From 30cc1b437b83431b2942dc349a85dc4897101291 Mon Sep 17 00:00:00 2001 From: wh1te909 <7434746+wh1te909@users.noreply.github.com> Date: Tue, 17 Sep 2024 22:26:05 +0000 Subject: [PATCH] add docs for using own cert for existing installs --- docs/functions/settings_override.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/functions/settings_override.md b/docs/functions/settings_override.md index d5faa6b8..c7d9ba74 100644 --- a/docs/functions/settings_override.md +++ b/docs/functions/settings_override.md @@ -20,10 +20,29 @@ Change `(days=30)` to whatever you prefer. Then run `sudo systemctl restart rmm. ### Using your own wildcard SSL cert -This is only supported during initial install, not after you've already installed. +#### Before Install Follow the instructions in the [install guide](../install_server.md#step-5-run-the-install-script) for the `--use-own-cert` install flag. +#### Existing Install + +1. Append the following two variables to `/rmm/api/tacticalrmm/tacticalrmm/local_settings.py`, replacing the paths with the actual locations of your certificate and private key. The certificate must include the full chain: +```python +CERT_FILE = "/path/to/your/fullchain.pem" +KEY_FILE = "/path/to/your/privkey.pem" +``` + +2. Ensure that both files are readable by the `tactical` Linux user: +```bash +sudo chown tactical:tactical /path/to/your/fullchain.pem /path/to/your/privkey.pem +sudo chmod 440 /path/to/your/fullchain.pem /path/to/your/privkey.pem +``` + +3. Update all instances of `ssl_certificate` and `ssl_certificate_key` in the three Nginx configuration files located in `/etc/nginx/sites-available` to point to your certificate and private key paths. + +4. Restart the services: `sudo systemctl restart nginx meshcentral rmm daphne` + + ### Use NATS Standard instead of NATS websocket Prior to TRMM v0.14.0 (released 7/7/2022), agents NATS traffic connected to the TRMM server on public port 4222.
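Review bot: Step 4 of the new "Existing Install" section restarts nginx straight after the hand edits in step 3, with no config check in between. A mistyped `ssl_certificate` or `ssl_certificate_key` path in any of the three files would only surface when nginx fails to come back up. Suggest adding `sudo nginx -t` as its own step before the restart. Step 3 should also name the three files in `/etc/nginx/sites-available`, so the reader does not have to guess which ones are meant. In step 2, the text says both files must be readable by the `tactical` user, but the commands only set ownership and mode on the files themselves. It is worth adding that the parent directories of `/path/to/your/fullchain.pem` and `/path/to/your/privkey.pem` must be traversable by `tactical` as well, and that the `chown`/`chmod` has to be reapplied if the files are replaced when the certificate is renewed.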