Ubiquiti has a little article on the site how to add yout own ssl certificate to your Unifi controller. But they made it a bit to complex 😉 Read article.
First let me explain what kind of certificate the Unifi controller wants to have:
- The controller works with a keystore file. In this file the whole certificate chain and key file must be included;
- The keystore file must have password: aircontrolenterprise (can be changed);
- The keystore file must have alias: unifi.
The keystore file is located in: /usr/lib/unifi/data (Linux) or %UserProfile%/Ubiquiti Unifi (Windows).
Open the current keystore file in “Keystore Explorer“. If you can’t open it with password: aircontrolenterprise then you need to make sure the controller is using this password. Follow these steps to do this:
- Rename current keystore file so the controller can’t use it anymore (or just delete it);
- Edit /usr/lib/unifi/data/system.properties and add line: app.keystore.pass=aircontrolenterprise
Note: You could also choose your own password here;
- Restart the controller and there will be a new keystore file generated;
- try to open this file in keystore explorer with the correct password.
If you can open the file with the given password we need to replace the current self-signed certificate with your own certificate.
First create 1 cer file which holds the certificate and intermediate certificate(s). Open a new text file in notepad, or your favorite text editor. Paste the certificate followed by the intermediate certificate(s). The file should look like this:
If you have more than 1 intermedate certificate just add them all. Start with your own SSL certificate and follow the chain up to the Root CA.
Note: You don’t have to provide the Root CA certificate as this should already be present on the endpoints connecting to your Unifi controller.
Now we need to create a PFX (PKCS12) file which holds the just created cer file and the key file. If you don’t have already please install openssl.
The command to create the PKCS12 file is: openssl pkcs12 -export -in <you_cer_file_with_the_chain>.cer -inkey <you_key_file>.key -out <name_it>.pfx
Choose you own password for this. This could be different than the password used in the Unifi controller.
Now switch back to keystore explore and delete the unifi entry.
Click: Tools –> Import Key Pair –> PKCS12. Locate the PFX file and give the password you gave during creation of the pfx file.
The Key Pair Alias should be: unifi
And provide the new password. This should be the password you have set in the Unifi controller (aircontrolenterprise).
Save the keystore file and copy it to the Unifi controller. Restart controller and you are good to go 🙂