Supporting SSL for development on Rocket.Chat

When working with mobile apps, it is required that your server supports SSL.

Rocket.Chat is a "middle-tier application server." It does not handle SSL itself. However, Rocket.Chat works well with several industrial-grade, battle-tested reverse proxy servers you can configure to handle SSL.

Your Rocket.Chat server may be publicly accessible on the internet or not. Let's look at how to configure SSL for both scenarios.

The Rocket.Chat server is publicly accessible on the internet

If your server is publicly accessible, it is recommended that you use a service like Let's Encrypt to obtain your SSL certificates.

For Ubuntu users, it can be configured automatically using Snaps.

To learn more about configuring your choice of SSL Reverse proxy servers, see Configuring SSL Reverse Proxy.

The Rocket.Chat server is not accessible on the internet

If your server is not accessible on the internet, you need to provide self-signed certificates to configure SSL on the server.

To create your SSL certificates, you must generate a self-signed root certificate. The steps highlighted below is adapted from the resource " Self Signed Certificate with Custom Root CA.".

Create Root CA

Create Root Key

The root key plays a crucial role in signing certificate requests. It is essential to keep it secure, as possessing it grants the ability to sign certificates on your behalf.

openssl genrsa -des3 -out Rocket.Chat-root.key 4096

If you want a non-password-protected key, remove the -des3 option.

Create and self-sign the Root Certificate

Create the root certificate with the root key and distribute it to all computers that should trust you.

openssl req -x509 -new -nodes -key Rocket.Chat-root.key -sha256 -days 1024 -out Rocket.Chat-root.crt

It is not recommended that you distribute this root certificate in production. A breach of the above-generated key will open every device that trusts your root certificate to potential security threats.

Create an SSL certificate

Create the Certificate Key

openssl genrsa -out 2048

Replace with your IP address. Bonjour local domains also work!

Create the Certificate Signing Request

While creating the certificate signing request, it is important to specify the Common Name providing the IP address or URL for the service; otherwise, the certificate cannot be verified.

openssl req -new -key -out

Generate the SSL certificate

Here, we are using the CSR, along with the Rocket.Chat-root CA.

openssl x509 -req -in -CA Rocket.Chat-root.crt -CAkey Rocket.Chat-root.key -CAcreateserial -out -days 365 -sha256

Configuring SSL for Rocket.Chat

The and files generated above are used as the certificate and the private key to configure SSL.

To learn more about configuring your choice of SSL Reverse proxy servers, see Configuring SSL Reverse Proxy.

Trusting Certificate Authority

All the devices that need to communicate with the server during development need to trust the root certificate generated earlier (Rocket.Chat-root.crt).

Once the root certificate has been installed successfully, the device can access Rocket.Chat over SSL.


If your device is not able to connect over SSL, ensure that the URL has https:// explicitly typed out before it.

Last updated

Rocket.Chat versions receive support for six months after release.