
Replacing the default SSL certificate on the reverse proxy

To replace the built-in X.509 SSL certificate on the reverse proxy with a custom-created certificate, follow this procedure:

  1. Create a text file called pexip.pem which contains the following items in this specific order:

    • server certificate
    • server private key (which must be unencrypted)
    • one or more intermediate CA certificates (a server certificate will normally, but not always, have one or more intermediate CA certificates)

    Note that the contents MUST be in this specific order for the certificate to work properly.

    The first section with the server certificate should contain a single entry starting and ending with the following:

    -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----

    The second section with the server private key should contain a single entry starting and ending with the following (although it may instead show 'BEGIN RSA PRIVATE KEY'):

    -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY-----

    Finally, there will normally be one or more intermediate CA certificates, where each intermediate has a section starting and ending with:

    -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----

  2. Using the SCP file transfer protocol, upload the pexip.pem file to the /tmp folder of the Reverse Proxy and TURN Server. This can be done using, for instance, WinSCP (www.winscp.net) or the 'scp' command-line utility for Linux/Mac OS X, with a command such as:

    scp pexip.pem pexip@198.51.100.130:/tmp

  3. After the pexip.pem file has been transferred into the /tmp folder of the reverse proxy, connect over SSH to the reverse proxy, log in as user pexip and run the following commands, one at a time:

    sudo cp /etc/nginx/ssl/pexip.pem /etc/nginx/ssl/pexip.pem.backup

    sudo mv /tmp/pexip.pem /etc/nginx/ssl/pexip.pem

    sudo service nginx restart

    Note that sudo service nginx restart will restart the reverse proxy application and therefore interrupt the service briefly.

After these commands have been run, the reverse proxy should now be operational and using the new certificate.
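
The ordering and unencrypted-key requirements from step 1 can be checked on the workstation before the upload in step 2. The following is an added example, not part of the original procedure; the function names pem_order, check_pexip_pem and key_matches_cert are hypothetical, and key_matches_cert assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for pexip.pem (function names are hypothetical).

# pem_order FILE: print one letter per PEM block, in file order.
#   C = certificate, K = unencrypted private key, E = encrypted key, ? = other
pem_order() {
    awk '
        /^-----BEGIN / {
            if ($0 ~ /ENCRYPTED PRIVATE KEY-----/)   t = "E"
            else if ($0 ~ /PRIVATE KEY-----/)        t = "K"
            else if ($0 ~ /BEGIN CERTIFICATE-----/)  t = "C"
            else                                     t = "?"
            next
        }
        # Legacy "BEGIN RSA PRIVATE KEY" blocks mark encryption in a header line.
        /^Proc-Type:.*ENCRYPTED/ { t = "E" }
        /^-----END / { printf "%s", t }
        END { print "" }
    ' "$1"
}

# check_pexip_pem FILE: succeed only for server certificate, then unencrypted
# key, then zero or more intermediate CA certificates.
check_pexip_pem() {
    order=$(pem_order "$1") || return 2
    case "$order" in
        *E*)  echo "private key is encrypted" >&2; return 1 ;;
        *\?*) echo "unexpected PEM block in file" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$order" | grep -Eq '^CKC*$'; then
        echo "wrong block order: '$order' (expected C, K, then C...)" >&2
        return 1
    fi
}

# key_matches_cert FILE: succeed when the private key belongs to the first
# (server) certificate. Assumes the openssl command-line tool is installed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_pexip_pem pexip.pem && key_matches_cert pexip.pem
```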

If any problem occurs with the replaced certificate, the previous certificate can be restored using the following commands:

sudo cp /etc/nginx/ssl/pexip.pem.backup /etc/nginx/ssl/pexip.pem

sudo service nginx restart