine and run Windows Explorer.

2. Go to folder C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1

3. Rename the existing certificate and key as follow to keep a copy just in case:

4. copy-paste the new ones in this folder and name them with the same original file names as the old ones.

5. Go in Control Panel / Services / and restart service "3CX Phone System Nginx Webserver".

Related Content

Posts

Tutorials

Videos