Replacing the default SSL certificate on the reverse proxy

For conferencing services, we recommend that you install your own SSL/TLS certificates on the reverse proxy and TURN server for maximum security. If you are using VMR Scheduling for Exchange, you must install your own valid certificates.

To replace the built-in X.509 SSL certificate on the reverse proxy with a custom-created certificate:

  1. Create a text file called pexip.pem which contains the following items in this specific order:

    • server certificate
    • server private key (which must be unencrypted)
    • one or more intermediate CA certificates (a server certificate will normally, but not always, have one or more intermediate CA certificates)

    Note that the contents MUST be in this specific order for the certificate to work properly.

    The first section with the server certificate should contain a single entry starting and ending with the following:

    -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----

    The second section with the server private key should contain a single entry starting and ending with the following (although it may instead show 'BEGIN RSA PRIVATE KEY'):

    -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY-----

    Finally, there will normally be one or more intermediate CA certificates, where each intermediate has a section starting and ending with:

    -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----

  2. Using the SCP file transfer protocol, upload the pexip.pem file to the /tmp folder of the Reverse Proxy and TURN Server. You can do this with, for instance, WinSCP (www.winscp.net) or the 'scp' command-line utility for Linux/Mac OS X, using a command such as:

    scp pexip.pem pexip@198.51.100.130:/tmp

  3. After the pexip.pem file has been transferred into the /tmp folder of the reverse proxy, connect over SSH to the reverse proxy, log in as user pexip and run the following commands, one at a time:

    sudo cp /etc/nginx/ssl/pexip.pem /etc/nginx/ssl/pexip.pem.backup

    sudo mv /tmp/pexip.pem /etc/nginx/ssl/pexip.pem

    sudo systemctl restart nginx

    Note that restarting nginx restarts the reverse proxy application and therefore interrupts the service briefly.

After these commands have been run, the reverse proxy should now be operational and using the new certificate.
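
A pre-upload check for the file built in step 1, as an added example that is not part of the original documentation: it verifies the block order and that the key is unencrypted, and (assuming openssl is installed on the machine where you build the file) that the private key belongs to the server certificate. The script and function names are hypothetical.

```sh
#!/bin/sh
# Added example, not vendor code. Usage: sh check_pexip_pem.sh pexip.pem
# Script and function names are hypothetical.

# Print the label of each PEM block in file order, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Return 0 only if the file has the order required in step 1:
# server certificate, unencrypted private key, then CA certificates.
check_pem_order() {
    file=$1
    # Encrypted keys show a Proc-Type header (legacy) or an ENCRYPTED label (PKCS#8).
    if grep -q -e '^Proc-Type:.*ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo "private key is encrypted" >&2
        return 1
    fi
    n=0
    for label in $(pem_labels "$file" | tr ' ' '_'); do
        n=$((n + 1))
        case "$n:$label" in
            1:CERTIFICATE) ;;
            2:PRIVATE_KEY | 2:RSA_PRIVATE_KEY) ;;
            1:* | 2:*) echo "block $n is $label" >&2; return 1 ;;
            *:CERTIFICATE) ;;
            *) echo "block $n is $label, expected a CA certificate" >&2; return 1 ;;
        esac
    done
    [ "$n" -ge 2 ] || { echo "need a certificate and a private key" >&2; return 1; }
}

# Return 0 if the private key belongs to the first certificate (requires openssl).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass:) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run both checks when a file is given on the command line.
if [ "$#" -ge 1 ]; then
    check_pem_order "$1" && key_matches_cert "$1" && echo "$1: OK"
fi
```

Running the check before step 2 catches a misordered or mismatched file while the working certificate is still in place, so nginx is never restarted against a file it cannot load.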

If any problem occurs with the replaced certificate, the previous certificate can be restored using the following commands:

sudo cp /etc/nginx/ssl/pexip.pem.backup /etc/nginx/ssl/pexip.pem

sudo systemctl restart nginx

If you rerun the installation wizard, you are given the option "Do you want to regenerate a new SSL certificate?". Ensure that you answer "no" to this option if you want to preserve your own certificate.