Requirements

  • Unifi Controller running on Linux
  • Windows Certificate Authority
  • Keystore Explorer
  • SSH Client
  • WinSCP

Windows CA

Certificate Template

Run certtmpl.msc to open the Certificate Templates console

I am using a customized template with the following settings:

  • General
    • Name: Custom Application
    • Template Name: CustomApplication
    • Validity: 2 years. This number is configurable
    • Renewal period: 6 weeks
    • Do NOT publish certificate in Active Directory
  • Compatibility
    • CA: 2008R2
    • Recipient: XP/2003
  • Request Handling
    • Purpose: Signature and Encryption
    • Allow private key to be exported
  • Cryptography
    • Algo: Determined by CSP
    • Min key size: 2048
    • Crypto provider: One of the following providers:
      • MS RSA SChannel
      • MS DH SChannel
  • Extensions
    • Application Policies
    • Basic Constraints
    • Certificate Template Information
    • Issuance Policies
    • Key Usage
      • Digital Signature
      • Signature is proof of origin
      • Allow key exchange only with key encryption
      • Make this extension critical
  • Security
    • As required

Request Certificate

Credit: Installing a custom SSL certificate on a UniFi Controller – Blinky’s Blog (cracknells.co.uk)

  1. Open the Manage Computer Certificates console (certlm.msc)
  2. In Personal > Certificate, make a new request using the template described above
  3. Fill in with the following:
    • CN=unifi.example.org
    • OU=Dept
    • O=ExampleCompany
    • L=Town
    • S=State
    • C=SG
    • DNS
      • unifi.example.org
      • 172.16.0.2
    • IP (v4) = 172.16.0.2
  4. Once requested, export the new certificate:
    • With private key
    • .PFX
      • Include all certificates in the certification path if possible
    • Encryption: TripleDES-SHA1
    • Set the password to aircontrolenterprise
  5. From this point onwards, this certificate file is referred to as unifi_new_cert.pfx
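A pre-flight check for the exported PFX, added here as an example and not part of the original page: run it with openssl on the controller (or any Linux box) before touching the keystore, to confirm the bundle carries the private key, a 2048-bit key, the hostname and IP from step 3 in its SAN, and the CA chain from step 4. The password and names are the ones used above; `check_pfx` is an assumed function name.

```shell
#!/bin/sh
# check_pfx: verify an exported PKCS#12 bundle before it goes into the UniFi keystore.
# Usage: check_pfx <bundle.pfx> <password> <hostname> <ipv4>
# Returns 0 only if the bundle opens, carries a private key, the leaf certificate
# is RSA >= 2048 bits, names both the hostname and the IP in its SAN, and is not
# expired. A missing CA chain is reported as a warning only.
check_pfx() {
    pfx="$1"; pass="$2"; host="$3"; ip="$4"; rc=0
    # Leaf certificate (the one paired with the private key) in PEM form.
    leaf=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) || {
        echo "FAIL: cannot open $pfx (wrong password or corrupt file)"; return 1; }
    # The controller needs the private key, not just the certificate.
    if openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo "ok: private key present"
    else
        echo "FAIL: bundle has no private key"; rc=1
    fi
    # Key size as printed by 'openssl x509 -text' ("Public-Key: (2048 bit)").
    bits=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null \
            | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok: key size $bits bits"
    else echo "FAIL: key size ${bits:-unknown} below 2048"; rc=1; fi
    # Browsers match on the SAN, so both the DNS name and the IP must be listed.
    san=$(printf '%s\n' "$leaf" | openssl x509 -noout -ext subjectAltName 2>/dev/null || true)
    for want in "DNS:$host" "IP Address:$ip"; do
        if printf '%s\n' "$san" | grep -q "$want"; then echo "ok: SAN has $want"
        else echo "FAIL: SAN lacks $want"; rc=1; fi
    done
    # Refuse a certificate that is already expired.
    if printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok: certificate not expired"
    else echo "FAIL: certificate expired"; rc=1; fi
    # CA certificates should ride along so clients can build the chain.
    cas=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE' || true)
    if [ "${cas:-0}" -ge 1 ]; then echo "ok: $cas CA certificate(s) included"
    else echo "WARN: no CA chain in bundle (export with 'include all certificates')"; fi
    return $rc
}
```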

Unifi Controller

Credit: Ubiquiti Unifi Controller SSL Certificate creation process – Tielen Consultancy (jeroentielen.nl)

Getting keystore file

  1. SSH into the server (in this case, as user1)
  2. Switch to root with su
  3. Run the commands below
  4. Afterwards, copy the resulting file to the Windows machine using WinSCP
# Change to data folder
cd /usr/lib/unifi/data

# Make a backup copy
cp keystore keystore.bak

# Copy to home directory
cp keystore ~/keystore

# Change owner
chown user1:user1 ~/keystore

Opening keystore file

  1. On the Windows machine, open KeyStore Explorer
  2. Open the keystore file copied in the section above
  3. Delete the existing key pair
  4. Click on Tools > Import key pair > PKCS12
  5. Locate unifi_new_cert.pfx
  6. Enter the password from the section above (aircontrolenterprise)
  7. Set the key pair alias to unifi (it must be exactly this)
  8. Provide a new password (aircontrolenterprise)
  9. Save the keystore file

Upload keystore file

  1. Using WinSCP, copy the file back to the server
  2. Run the following commands as root
# change owner
chown unifi:unifi ~/keystore

# copy file over the original keystore (a backup was taken earlier)
cp ~/keystore /usr/lib/unifi/data/keystore

# reboot so the controller loads the new keystore
reboot
Last modified: 29 July 2023