Please reload


Please reload

How To: Replacing the default certificate

June 16, 2020

Some of our users prefer to use a certificate generated from their own organization. It increases the chain of trust, and it is easy for Pia Software to support this. We ship our product with a signed certificate from Let's Encrypt that automatically renews itself periodically.


The Flow Logs Viewer runs an nginx web server on top of Ubuntu. 


Digital Ocean provides a great tutorial on SSL Setup end-to-end in case you want to understand the steps in more detail:


Here are some abbreviated steps to help you modify our existing nginx installation with your own certificate:


Step 1:

If applicable, SCP your desired certificate onto the box:

$ scp *.pem ubuntu@<your public ip>:/tmp


Step 2:

SSH into the box:

$ ssh ubuntu@<your public ip>


Step 3:

Move the certificate into an appropriate location and change permissions on it:

$ sudo mkdir /etc/ssl/certs/

$ sudo mv /tmp/*.pem /etc/ssl/certs/

$ sudo chown -R root:root /etc/ssl/certs/
$ sudo chmod -R 600 /etc/ssl/certs/


Step 4:

Modify nginx.conf to point to your new certificates, taking a backup first:

$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

$ sudo vi /etc/nginx/nginx.conf


remove the following four lines:

ssl_certificate /etc/letsencrypt/live/; 
ssl_certificate_key /etc/letsencrypt/live/; 
include /etc/letsencrypt/options-ssl-nginx.conf; 
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 


If there is any confusion about the ssl_certificate and ssl_certificate_key , please see the link to Digital Ocean above to generate it.


Add these lines and insert the path to your certificate:

ssl_certificate /etc/ssl/certs/<path to your certificate>

ssl_certificate_key /etc/ssl/certs/<path to your certificate key file>

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;



Save and exit vi with:

ESC + :wq


Step 5:

Check the configuration file for errors:

$ sudo nginx -t


This will check the config file for errors and give you an opportunity to fix them before restarting nginx and potentially making content unavailable


Step 6:

Modify application.rb configuration file:

$ vi /home/ubuntu/flowlogviewer/current/config/application.rb

on line 29, change config.use_bundled_cert to:

config.use_bundled_cert = true


Save and exit vi with: ESC + :wq


Step 7:
Restart nginx and flowlogsviewer:

$ sudo systemctl restart nginx

$ sudo systemctl restart


Step 8:

Browse to your instance and verify proper certificate setup with your browser:


https://<your public ip>

Please reload

Recent Posts

Please reload

(804) 5050PIA

(804) 505-0742

  • Pia Software on LinkedIn
  • Pia Software on Twitter
  • PiaSoftware on Facebook

©2017 BY PIA SOFTWARE.  All rights reserved.