After searching the forum here, I saw that someone said that the common name (CN) field in the server certificate (used at the 3CX server end) must be set to the IP address of the 3CX "proxy". I didn't want to hardwire the cert to an IP... what if your IP addresses change (as mine did in a network reorg recently)? You would have to throw away that cert and pay for another, or re-gen it if you're using self-signed certs. Turns out that the CN field can be (and probably should be) the domain name of your 3CX switch (e.g. "sip.xyz.com"), at least when using various softphones that support TLS. The only reason for using a cert that's hard-bound to an IP address is if your TLS-capable SIP phones can't be set up with a domain name for the proxy or don't use the domain name for TLS initiation. You still need to name the cert files domain_cert_nn.nn.nn.nn.pem and domain_key_nn.nn.nn.nn.pem because 3CX does not do a reverse lookup on its own IP address to get its domain name (understandable because REV records are often wrong, and maybe the SRV records override, etc.). So if your IP changes, you have to change those file names, but at least you don't have to get/gen a whole 'nother cert!
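The rename-on-IP-change step described in the post, as an added example that is not part of the original post and is not 3CX's own tooling. It assumes the `openssl` command-line tool is installed; the function names and the script name `rename_cert.sh` are hypothetical, and only the `domain_cert_<ip>.pem` / `domain_key_<ip>.pem` naming and the sample name `sip.xyz.com` come from the post.

```shell
#!/bin/sh
# Added example. The file-name pattern is the one given in the post; the
# function names and the script name are hypothetical.

# make_cert DIR FQDN IP: self-signed cert with CN=<FQDN>, written under the
# IP-based file names the post describes.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/domain_key_$3.pem" -out "$1/domain_cert_$3.pem" 2>/dev/null
    chmod 600 "$1/domain_key_$3.pem"
}

# cert_cn FILE: print the CN from the certificate subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# cert_fingerprint FILE: SHA-256 fingerprint, to confirm the cert is unchanged.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# key_matches_cert DIR IP: succeed only if the key file pairs with the cert.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1/domain_cert_$2.pem")" = \
      "$(openssl pkey -pubout -in "$1/domain_key_$2.pem")" ]
}

# rename_for_ip DIR OLD_IP NEW_IP: move both files to the new IP's names,
# refusing to act on a missing source or an existing destination.
rename_for_ip() {
    for kind in cert key; do
        [ -f "$1/domain_${kind}_$2.pem" ] || return 1
        [ ! -e "$1/domain_${kind}_$3.pem" ] || return 1
    done
    for kind in cert key; do
        mv "$1/domain_${kind}_$2.pem" "$1/domain_${kind}_$3.pem" || return 1
    done
}

# Usage: sh rename_cert.sh DIR OLD_IP NEW_IP
if [ "$#" -eq 3 ]; then
    rename_for_ip "$1" "$2" "$3" && key_matches_cert "$1" "$3" &&
        echo "CN still $(cert_cn "$1/domain_cert_$3.pem")"
fi
```

After the rename, the fingerprint and CN are the same as before, so phones that validate against the domain name see the same certificate.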