diff --git a/apps/emqx_bridge/src/emqx_bridge_app.erl b/apps/emqx_bridge/src/emqx_bridge_app.erl
index b02fe2a9c..99b2c4a84 100644
--- a/apps/emqx_bridge/src/emqx_bridge_app.erl
+++ b/apps/emqx_bridge/src/emqx_bridge_app.erl
@@ -20,6 +20,7 @@
 -export([start/2, stop/1]).
 
 -export([ pre_config_update/3
+        , post_config_update/5
         ]).
 
 -define(TOP_LELVE_HDLR_PATH, (emqx_bridge:config_key_path())).
@@ -46,8 +47,18 @@ pre_config_update(_, {_Oper, _, _}, undefined) ->
 pre_config_update(_, {Oper, _Type, _Name}, OldConfig) ->
     %% to save the 'enable' to the config files
     {ok, OldConfig#{<<"enable">> => operation_to_enable(Oper)}};
-pre_config_update(_, Conf, _OldConfig) when is_map(Conf) ->
-    {ok, Conf}.
+pre_config_update(Path, Conf, _OldConfig) when is_map(Conf) ->
+    case emqx_connector_ssl:convert_certs(filename:join(Path), Conf) of
+        {error, Reason} ->
+            {error, Reason};
+        {ok, ConfNew} ->
+            {ok, ConfNew}
+    end.
+
+post_config_update(Path, '$remove', _, OldConf, _AppEnvs) ->
+    _ = emqx_connector_ssl:clear_certs(filename:join(Path), OldConf);
+post_config_update(_Path, _Req, _, _OldConf, _AppEnvs) ->
+    ok.
 
 %% internal functions
 operation_to_enable(disable) -> false;
diff --git a/apps/emqx_connector/src/emqx_connector.erl b/apps/emqx_connector/src/emqx_connector.erl
index 16684466f..0e17971e1 100644
--- a/apps/emqx_connector/src/emqx_connector.erl
+++ b/apps/emqx_connector/src/emqx_connector.erl
@@ -15,7 +15,10 @@
 %%--------------------------------------------------------------------
 -module(emqx_connector).
 
--export([config_key_path/0]).
+-export([ config_key_path/0
+        , pre_config_update/3
+        , post_config_update/5
+        ]).
 
 -export([ parse_connector_id/1
         , connector_id/2
@@ -31,20 +34,26 @@
         , delete/2
         ]).
 
--export([ post_config_update/5
-        ]).
-
 config_key_path() ->
     [connectors].
 
+pre_config_update(Path, Conf, _OldConfig) when is_map(Conf) ->
+    case emqx_connector_ssl:convert_certs(filename:join(Path), Conf) of
+        {error, Reason} ->
+            {error, Reason};
+        {ok, ConfNew} ->
+            {ok, ConfNew}
+    end.
+
 -dialyzer([{nowarn_function, [post_config_update/5]}, error_handling]).
-post_config_update([connectors, Type, Name], '$remove', _, _OldConf, _AppEnvs) ->
+post_config_update([connectors, Type, Name] = Path, '$remove', _, OldConf, _AppEnvs) ->
     ConnId = connector_id(Type, Name),
     try foreach_linked_bridges(ConnId, fun(#{type := BType, name := BName}) ->
             throw({dependency_bridges_exist, emqx_bridge:bridge_id(BType, BName)})
         end)
     catch throw:Error -> {error, Error}
-    end;
+    end,
+    _ = emqx_connector_ssl:clear_certs(filename:join(Path), OldConf);
 post_config_update([connectors, Type, Name], _Req, NewConf, OldConf, _AppEnvs) ->
     ConnId = connector_id(Type, Name),
     foreach_linked_bridges(ConnId,
diff --git a/apps/emqx_resource/src/emqx_resource_ssl.erl b/apps/emqx_connector/src/emqx_connector_ssl.erl
similarity index 60%
rename from apps/emqx_resource/src/emqx_resource_ssl.erl
rename to apps/emqx_connector/src/emqx_connector_ssl.erl
index 9e3fe0456..07b12eea1 100644
--- a/apps/emqx_resource/src/emqx_resource_ssl.erl
+++ b/apps/emqx_connector/src/emqx_connector_ssl.erl
@@ -15,37 +15,36 @@
 %% limitations under the License.
 %%--------------------------------------------------------------------
 
--module(emqx_resource_ssl).
+-module(emqx_connector_ssl).
 
 -export([ convert_certs/2
-        , convert_certs/3
         , clear_certs/2
         ]).
 
