diff --git a/conf/vanilla/sip_profiles/external.xml b/conf/vanilla/sip_profiles/external.xml
index 5070c87913..6edc878c06 100644
--- a/conf/vanilla/sip_profiles/external.xml
+++ b/conf/vanilla/sip_profiles/external.xml
@@ -78,7 +78,7 @@
     <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
     <param name="tls-sip-port" value="$${external_tls_port}"/>
     <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
-    <param name="tls-cert-dir" value="$${external_ssl_dir}"/>
+    <!--<param name="tls-cert-dir" value=""/>-->
     <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
     <param name="tls-passphrase" value=""/>
     <!-- Verify the date on TLS certificates -->
diff --git a/conf/vanilla/sip_profiles/internal.xml b/conf/vanilla/sip_profiles/internal.xml
index 7beecbfeab..3665b91df0 100644
--- a/conf/vanilla/sip_profiles/internal.xml
+++ b/conf/vanilla/sip_profiles/internal.xml
@@ -188,7 +188,7 @@
     <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
     <param name="tls-sip-port" value="$${internal_tls_port}"/>
     <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
-    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
+    <!--<param name="tls-cert-dir" value=""/>-->
     <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
     <param name="tls-passphrase" value=""/>
     <!-- Verify the date on TLS certificates -->
diff --git a/conf/vanilla/vars.xml b/conf/vanilla/vars.xml
index 2792a567ce..c3f235bfe3 100644
--- a/conf/vanilla/vars.xml
+++ b/conf/vanilla/vars.xml
@@ -257,12 +257,12 @@
   <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
   <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
   <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
-  <X-PRE-PROCESS cmd="set" data="internal_ssl_dir=$${base_dir}/conf/ssl"/>
+
 
   <!-- External SIP Profile -->
   <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
   <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
   <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
   <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
-  <X-PRE-PROCESS cmd="set" data="external_ssl_dir=$${base_dir}/conf/ssl"/>
+
 </include>
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index cd2ac9a9b6..60be814834 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -222,9 +222,13 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.configured = path != tbf;
     ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
     ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
+	if (access(ti.key, R_OK) != 0) ti.key = NULL;
+    if (!ti.key) ti.key = su_sprintf(autohome, "%s/%s", path, "tls.pem");
     ti.passphrase = su_strdup(autohome, passphrase);
     ti.cert = ti.key;
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
+	if (access(ti.CAfile, R_OK) != 0) ti.CAfile = NULL;
+    if (!ti.CAfile) ti.CAfile = su_sprintf(autohome, "%s/%s", path, "tls.pem");
     ti.version = tls_version;
     ti.timeout = tls_timeout;
     ti.CApath = su_strdup(autohome, path);
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index c543bb8314..24f91ad51c 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -3643,6 +3643,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 					profile->mflags = MFLAG_REFER | MFLAG_REGISTER;
 					profile->server_rport_level = 1;
 					profile->client_rport_level = 1;
+					profile->tls_cert_dir = SWITCH_GLOBAL_dirs.certs_dir;
 					sofia_set_pflag(profile, PFLAG_DISABLE_100REL);
 					profile->auto_restart = 1;
 					sofia_set_media_flag(profile, SCMF_AUTOFIX_TIMING);
@@ -4503,13 +4504,13 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 						} else {
 							profile->tls_sip_port = (switch_port_t) atoi(val);
 						}
-					} else if (!strcasecmp(var, "tls-cert-dir")) {
+					} else if (!strcasecmp(var, "tls-cert-dir") && !zstr(val)) {
 						profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
-					} else if (!strcasecmp(var, "tls-passphrase")) {
+					} else if (!strcasecmp(var, "tls-passphrase") && !zstr(val)) {
 						profile->tls_passphrase = switch_core_strdup(profile->pool, val);
-					} else if (!strcasecmp(var, "tls-verify-in-subjects")) {
+					} else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
 						profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
-					} else if (!strcasecmp(var, "tls-version")) {
+					} else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
 
 						if (!strcasecmp(val, "tlsv1")) {
 							profile->tls_version = 1;
@@ -4671,10 +4672,33 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 
 				config_sofia_profile_urls(profile);
 
