ThingWorx WebSocket-based Edge MicroServer (WS EMS) and Lua Script Resource (LSR) > Configuring Secure Connections (SSL/TLS and FIPS Mode) > Migrating from the WS EMS/LSR Built-in Certificates
  
Migrating from the WS EMS/LSR Built-in Certificates
The 5.4.5 release of the WS EMS and Lua Script Resource (LSR) removes the built-in key and certificate that has existed in previous releases. This change means that you will no longer be able to use the use_default_certificate option in the WS EMS, or the script_resource_use_default_certificate option in the LSR.
Both the WS EMS and LSR have built-in web servers that support communicating over TLS. You are now required to provide your own certificate and private key file when the WS EMS and Lua ScriptResource are configured to communicate over TLS. This next two sections summarize the configuration changes for the WS EMS and the LSR. For detailed information on creating a private key or a certificate, using a certificate chain between the WS EMS and the LSR, or using a Certificate Authority List for validation, see Using a Custom Certificate and Private Key.
Configuration Changes for WS EMS (config.json)
The use_default_certificate option has been removed from the http_server group in config.json. You will now need to add three configuration options when running with SSL
certificate — Path to a PEM encoded certificate file. This can be a self-signed certificate or a certificate chain, meaning it contains the end entity (that is, the server) certificate, followed by n number of Intermediate Certificate Authority certificates.
private_key — Path to a PEM encoded, encrypted private key file.
passphrase — The passphrase to decrypt the private key. This field should be encrypted(see Encrypting Application Keys, Passwords, and Passphrases)
Below is an example configuration
Example 8. Changes to config.json

"http_server": {
"host": "localhost",
"port": 8443,
"ssl": true,
"certificate": "/path/to/certificate/file",
"private_key": "/path/to/private/key",
"passphrase": "some_encrypted_passphrase"
},
Configuration Changes to Lua ScriptResource (config.lua)
The changes for config.lua are:
script_resource_certificate_chain—Path to a PEM encoded certificate file. This can be a self-signed certificate or a certificate chain, meaning it contains the end entity (that is, the server) certificate, followed by n number of Intermediate Certificate Authority certificates.
script_resource_private_key—Path to a PEM encoded, encrypted private key file.
script_resource_passphrase—The passphrase to decrypt the private key. This field should be encrypted. For details on how to encrypt the passphrase, see Encrypting Application Keys, Passwords, and Passphrases.
Below is an example configuration
Example 9. Changes to config.lua

scripts.script_resource_host = "127.0.0.1"
scripts.script_resource_port = 8443
scripts.script_resource_ssl = true
scripts.script_resource_certificate_chain = "/path/to/certificate/file"
scripts.script_resource_private_key = "/path/to/private/key/file"
scripts.script_resource_passphrase = "some_encrypted_passphrase"