SSL Certificate Manual Update for 3CX FQDNs
Author: Kevin Attard Compagno, Partner Communications Manager, 3CX
Posted on: February 24th, 2026
Encrypted connectivity is critical for any 3CX deployment. Normally, SSL certificates for 3CX-provided FQDNs are automatically renewed to maintain security. However, if the auto-renewal fails, you will need to manually update the certificate to restore secure connectivity.
Why Auto-Renewal May Fail
Common reasons for auto-renewal failures include:
- Firewall restrictions blocking the 3CX server from reaching the renewal service
- Internet connectivity issues during the renewal attempt
Before proceeding, confirm whether your certificate has expired.
Confirming Certificate Expiry
On Windows PowerShell:
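# Replace the placeholder with your 3CX FQDN
$uri = "https://<your-3cx-fqdn>"
$req = [Net.HttpWebRequest]::Create($uri)
# An expired certificate makes GetResponse() throw; the certificate is still captured
try { $req.GetResponse() | Out-Null } catch {}
$req.ServicePoint.Certificate.GetExpirationDateString()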
On Linux command line:
URI="https://<your-3cx-fqdn>"   # replace the placeholder with your 3CX FQDN
curl -Ikv "$URI" 2>&1 | grep "expire"
If the output shows a past date, the certificate has expired and requires renewal.
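The Linux check above can be turned into a scheduled test that flags a certificate before it expires, so a failed auto-renewal is noticed early. This is an added example, not 3CX code; it assumes GNU date and a curl build that prints an "expire date:" line, and the function names, the 14-day window and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not 3CX code). Assumes GNU date and a curl build that prints
# an "expire date:" line in verbose output, as the command on this page expects.

# Read `curl -Ikv` output on stdin and print the certificate expiry as a Unix epoch.
cert_expiry_epoch() {
    expiry=$(sed -n 's/^.*expire date: *//p' | head -n 1)
    [ -n "$expiry" ] || return 1          # no TLS handshake details in the output
    date -u -d "$expiry" +%s
}

# Print EXPIRED, RENEW_SOON or OK for an expiry epoch, the current epoch and a
# warning window in days.
cert_status() {
    exp=$1; now=$2; warn_days=$3
    if [ "$exp" -le "$now" ]; then
        echo "EXPIRED"
    elif [ $(( (exp - now) / 86400 )) -lt "$warn_days" ]; then
        echo "RENEW_SOON"
    else
        echo "OK"
    fi
}

# Usage: ./check-3cx-cert.sh "https://<your-3cx-fqdn>"   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    exp=$(curl -Ikv "$1" 2>&1 | cert_expiry_epoch) || { echo "no certificate seen"; exit 2; }
    status=$(cert_status "$exp" "$(date +%s)" 14)
    echo "$1: $status (expires $(date -u -d "@$exp"))"
    [ "$status" = "OK" ] || exit 1      # non-zero exit lets cron or monitoring alert
fi
```

Run from cron or a monitoring agent, a non-zero exit code signals that the manual renewal procedure is needed.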
Manually Triggering SSL Certificate Renewal
- Set the temporary parameter in 3CX Admin Console
  - Navigate to: Admin → Advanced → Parameters
  - Search for the custom parameter TEMPORARY_SELF_SIGNED_CERTIFICATE_GENERATED and set its value to 1
  - If the parameter does not exist, click Add to create it
- Run the renewal procedure
  On Windows (run CMD as Administrator):
  "C:\Program Files\3CX Phone System\Bin\PbxConfigTool.exe" -renew-certificates
  On Linux:
  sudo -u phonesystem /usr/lib/3cxpbx/PbxConfigTool -renew-certificates
- Wait for the renewal to complete
  - Approximately 5 minutes is a safe wait time
- Restart the Nginx service
  On Windows:
  sc stop "3CX PhoneSystem Nginx Server" && timeout /nobreak /t 5
  sc start "3CX PhoneSystem Nginx Server"
  On Linux:
  sudo service nginx restart
Verifying the Renewal
After completing the steps, confirm that the certificate has been updated using the same commands described in the “Confirming Certificate Expiry” section. The expiry date should reflect the new certificate.
By following these steps, you ensure that your 3CX system maintains encrypted, secure connectivity—even if the automatic renewal process fails.