@hdml
Last active June 9, 2024 16:57
Installing a custom SSL cert on a Unifi Controller

## Installing a custom SSL cert on Unifi Controller

Requirements:

  • Domain certificate (*.crt)
  • Certificate key (*.key)
  • Intermediate certificate from CA (*.crt, *.pem)
  • Permissions to restart the unifi service
  • Debian or Ubuntu Unifi Controller installation

### Backup your current keystore

```
cd /var/lib/unifi
sudo cp keystore keystore.bkp
```

### Create pkcs12 certificate

```
openssl pkcs12 -export -in domain_certificate.crt -inkey domain_certificate_priv.key -out domain_certificate.p12 -name unifi -CAfile "intermediate_cert_from_CA.crt" -caname root -password pass:aircontrolenterprise
```

Copy your new cert to `/etc/ssl/private`:

```
sudo cp domain_certificate.p12 /etc/ssl/private
```

### Replace certificate in keystore with newly created cert

```
sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/domain_certificate.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
```

When prompted to replace the current certificate, say yes.

### Restart the Unifi Controller service

```
sudo /etc/init.d/unifi restart
```
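
Before touching the keystore, it helps to confirm that the key belongs to the certificate, that the certificate verifies against the intermediate, and that the PKCS#12 bundle actually carries the chain. The shell functions below are an added example, not part of the original gist; the function names and the 30-day expiry margin are assumptions, and only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight checks for the files used above.
# Function names and the 30-day default margin are assumptions of this example.

# Succeeds only if KEY holds the private key for the public key in CERT.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if CERT verifies against the CA certificate in INTERMEDIATE.
# -partial_chain lets the intermediate act as trust anchor, so the root CA
# does not need to be in the file.
issued_by() {  # usage: issued_by CERT INTERMEDIATE
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if CERT is still valid DAYS from now (default 30).
valid_for_days() {  # usage: valid_for_days CERT [DAYS]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Prints the number of certificates inside a PKCS#12 file (leaf plus chain).
p12_cert_count() {  # usage: p12_cert_count P12 PASSWORD
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Runs the input checks in order; the return code identifies the failure.
preflight() {  # usage: preflight CERT KEY INTERMEDIATE
    key_matches_cert "$1" "$2" || { echo "key does not match $1" >&2; return 1; }
    issued_by "$1" "$3" || { echo "$1 does not verify against $3" >&2; return 2; }
    valid_for_days "$1" || { echo "$1 expires within 30 days" >&2; return 3; }
}
```

Run `preflight domain_certificate.crt domain_certificate_priv.key intermediate_cert_from_CA.crt` before creating the `.p12`. After creating it, a `p12_cert_count` of 1 means only the domain certificate was bundled, without the intermediate.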
@rwjack

rwjack commented Feb 22, 2023

I've been running their default cert for 2 years now... Thanks for this!

@syntetikvision

Thank you for this. I was struggling with the change of the certificate. I was using keytool but with a different approach and always got an error. This works like a charm. Thank you so much.

@rolson1011

Can confirm this method works. Updated from an older 7.2.x release to 8.0.26 and lost my SSL certs.

@mike240se

I get

```
Existing entry alias unifi exists, overwrite? [no]:  yes
keytool error: java.lang.Exception: Alias <unifi> does not exist
```

@undermind

undermind commented May 16, 2024

Or the short way with certbot:

```
openssl pkey -in /etc/letsencrypt/live/domain.tld/privkey.pem -traditional -out transformed-private.key
java -jar lib/ace.jar import_key_cert transformed-private.key /etc/letsencrypt/live/domain.tld/fullchain.pem
service unifi restart
```
