@mislav
Last active May 20, 2022 11:42
Figuring out how to assign your own SSL certificate to be used by the Unifi Controller web interface
#!/bin/bash
# Uses bash process substitution (<( ... )) and here-documents, so run it with bash, not sh.
set -e

hostname="MYHOST" # set this to the host name the Unifi Controller is served from (it must match what you type in the browser)
root_ca="rootCA.pem"
root_ca_key="rootCA.key"
cert="unifi.pem"
cert_key="unifi.key"
# these don't really matter
csr="unifi.csr"
pfx_password="whatever"
# The root key is protected with the passphrase "root" in the commands below; change it if you keep the CA around.

# Generate a root certificate if none exists yet. You should later import this into the macOS Keychain and
# mark it as "always trusted". The CA extensions are set explicitly so the result does not depend on
# OpenSSL version defaults.
if [ ! -f "$root_ca" ]; then
  openssl genrsa -des3 -out "$root_ca_key" -passout pass:root 2048
  openssl req -x509 -new -nodes -key "$root_ca_key" -passin pass:root -sha256 -days 3650 -out "$root_ca" -config <( cat <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = unifi
[ca_ext]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
)
fi

# Generate a private key and a certificate signing request (CSR) for the controller's server certificate
openssl req -new -sha256 -nodes -out "$csr" -newkey rsa:2048 -keyout "$cert_key" -config <( cat <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=NL
ST=Nord Holland
L=Amsterdam
O=Unifi
OU=Unifi Controller
emailAddress=unifi@example.com
CN = unifi
EOF
)

# Sign the CSR with the root certificate. 390 days stays under the 398-day maximum that Safari accepts for
# server certificates, and the host name goes into subjectAltName because browsers ignore the CN.
openssl x509 -req -in "$csr" -CA "$root_ca" -CAkey "$root_ca_key" -passin pass:root -CAcreateserial -out "$cert" -days 390 -sha256 -extfile <( cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $hostname
EOF
)
rm "$csr"

# Bundle the certificate, its private key, and the root certificate into a PKCS#12 store
openssl pkcs12 -export \
  -in "$cert" -inkey "$cert_key" -CAfile "$root_ca" -caname root \
  -out unifi.pfx -passout pass:"$pfx_password" \
  -name unifi

# Convert the PKCS#12 store to a Java KeyStore file named "keystore" with the password "aircontrolenterprise",
# which is the password the Unifi Controller uses for its own keystore
keytool -importkeystore \
  -srckeystore unifi.pfx -srcstoretype PKCS12 -srcstorepass "$pfx_password" \
  -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore keystore \
  -alias unifi

# Note: keytool is a Java utility and might not be immediately available on your OS. However, it's present in
# the Unifi Controller docker container, and I was able to access it by opening a shell in the container:
# > docker-compose run unifi-controller /bin/bash

# Now move `keystore` to an appropriate location. Within the `lscr.io/linuxserver/unifi-controller:latest` container,
# that location is `/config/data/keystore`. (It's fine to overwrite the old keystore.)
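Before converting the certificate into the keystore it is worth checking that it will actually be accepted by a browser. The script below is an added example, not part of the gist: `verify_unifi_cert` checks the chain against the private root only, rejects a CA-capable leaf, requires the host name as a DNS SAN and enforces the 398-day lifetime limit; `make_demo_material` is a constructed throwaway CA and leaf (hypothetical names, no passphrases) that mirrors the gist's openssl flow so the check can be run offline. It assumes `openssl` on the PATH.

```shell
#!/bin/bash
# Added example (not part of the gist): sanity-check a controller cert before converting it to the keystore.
set -eu

# verify_unifi_cert CERT ROOT_CA HOSTNAME
# Succeeds only if CERT chains to ROOT_CA, is a leaf (not a CA), names HOSTNAME as a DNS SAN and lives <= 398 days.
verify_unifi_cert() {
  cert="$1"; root_ca="$2"; host="$3"
  text=$(openssl x509 -in "$cert" -noout -text)
  # 1. Chain validation against the private root only, not the system trust store.
  if ! openssl verify -CAfile "$root_ca" "$cert" >/dev/null 2>&1; then
    echo "chain: FAIL ($cert is not signed by $root_ca)"; return 1
  fi
  # 2. The server certificate must not be able to issue further certificates.
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "basicConstraints: FAIL (CA:TRUE on a server cert)"; return 1
  fi
  # 3. The exact host name must be present as a DNS SAN entry (dots escaped for the regex).
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qE "DNS:${host_re}(,|$)"; then
    echo "SAN: FAIL (no DNS:$host entry)"; return 1
  fi
  # 4. -checkend succeeds when the cert is still valid 398 days from now, which for
  #    a freshly issued cert means its lifetime exceeds Apple's 398-day limit.
  if openssl x509 -in "$cert" -noout -checkend $((398 * 86400)) >/dev/null 2>&1; then
    echo "validity: FAIL (longer than 398 days)"; return 1
  fi
  echo "ok: $cert is usable for https://$host/"
}

# make_demo_material DIR HOST: constructed throwaway root CA and leaf (no passphrases),
# following the same openssl flow as the gist, so the check can be exercised offline.
make_demo_material() {
  dir="$1"; host="$2"
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=demo root\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/ca.cnf" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=%s\n' "$host" > "$dir/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
    -keyout "$dir/unifi.key" -out "$dir/unifi.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/unifi.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -days 390 -sha256 -extfile "$dir/ext.cnf" -out "$dir/unifi.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then  # "--demo" runs the check against the constructed material
  tmp=$(mktemp -d); make_demo_material "$tmp" "unifi.example.test"
  verify_unifi_cert "$tmp/unifi.pem" "$tmp/rootCA.pem" "unifi.example.test"; rm -rf "$tmp"
fi
```

For the real files from the gist, run `verify_unifi_cert unifi.pem rootCA.pem "$hostname"` before the `keytool` step; a SAN or lifetime failure here is exactly what shows up later as a browser warning.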