-				if (!profile->tls_cert_dir) {
-					profile->tls_cert_dir = switch_core_sprintf(profile->pool, "%s/ssl", SWITCH_GLOBAL_dirs.conf_dir);
+				if (profile->tls_cert_dir) {
+					if (profile->wss_ip) {
+						char *key, *cert;
+						key  = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.key");
+						if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
+						cert = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.crt");
+						if (switch_file_exists(cert, profile->pool) != SWITCH_STATUS_SUCCESS) cert = NULL;
+						if ( !key || !cert) {
+							key  = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "wss.pem");
+							if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
+								switch_core_gen_certs(key);
+							}
+						}
+					}
+					if (sofia_test_pflag(profile, PFLAG_TLS)) {
+						char *key = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "agent.pem");
+						char *ca  =  switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "cafile.pem");;
+						if (switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS) key = NULL;
+						if (switch_file_exists(ca, profile->pool) != SWITCH_STATUS_SUCCESS) ca = NULL;
+						if ( !key || !ca ) {
+							key  = switch_core_sprintf(profile->pool, "%s/%s", profile->tls_cert_dir, "tls.pem");
+							if ( switch_file_exists(key, profile->pool) != SWITCH_STATUS_SUCCESS ) {
+								switch_core_gen_certs(key);
+							}
+						}
+					}
 				}
-
 			}
 
 			if (profile) {
diff --git a/src/switch_core_cert.c b/src/switch_core_cert.c
index 4f52384e94..5a56746fa1 100644
--- a/src/switch_core_cert.c
+++ b/src/switch_core_cert.c
@@ -214,12 +214,31 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 	EVP_PKEY *pkey = NULL;
 	char *rsa = NULL, *pvt = NULL;
 	FILE *fp;
+	char *pem = NULL;
 
-	pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
-	rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+	if (switch_stristr(".pem", prefix)) {
 
-	if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
-		goto end;
+		if (switch_is_file_path(prefix)) {
+			pem = strdup(prefix);
+		} else {
+			pem = switch_mprintf("%s%s%s", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+		}
+
+		if (switch_file_exists(pem, NULL) == SWITCH_STATUS_SUCCESS) {
+			goto end;
+		}
+	} else {
+		if (switch_is_file_path(prefix)) {
+			pvt = switch_mprintf("%s.key", prefix);
+			rsa = switch_mprintf("%s.crt", prefix);
+		} else {
+			pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+			rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
+		}
+
+		if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
+			goto end;
+		}
 	}
 
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
@@ -231,18 +250,26 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 	//RSA_print_fp(stdout, pkey->pkey.rsa, 0);
 	//X509_print_fp(stdout, x509);
 
+	if (pem) {
+		if ((fp = fopen(pem, "w"))) {
+			PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
+			PEM_write_X509(fp, x509);
+			fclose(fp);
+		}
 
-	if ((fp = fopen(pvt, "w"))) {
-		PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
-	}
+	} else {
+		if ((fp = fopen(pvt, "w"))) {
+			PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
+		}
 
-	fclose(fp);
+		fclose(fp);
 		
-	if ((fp = fopen(rsa, "w"))) {
-		PEM_write_X509(fp, x509);
-	}
+		if ((fp = fopen(rsa, "w"))) {
+			PEM_write_X509(fp, x509);
+		}
 
-	fclose(fp);
+		fclose(fp);
+	}
 
 	X509_free(x509);
 	EVP_PKEY_free(pkey);
@@ -260,6 +287,7 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix)
 
 	switch_safe_free(pvt);
 	switch_safe_free(rsa);
+	switch_safe_free(pem);
 
 	return(0);
 }