Introduction
This guide explains where to place TLS settings and certificates so NextGen can securely connect to Legacy over HTTPS.
Who this guide is for
Customers running Legacy + NextGen in the same environment.
Customers using custom instance names or custom hostnames.
Teams that want TLS verification enabled for internal Legacy/NextGen traffic.
What you need
Legacy hostname:
<legacy_hostname>(example:legacy.example.local)Legacy certificate file on host:
<legacy_cert_path_on_host>(example:/usr/local/teramind/conf/ssl/cert.crt)NextGen project path:
/usr/local/teramind/msp(usually/usr/local/teramind/msp)
Step 1: Copy Legacy certificate to NextGen storage
Copy the Legacy certificate (or issuing CA certificate) to the NextGen storage path on the host:
mkdir -p /usr/local/teramind/msp/storage/certs
cp <legacy_cert_path_on_host> /usr/local/teramind/msp/storage/certs/legacy-ca.crt
Replace <legacy_cert_path_on_host> with the actual file path.
After this step, the certificate path inside NextGen containers will be:
/storage/certs/legacy-ca.crt
Step 2: Set NextGen TLS variables in teramind.config
Open:
/usr/local/teramind/conf/teramind.config
Add (or update) these lines:
msp_v2_enable_internal_tls_check=true
sp_v2_node_extra_ca_certs=/storage/certs/legacy-ca.crt
Step 3: Apply the configuration changes
Apply the updated teramind.config so values are written into /usr/local/teramind/msp/.env:
sudo /usr/local/teramind/scripts/tm.pl -func nn
Then recreate NextGen backend services:
cd /usr/local/teramind/msp
docker compose up -d --force-recreate server-1 ws-1 export-server export-manager background-sync priority-background-sync background-event-sync mail-manager deployment-manager
Step 4: Verify
Use either of these simple product checks:
1. Sign in to NextGen. If sign-in works, Legacy/NextGen TLS communication is working.
2. If you do not want to sign out/in, open any BI dashboard. Before the certificate fix, BI widgets show errors; after the fix, widgets load normally.
Notes About SAN / Hostname
NextGen connects to Legacy over loopback (127.0.0.1).
The same Legacy certificate is used for both:
External Legacy HTTPS traffic (hostname-based), and
NextGen-to-Legacy loopback traffic.
Because of this, the Legacy certificate must include both SAN entries:
DNS:<legacy_hostname>IP:127.0.0.1
Troubleshooting
Certificate error persists: verify the certificate file exists at
/storage/certs/legacy-ca.crtinside NextGen containers.Hostname mismatch: verify SAN contains the exact hostname/IP used in your deployment.
Changes not applied: rerun your apply/reconfigure step and recreate NextGen backend services.
Security Recommendation
Keep TLS verification enabled and trust internal certificates via msp_v2_node_extra_ca_certs. Avoid disabling TLS checks.
