Installing a custom SSL cert on a Unifi Controller

custom_ssl_unifi_controller.md

##Installing a custom SSL cert on Unifi Controller

Requirements:

• Domain certificate (*.crt)
• Certificate key (*.key)
• Intermediate certificate from CA (*.crt, *.pem)
• Permissions to restart the unifi service
• Debian or Ubuntu Unifi Controller installation

###Backup your current keystore

cd /var/lib/unifi
sudo cp keystore keystore.bkp

###Create pkcs12 certificate

openssl pkcs12 -export -in domain_certificate.crt -inkey domain_certificate_priv.key -out domain_certificate.p12 -name unifi -CAfile "intermediate_cert_from_CA.crt" -caname root -password pass:aircontrolenterprise

Copy your new cert to /etc/ssl/private

sudo cp domain_certificate.p12 /etc/ssl/private

###Replace certificate in keystore with newly created cert

sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/domain_certificate.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi

When prompted to replace the current certificate, say yes.

###Restart the Unifi Controller service

sudo /etc/init.d/unifi restart

I've been running their default cert for 2 years now... Thanks for this!

Thank you for this. I was struggling with the change of the certificate. I was using keytool but with different approach and always get an error. This works like a charm. Thank you so much.

Can confirm this method works. Updated from an older 7.2.x release to 8.0.26 and lost my SSL certs

I get

Existing entry alias unifi exists, overwrite? [no]:  yes
keytool error: java.lang.Exception: Alias <unifi> does not exist```

Or short way with certbot

openssl pkey -in /etc/letsencrypt/live/domain.tld/privkey.pem -traditional -out transformed-private.key
java -jar lib/ace.jar import_key_cert transformed-private.key /etc/letsencrypt/live/domain.tld/fullchain.pem
service unifi restart