Renewing certificate for 3cx v15 nginx webserver

Discussion in '3CX Phone System - General' started by schmork, Feb 12, 2018.

Thread Status:
Not open for further replies.
  1. schmork

    Joined:
    Dec 20, 2017
    Messages:
    7
    Likes Received:
    7
    I could not find any information for my scenario to renew the ssl certificate so I thought I would post this in case it helps anyone else. If anyone knows of an easier way to do this let me know.

    We use a multi-domain ssl certificate that is generated from our main web server that we export to each server. On version 14 we were using IIS so it was easy to install the new certificate. When we upgraded to v15 we now had to use the nginx webserver that came with 3cx. The upgrade process took the certificate from IIS and installed it for nginx to use. Our SSL certificate has now expired and we had to install the new certificate in nginx.

    In order to complete this process you will need the OpenSSL CSRGen download.
    https://downloads.3cx.com/downloads/misc/csrgen.zip

    1. Import the new certificate to IIS using the exported .pfx file
    2. Start the Microsoft Management Console > Run mmc.exe
    3. Click the 'Console' menu and then click 'Add/Remove Snap-in'.
    4. Select 'Certificates' and click 'Add'.
    5. Select 'Computer Account' then click 'Next'.
    6. Select 'Local Computer' and then click 'OK'.
    7. Click 'Close' and then click 'OK'.
    8. Expand the menu for 'Certificates' and click on the 'Personal' folder.
    9. Right click on the certificate that you want to export and select 'All tasks' > 'Export'.
    10. A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file. Save this file into the extracted CSR Generator folder

    11. Open an command prompt and change to the CSR Generator folder
    12. Export the private key by running the command
      openssl pkcs12 -in filename.pfx -nocerts -out key.pem
      Change filename.pfx to what you named the file in step 10. You will be asked to enter a password to secure this file, you will need it for step 14
    13. Export the certificate file by running the command
      openssl pkcs12 -in filename.pfx -clcerts -nokeys -out phoneserver.domain.com-crt.pem
      Change filename.pfx to what you named the file in step 10. Change phoneserver.domain.com to what your hostname is for your SSL certificate.
    14. Remove the password from the private key you made instep 12
      openssl rsa -in key.pem -out phoneserver.domain.com-key.pem
      Change phoneserver.domain.com to what your hostname is for your SSL certificate.
    15. Make a backup of the current keys in C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1 and then Copy phoneserver.domain.com-crt.pem and phoneserver.domain.com-key.pem to C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1
    16. Restart "3cx PhoneSystem Ngnix Server" service
    Your new certificate will now work with the nginx webserver. If the service does not start back up, there is a problem with your keyfile or certificate file. Replace the original .pem files and start the service again and then repeat this process.
     
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,375
    Likes Received:
    278
    Thank you for sharing, i am sure a lot of people will find this useful.
     
  3. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    Yes thank you, I was struggling with this. Between step 14 & 15, I also needed to concatenate the new certificate file with the CA intermediate certificate.
     
Thread Status:
Not open for further replies.