We have previously written articles describing how to renew 3CX’s SSL certificate:
- Linux:https://3x.58voip.com/3cx-v15-v16-renewing-ssl-certificate-linux-server/
- Windows:https://3x.58voip.com/3cx-v15-renewing-ssl-certificate/
The certificates used here are for the Nginx server. Usually there are two files, a crt certificate file and a key key file.
In some cases, the certificate provided by the client is in PFX format, which has only one certificate file and also requires a password. This article describes how 3CX can update the PFX SSL certificate.
Install OPENSSL
Since we need to convert the PFX format to a format that 3CX can use, we need to use the OpenSSL software.
Download openssl here:https://slproweb.com/products/Win32OpenSSL.html
Download it and go all the way to the next step to complete the installation.
After the installation is complete open CMD and enter the following two lines of command:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path= C:\Program Files\OpenSSL-Win64\bin
If you change the installation path, you need to change the command above
Then we reopen CMD and type openssl version
to query the version.
The version is displayed correctly, indicating that the installation was successful!
Convert PFX format
Next, we switch the working path of CMD to the directory where PFX certificates are stored. And execute the following commands in order:
$ openssl pkcs12 -in [证书文件.pfx] -nocerts -out keyfile-encrypted.key
Then you will be asked to enter the password for the PFX certificate. and the PEM pass phrase. just enter the same password for both.
If the above command gives an error, it is because the openssl version is too new and you need to add a -legacy
parameter at the end.
$ openssl pkcs12 -in [证书文件.pfx] -nocerts -out keyfile-encrypted.key -legacy
Then enter the following command to decrypt the key file and enter the password:
$ openssl rsa -in keyfil-encrypted.key -out keyfile-decrypted.key
Finally, we’ll generate the certificate file:
$ openssl pkcs12 -in [证书文件.pfx] -clcerts -nokeys -out certificate.pem
If an error is reported still add the parameter -legacy
at the end.
$ openssl pkcs12 -in [证书文件.pfx] -clcerts -nokeys -out certificate.pem -legacy
SSL Renewal
This gives us two files:
- Certificate:certificate.pem
- Key:keyfile-decrypted.key
Next, replace the addresses of the files in the 3CX server with these two files and restart the Nginx service.
- Windows:C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1
- Linux:/var/lib/3cxpbx/Bin/nginx/conf/Instance1
If the phone is registered with TLS, you need to copy the certificate content into the 3CX Management Console -> Security -> Secure SIP.