-convert_certs(ResId, NewConfig) ->
-    convert_certs(ResId, NewConfig, #{}).
-
-convert_certs(ResId, NewConfig, OldConfig) ->
-    OldSSL = drop_invalid_certs(maps:get(ssl, OldConfig, undefined)),
-    NewSSL = drop_invalid_certs(maps:get(ssl, NewConfig, undefined)),
-    CertsDir = cert_dir(ResId),
-    case emqx_tls_lib:ensure_ssl_files(CertsDir, NewSSL) of
+convert_certs(RltvDir, NewConfig) ->
+    NewSSL = drop_invalid_certs(maps:get(<<"ssl">>, NewConfig, undefined)),
+    case emqx_tls_lib:ensure_ssl_files(RltvDir, NewSSL) of
         {ok, NewSSL1} ->
-            ok = emqx_tls_lib:delete_ssl_files(CertsDir, NewSSL1, OldSSL),
             {ok, new_ssl_config(NewConfig, NewSSL1)};
         {error, Reason} ->
             {error, {bad_ssl_config, Reason}}
     end.
 
-clear_certs(ResId, Config) ->
-    OldSSL = drop_invalid_certs(maps:get(ssl, Config, undefined)),
-    ok = emqx_tls_lib:delete_ssl_files(cert_dir(ResId), undefined, OldSSL).
-
-cert_dir(ResId) ->
-    filename:join(["resources", ResId]).
+clear_certs(RltvDir, Config) ->
+    OldSSL = drop_invalid_certs(map_get_oneof([<<"ssl">>, ssl], Config, undefined)),
+    ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL).
 
 new_ssl_config(Config, undefined) -> Config;
-new_ssl_config(Config, SSL) -> Config#{ssl => SSL}.
+new_ssl_config(Config, SSL) -> Config#{<<"ssl">> => SSL}.
 
 drop_invalid_certs(undefined) -> undefined;
 drop_invalid_certs(SSL) -> emqx_tls_lib:drop_invalid_certs(SSL).
+
+map_get_oneof([], _Map, Default) -> Default;
+map_get_oneof([Key | Keys], Map, Default) ->
+    case maps:find(Key, Map) of
+        error ->
+            map_get_oneof(Keys, Map, Default);
+        {ok, Value} ->
+            Value
+    end.
\ No newline at end of file
diff --git a/apps/emqx_resource/src/emqx_resource_instance.erl b/apps/emqx_resource/src/emqx_resource_instance.erl
index 352ddf247..60b2babe5 100644
--- a/apps/emqx_resource/src/emqx_resource_instance.erl
+++ b/apps/emqx_resource/src/emqx_resource_instance.erl
@@ -196,32 +196,14 @@ do_create(InstId, Group, ResourceType, Config, Opts) ->
         {ok, _, _} ->
             {ok, already_created};
         {error, not_found} ->
-            case emqx_resource_ssl:convert_certs(InstId, Config) of
-                {error, Reason} ->
-                    {error, Reason};
-                {ok, Config1} ->
-                    do_create2(InstId, Group, ResourceType, Config1, Opts)
-            end
+            ok = do_start(InstId, Group, ResourceType, Config, Opts),
+            ok = emqx_plugin_libs_metrics:create_metrics(resource_metrics, InstId,
+                    [matched, success, failed, exception], [matched]),
+            {ok, force_lookup(InstId)}
     end.
 
-do_create2(InstId, Group, ResourceType, Config, Opts) ->
-    ok = do_start(InstId, Group, ResourceType, Config, Opts),
-    ok = emqx_plugin_libs_metrics:create_metrics(resource_metrics, InstId,
-            [matched, success, failed, exception], [matched]),
-    {ok, force_lookup(InstId)}.
-
 do_create_dry_run(ResourceType, Config) ->
     InstId = make_test_id(),
-    case emqx_resource_ssl:convert_certs(InstId, Config) of
-        {error, Reason} ->
-            {error, Reason};
-        {ok, Config1} ->
-            Result = do_create_dry_run2(InstId, ResourceType, Config1),
-            _ = emqx_resource_ssl:clear_certs(InstId, Config1),
-            Result
-    end.
-
-do_create_dry_run2(InstId, ResourceType, Config) ->
     case emqx_resource:call_start(InstId, ResourceType, Config) of
         {ok, ResourceState} ->
             case emqx_resource:call_health_check(InstId, ResourceType, ResourceState) of
@@ -245,9 +227,8 @@ do_remove(Instance) ->
 do_remove(InstId, ClearMetrics) when is_binary(InstId) ->
     do_with_group_and_instance_data(InstId, fun do_remove/3, [ClearMetrics]).
 
-do_remove(Group, #{id := InstId, config := Config} = Data, ClearMetrics) ->
+do_remove(Group, #{id := InstId} = Data, ClearMetrics) ->
     _ = do_stop(Group, Data),
-    _ = emqx_resource_ssl:clear_certs(InstId, Config),
     ets:delete(emqx_resource_instance, InstId),
     case ClearMetrics of
         true -> ok = emqx_plugin_libs_metrics:clear_metrics(resource_metrics, InstId);