It is up to you to generate valid certificates for domains `your_instance.tld` and `room.your_instance.tld`.You can use any [method supported by Prosody](https://prosody.im/doc/certificates).
You must then place these certificates in a folder that will be accessible to the `peertube` user, and specify this folder in the plugin setting "Certificate folder".
If you want to use the ProsodyCtl utility to import certificates, this utility is available (once Peertube is started) using the following command (adapting the path to your Peertube data folder, and replacing "xxx" with the arguments you wish to pass to prosodyctl): `sudo -u peertube /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun prosodyctl --config /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua xxx`
We assume here that your Peertube installation is "classic" (no use of Docker), and that the certificates are generated by letsencrypt, using the certbot tool.
First of all, we'll have to create a certificate for the subdomain `room.your_instance.tld` : this is the uri of the MUC (XMPP chat rooms) component.Even if the connections are made on `your_instance.tld`, we will need a valid certificate for this subdomain.
So start by setting up a DNS entry for `room.your_instance.tld`, which points to your server.You can use a CNAME entry (or an A entry and a AAAA entry).
Users can generate long term tokens to connect to the chat. These tokens can for example be used to include the chat in OBS web docks. Check <a href="https://livingston.frama.io/peertube-plugin-livechat/documentation/user/obs" target="_blank">the documentation</a> for more information. You can disable this feature by checking this setting.
Next, we'll use nginx (already installed for your Peertube) to generate the certbot certificate.We will create a new site. In the file `/etc/nginx/site-available/room.peertube`, add: