signalwire · lurimax-north · Oct 3, 2025
@@ -130,36 +130,61 @@ In order for the new certificate to take effect (the only way for FreeSWITCH to
 
 **Note:** The name given for -cn and -alt should be the same as the DNS name of your freeswitch installation and used as the registrar name on the phone (at least on Polycoms). This is required for Eyebeam (and probably Pangolin too).
 
+
 #####  Review your certificate 
 
 You can review your certificate details with the command:
 
  openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/agent.pem
 
+#### Step 2 (Alternate) - Using a pre-generated certificate and key
+
+If you have your certificate generated by a different service, eg lets encrypt, you have to create your own certificate file to use. This file must be named `tls.pem` and must consist 
+of both your private key and certificate in the following format:
+
+```
+    -----BEGIN PRIVATE KEY-----
+    <privkey.pem>
+    -----END PRIVATE KEY-----
+    -----BEGIN CERTIFICATE-----
+    <fullchain.pem>
+    -----END CERTIFICATE-----
+```
+
+
+
 #### Step 3 - Sofia Profile Configuration
 
 Freeswitch requires only one file for acting as a TLS server and thats the agent.pem file. This contains the certificate and key it will use for listening. **Note it is extremely important that your agent.pem (and optionally cacert.pem) have read permissions for the user freeswitch will run as.** That means if you use -u freeswitch you want to "chmod 640 agent.pem cacert.pem" and "chown root.freeswitch agent.pem cacert.pem". Incorrect permissions will not allow the TLS listener to spin up properly. On your vars.xml:
 
-ATTENTION: TLS is disabled by default; set internal\_ssl\_enable and/or external\_ssl\_enable to "true" to enable.
-
-  \<!--
-      SIP and TLS settings.
-  -->
-  \<X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv23"/>
-
-  \<!-- Internal SIP Profile -->
-  \<X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
-  \<X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
-  \<X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
-  \<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
-  \<X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$$\{base_dir}/conf/ssl"/>
-
-  \<!-- External SIP Profile -->
-  \<X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
-  \<X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
-  \<X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
-  \<X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
-  \<X-PRE-PROCESS cmd="set" data="external_ssl_dir=$$\{base_dir}/conf/ssl"/>
+ATTENTION: TLS is disabled by default; set `internal_ssl_enable` and/or `external_ssl_enable` to "true" to enable.
+
+```xml
+  <!-- SIP and TLS settings -->
+  <X-PRE-PROCESS cmd="set" data="sip_tls_version=sslv23"/>
+
+  <!-- Internal SIP Profile -->
+  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
+  <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
+  <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
+  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
+  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
+
+  <!-- External SIP Profile -->
+  <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
+  <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
+  <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
+  <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
+  <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
+```
+
+  If creating your own SIP profile, you need to set the configraution value 
+
+  ```xml
+  <param name="tls-cert-dir" value="/path/to/certificates"/>
+  ```
+
+
 
 ####  Step 4 Client Configuration