# Admin Guide: SSL for Web Server and WebSocket

This guide explains how to turn on SSL using the existing config files. No code changes are needed.

## What you need

– The certificate file: `*.crt`

– The private key file: `*.key`

– The public hostname users will open in the browser, for example `app.example.com`

## Step 1: Put the files on the server

– Copy the `crt` and `key` files to a secure folder on the server.

– Make sure the service account can read both files.

– Do not store the private key in source control or a public folder.

## Step 2: Update the web server settings

Edit [`config.toml`] and set:

“`toml

[services]

webserver_scheme = “https”

webserver_certfile = “C:/path/to/certificate.crt”

webserver_keyfile = “C:/path/to/private.key”

“`

## Step 3: Update the WebSocket settings

In the same file, set:

“`toml

[services]

websocket_scheme = “wss”

websocket_certfile = “C:/path/to/certificate.crt”

websocket_keyfile = “C:/path/to/private.key”

“`

## Step 4: Restart the services

– Save the config file.

– Restart the server.

– Restart the WebSocket service.

## Step 5: Test in a browser

– Open the app with `https://your-hostname`.

– Confirm the browser shows a valid secure connection.

– Open the browser dev tools and confirm the app connects to the WebSocket service with `wss://`.

## Quick checks if it fails

– The hostname in the certificate does not match the URL.

– The `.crt` or `.key` path is wrong.

– The service account cannot read the key file.

– `webserver_scheme` is still `http`.

– `websocket_scheme` is still `http`.

– The services were not restarted after the change.

## Simple rule

– Web server: `https://`

– WebSocket: `wss://`

– Same certificate and key can be used for both if they cover the same hostname.