3CX | Replace SSL certificates for a custom domain

Tutorials / 3CX /
  • 3CX | Replace SSL certificates for a custom domain
  • 3CX | Replace SSL certificates for a custom domain


    Prerequisites

    • You will need:
      • Access to the server running 3CX
      • Remote Desktop (Windows)
      • SSH (Linux)
      • The certificate and private key in PEM format

    Your SSL authority needs to provide you with a public certificate and private key in PEM format.

    We CANNOT assist on which authority to pick and how to obtain the certificates nor how to convert them to the correct file format, this is something outside of our scope.

    Once you have the new certificates handy, you can then replace the old certificates as follows:

    For Linux:

    1. Connect with a file transfer client such as FileZilla using SSH root credentials to the phone system host.

    2. Go to folder /var/lib/3cxpbx/Bin/nginx/conf/Instance1

    3. Rename the existing certificate and key as follow to keep a copy just in case:

    YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
    YOURFQDN-key.pem => YOURFQDN-key.pem.OLD
    

    4. Upload the new ones and name them with the same original file names as the old ones.

    5. Connect with an SSH client such as PuTTY using SSH root credentials to the phone system host.

    6. Run commands:

    • cd /var/lib/3cxpbx/Bin/nginx/conf/Instance1
    • chown phonesystem:phonesystem YOURFQDN-crt.pem
    • chown phonesystem:phonesystem YOURFQDN-key.pem
    • service nginx restart

    For Windows:

    1. Connect on the machine and run Windows Explorer.

    2. Go to folder C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1

    3. Rename the existing certificate and key as follow to keep a copy just in case:

    YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
    YOURFQDN-key.pem => YOURFQDN-key.pem.OLD
    

    4. copy-paste the new ones in this folder and name them with the same original file names as the old ones.

    5. Go in Control Panel / Services / and restart service "3CX Phone System Nginx Webserver".


    Your web server has now been restarted with new certificate/key pair so you should already see the new expiry dates when browsing to your management console by clicking the Lock icon and checking the certificate properties.

    • Follow these last steps only if using SIP TLS:
      • Log in as admin in your management console go in Settings / Security / Secure SIP
      • Paste the contents of the public certificate in field Certificate, replacing previous.
      • Paste the contents of the private key in the field Private Key, replacing previous.
      • Press OK, restart SIP service when prompted.


    Related Content