Learning Hub / Tutorials / 3CX / Replace SSL certificates for a custom domain FAQs

Tutorials: Replace SSL certificates for a custom domain

You will need: * Access to the server running 3CX * Remote Desktop (Windows) * SSH (Linux) * The certificate and private key in PEM format

Your SSL authority needs to provide you with a public certificate and private key in PEM format.

We CANNOT assist on which authority to pick and how to obtain the certificates nor how to convert them to the correct file format, this is something outside of our scope.

Once you have the new certificates handy, you can then replace the old certificates as follows.

Connect with a file transfer client such as FileZilla using SSH root credentials to the phone system host.

Go to this folder: /var/lib/3cxpbx/Bin/nginx/conf/Instance1

Rename the existing certificate and key as follows to keep a copy just in case:

YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD

YOURFQDN-key.pem => YOURFQDN-key.pem.OLD

Upload the new ones and name them with the same original file names as the old ones.

Connect with an SSH client such as PuTTY using SSH root credentials to the phone system host.

Run commands:

cd /var/lib/3cxpbx/Bin/nginx/conf/Instance1

chown phonesystem:phonesystem YOURFQDN-crt.pem

chown phonesystem:phonesystem YOURFQDN-key.pem

service nginx restart

Go to folder C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1

Rename the existing certificate and key as follow to keep a copy just in case:

YOURFQDN-crt.pem => YOURFQDN-crt.pem.OLD
    
YOURFQDN-key.pem => YOURFQDN-key.pem.OLD

Copy and paste the new ones in this folder and name them with the same original file names as the old ones.

Go in Control Panel / Services / and restart "3CX Phone System Nginx Webserver" service.

Your web server has now been restarted with new certificate/key pair so you should already see the new expiry dates when browsing to your management console by clicking the Lock icon and checking the certificate properties.

Follow these last steps only if using SIP TLS:

Log in as admin in your management console go in Settings / Security / Secure SIP

Paste the contents of the public certificate in field Certificate, replacing previous.

Paste the contents of the private key in the field Private Key, replacing previous.

Press "OK," restart SIP service when prompted.

Learning Hub / Tutorials / 3CX / Replace SSL certificates for a custom domain FAQs