Ubiquiti Unifi Controller SSL Certificate creation process

Ubiquiti has a short article on its site explaining how to add your own SSL certificate to your Unifi controller, but they made it a bit too complex 😉 Read the article.

First let me explain what kind of certificate the Unifi controller wants to have:

  1. The controller works with a keystore file. This file must contain the whole certificate chain and the private key;
  2. The keystore file must have the password: aircontrolenterprise (can be changed);
  3. The keystore file must have the alias: unifi.

The keystore file is located in: /usr/lib/unifi/data (Linux) or %UserProfile%/Ubiquiti Unifi (Windows).

Open the current keystore file in “Keystore Explorer”. If you can’t open it with the password aircontrolenterprise, you need to make sure the controller is actually using this password. Follow these steps to do so:

  1. Rename the current keystore file so the controller can’t use it anymore (or just delete it);
  2. Edit /usr/lib/unifi/data/system.properties and add the line: app.keystore.pass=aircontrolenterprise
    Note: You could also choose your own password here;
  3. Restart the controller and a new keystore file will be generated;
  4. Try to open this file in Keystore Explorer with the correct password.

Once you can open the file with that password, we can replace the current self-signed certificate with your own certificate.

First create one .cer file which holds the certificate and the intermediate certificate(s). Open a new text file in Notepad or your favorite text editor, and paste the certificate followed by the intermediate certificate(s). The file should look like this:

If you have more than one intermediate certificate, add them all. Start with your own SSL certificate and follow the chain up to the Root CA.

Note: You don’t have to provide the Root CA certificate, as it should already be present on the endpoints connecting to your Unifi controller.

Now we need to create a PFX (PKCS12) file which holds the just-created .cer file and the key file. If you don’t have it already, install OpenSSL.

The command to create the PKCS12 file is: openssl pkcs12 -export -in <your_cer_file_with_the_chain>.cer -inkey <your_key_file>.key -out <name_it>.pfx

Choose your own password for this. It can differ from the password used in the Unifi controller.

Now switch back to Keystore Explorer and delete the unifi entry.

Click: Tools –> Import Key Pair –> PKCS12. Locate the PFX file and enter the password you chose when creating the PFX file.

The Key Pair Alias should be: unifi

Then provide the new password. This must be the password set in the Unifi controller (aircontrolenterprise).

Save the keystore file and copy it to the Unifi controller. Restart the controller and you are good to go 🙂
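The same steps as a script, as an added example that is not part of the original post. It assumes OpenSSL is installed and, for the last step, the JDK keytool, which is used here in place of the Keystore Explorer GUI; all file names are placeholders. It also adds two checks the GUI route does not give you: that no private key was pasted into the .cer bundle by mistake, and that the bundle really runs from your own certificate up through the intermediates in issuer order.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes: openssl on PATH,
# keytool (JDK) for import_into_keystore, and placeholder file names.
set -e

# Concatenate PEM certificates in the order the controller expects: your own
# certificate first, then each intermediate up to (optionally) the root.
# Usage: make_chain_file leaf.pem intermediate1.pem ... > chain.cer
make_chain_file() {
    for pem in "$@"; do
        # Copy only the CERTIFICATE blocks, so stray key material never
        # lands in the bundle.
        awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$pem"
    done
}

# Check a bundle: no private key inside, and each certificate's issuer must be
# the subject of the certificate that follows it. Returns 1 on any problem.
check_chain_order() {
    bundle=$1
    if grep -q 'PRIVATE KEY' "$bundle"; then
        echo "ERROR: $bundle contains a private key; the .cer file must hold certificates only" >&2
        return 1
    fi
    work=$(mktemp -d)
    # Split the bundle into cert01.pem, cert02.pem, ... preserving file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    n=0; prev_issuer=""; last_subject=""; status=0
    for cert in "$work"/cert*.pem; do
        [ -f "$cert" ] || break
        n=$((n + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        if [ "$n" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
            echo "ERROR: certificate $n ($subject) did not issue certificate $((n - 1)); chain is out of order or incomplete" >&2
            status=1
            break
        fi
        prev_issuer=$issuer
        last_subject=$subject
    done
    rm -rf "$work"
    if [ "$n" -eq 0 ]; then
        echo "ERROR: no certificates found in $bundle" >&2
        return 1
    fi
    [ "$status" -eq 0 ] || return 1
    if [ "$last_subject" = "$prev_issuer" ]; then
        echo "note: last certificate is self-signed (root CA); the controller does not need it" >&2
    fi
    echo "OK: $n certificate(s), chain order verified"
}

# Bundle chain + private key into a PKCS12 whose entry is already named
# "unifi", so the import keeps the alias the controller requires. The PFX
# password is handed to openssl through the environment, not argv, so it does
# not show up in the process list.
# Usage: make_pkcs12 chain.cer server.key unifi.pfx <pfx password>
make_pkcs12() {
    PFX_PASS="$4" openssl pkcs12 -export -name unifi -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Replace the "unifi" entry in the controller keystore with keytool (CLI
# equivalent of the Keystore Explorer steps). Keeps a backup first.
# Usage: import_into_keystore unifi.pfx <pfx password> /usr/lib/unifi/data/keystore [keystore password]
import_into_keystore() {
    pfx=$1; pfx_pass=$2; ks=$3; ks_pass=${4:-aircontrolenterprise}
    [ -f "$ks" ] && cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"
    # Remove the self-signed entry; ignore the error if it is not there.
    keytool -delete -alias unifi -keystore "$ks" -storepass "$ks_pass" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pfx_pass" -srcalias unifi \
        -destkeystore "$ks" -deststorepass "$ks_pass" -destalias unifi -destkeypass "$ks_pass"
    # Show what the controller will now present.
    keytool -list -keystore "$ks" -storepass "$ks_pass" -alias unifi
}
```

Run check_chain_order on the bundle before exporting; the two common mistakes (chain pasted root-first, or the key file appended to the .cer) both fail loudly here, whereas the GUI happily imports them and the controller then serves an incomplete chain. If keytool or Keystore Explorer rejects the .pfx on an older Java runtime, re-export it with OpenSSL 3's -legacy option, which falls back to the older PKCS12 encryption those runtimes understand.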

37 thoughts on “Ubiquiti Unifi Controller SSL Certificate creation process”

    1. The .key file is part of your own certificate. It holds the private key of your certificate. This article does not describe the process of creating a certificate signing request etc etc.

      1. Thanks for the quick reply. Your article got me 75% there. Where I got stuck was using openssl to generate the PFX file. After quite a few failed attempts and after banging my head on the wall for about 2 hrs, I ended up replacing your openssl steps with installing a cert on the server and then used Windows to export and create the PFX. I then used Keystore Explorer to import the PFX Windows made into the keystore following the steps you outlined.

          1. Yep, since this worked out to be an all-GUI way of doing it, I should do a write-up for the Windows Controller installs that are out there.

          1. The certificate is a wildcard *.mydomain.it
            Do I have to create an ad hoc certificate for Unifi controller?

          2. Wildcard certificates are working fine (I’m using a wildcard as well) but your certificate must be correct. Can you provide the URL to me? Then I will have a check. If you don’t want to type it here you can email the URL to jeroen@tielenconsultancy.nl. I don’t need credentials, only the URL is enough and I will have a look at what is wrong. 😉

  1. Hi,

    Custom SSL works, but Cloudkey every few days replaces my SSL with self-signed one. Why? How to stop it? I have to upload keystore with custom ssl every few days, and then restart unifi service.

  2. I feel so close to figuring this issue out but keep hitting a snag. I created the certificates to be signed and got them signed by SSLs/Namechap, I can access the keystore, I got all my certs together in one file, but not exactly sure how to make or get my key file…. Should I extract it from the certificate I got back from SSLs? Only showing public key for that one.

    Got them all installed via Java but then get protocol error, so I’m trying this method hoping it will work.

    Thanks in advance!

  3. Hi,
    I wanted to inquire whether, by following your steps from the OP and deleting the keystore, it will recreate a new one. If the new one is recreated, will it have a new self-signed time stamp?

    I have tried to post in ubnt forum: https://community.ubnt.com/t5/UniFi-Routing-Switching/SSL-Certificate-default-renewal-for-Unifi-Controller-UCK-gen1/m-p/2683881/highlight/true#M134172 but no one seems to be answering nor ubnt support to answer my question. They just said not supported.

    I understand that you don’t have a UCK cloud key but wanted to see, when the key is gone, whether it will generate a fresh one that can be used right away. Not worrying about the prompt as long as the self-signed certificate gets renewed.

    Thanks in advance!

      1. Jeroen,
        It worked :). Simple removal, restart and it will generate a new self signed key for another 10 years.

        I will play around later with a custom one.

        Cheers.

  4. Hello Jeroen,
    Maybe a trivial question, but please write if it’s possible.
    All devices on the network should have SSL certificates installed to browse the internet safely.
    Is it possible to install the certificate on a Unifi controller not to install on computers?
    I have UniFi Security Gateway pro-4 and two 24 port switches.
    Regards
    Christopher

    1. No. Internet is, by default, not safe. Certificates installed on the network will only say that those devices are who they say they are. Requested websites must have certificates installed (TLS certs).

      Best regards, Jeroen.

  5. Our CCTV server died and has been rebuilt but has a different name. I’ve been told by our web host that we need to re-key the certificate. I’ve downloaded and installed keystore explorer but there are no keyfiles in the location mentioned for Windows servers.
    To re-key the current cert I need to generate a CSR – is there a way to do this in Ubiquiti?
    Thanks in advance

    1. Hi Mark,

      Yes, to re-key (create a new key-pair) you need to create a new CSR. You can do this via multiple methods. I don’t know if the SSL tools are present in a Ubiquiti controller at the moment. Can’t test it either as I switched over to Cloud Key Gen2+.

      Best regards Jeroen.

      1. Hi Jeroen

        Did you get it to work on your Cloud Key Gen2 + ?
        I have installed the SSL certificate and rebooted the key and USG Pro, but I still only see the std. certificate called CloudKey. How do I change the std. certificate to the new one?

        Best Regards
        Martin

        1. Hi Martin,

          I don’t have the Cloud Key Gen2+ anymore. I switched over to a Unifi Dream Machine Pro. But this could be because you have the wrong type of key-pair. This should be an RSA key. Try to convert the key to RSA and try again.

          Best regards, Jeroen.

  6. Instructions were very straight-forward, but when I replace the original keystore with the modified one (containing my key/cert/int) on startup, that keystore file is overwritten with the self-signed certificate. Any thoughts?

  7. Wanted to say I just tried this process on controller ver 7.3.76 running on Ubuntu and the directions worked perfectly the first time.
