Replacing the default SSL certificate on the reverse proxy

For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy for maximum security. If you are using VMR Scheduling for Exchange you must install your own certificates.

To replace the built-in X.509 SSL certificate on the reverse proxy with a custom-created certificate:

If you are using v5 (or earlier) of the OVA template, refer to the previous documentation for the appropriate instructions.

  1. Create a text file called pexip.pem which contains the following items in this specific order:

    • server certificate
    • server private key (which must be unencrypted)
    • one or more intermediate CA certificates (a server certificate will normally, but not always, have one or more intermediate CA certificates)

    Note that the contents MUST be in this specific order for the certificate to work properly.

    The first section with the server certificate should contain a single entry in the format:

    -----END CERTIFICATE-----

    The second section with the server private key should contain a single entry in the format (although it may instead show 'BEGIN RSA PRIVATE KEY'):

    -----BEGIN PRIVATE KEY-----
    <private key>
    -----END PRIVATE KEY-----

    Finally, there will normally be one or more intermediate CA certificates, where each intermediate has a section in the following format:

    -----END CERTIFICATE-----

  2. Using the SCP file transfer protocol, upload the pexip.pem file to the /tmp folder of the Reverse Proxy and TURN Server. This can be done using for instance WinSCP ( or the ’scp’ command-line utility for Linux/macOS, using a command such as:

    scp pexip.pem pexip@

  3. After the pexip.pem file has been transferred into the /tmp folder, connect over SSH to the reverse proxy, log in as user pexip and run the following commands, one at a time:

    sudo cp /etc/nginx/ssl/pexip.pem /etc/nginx/ssl/pexip.pem.backup

    sudo mv /tmp/pexip.pem /etc/nginx/ssl/pexip.pem

    sudo systemctl restart nginx

    Note that sudo systemctl restart nginx will restart the reverse proxy application and therefore interrupt the service briefly.

After these commands have been run, the reverse proxy should now be operational and using the new certificate.

If any problem occurs with the replaced certificate, the previous certificate can be restored using the following commands:

sudo cp /etc/nginx/ssl/pexip.pem.backup /etc/nginx/ssl/pexip.pem

sudo systemctl restart nginx

If you rerun the installation wizard you are given the option Do you want to regenerate a new SSL certificate? Ensure that you answer "no" to this option if you want to preserve your own certificate.