mislav · August 27, 2024 01:55
diff --git a/unifi-controller-cert.sh b/unifi-controller-cert.sh
 hostname="MYHOST" # set this to where the Unifi Controller is served from

 root_ca="rootCA.pem"
 root_ca_key="rootCA.key"
 cert="unifi.pem"
 cert_key="unifi.key"

 # these don't really matter
 csr="unifi.csr"
 pfx_password="whatever"

 # Generate a root certificate if none exist yet. You should later import this into the macOS Keychain and
 # mark it as "always trusted".
 if [ ! -f "$root_ca" ]; then
  openssl genrsa -des3 -out "$root_ca_key" -passout pass:root 2048
  openssl req -x509 -new -nodes -key "$root_ca_key" -passin pass:root -sha256 -days 3650 -out "$root_ca" -config <( cat <<EOF
 [req]
 prompt = no
 distinguished_name = dn
 [dn]
 CN = unifi
 EOF
  )
 fi

 # Generate an intermediate signing request
 openssl req -new -sha256 -nodes -out "$csr" -newkey rsa:2048 -keyout "$cert_key" -config <( cat <<EOF
 [req]
 default_bits = 2048
 prompt = no
 default_md = sha256
 distinguished_name = dn
 [dn]
 C=NL
 ST=Nord Holland
 L=Amsterdam
 O=Unifi
 OU=Unifi Controller
 [email protected]
 CN = unifi
 EOF
 )

 # Generate a certificate signed by the root certificate
 openssl x509 -req -in "$csr" -CA "$root_ca" -CAkey "$root_ca_key" -passin pass:root -CAcreateserial -out "$cert" -days 390 -sha256 -extfile <( cat <<EOF
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = $hostname
 EOF
 )

 rm "$csr"

 # Generate a PKCS#12 store of certificate, private key, and root certificate
 openssl pkcs12 -export \
  -in "$cert" -inkey "$cert_key" -CAfile "$root_ca" -caname root \
  -out unifi.pfx -passout pass:"$pfx_password" \
  -name unifi

 # This converts a PKCS12 store to Java KeyStore file named "keystore" with password "aircontrolenterprise"
 keytool -importkeystore \
  -srckeystore unifi.pfx -srcstoretype PKCS12 -srcstorepass "$pfx_password" \
  -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore keystore \
  -alias unifi

 # Note: "Keytool" is a Java utility and might not be immediately available on your OS. However, it's present in
 # the Unifi Controller docker container, and I was able to access it by opening a shell in the container:
 # > docker-compose run unifi-controller /bin/bash

 # Now move `keystore` to an appropriate location. Within the `lscr.io/linuxserver/unifi-controller:latest` container,
 # that location is `/config/data/keystore`. (It's fine to overwrite the old keystore.)
	hostname="MYHOST" # set this to where the Unifi Controller is served from

	root_ca="rootCA.pem"
	root_ca_key="rootCA.key"
	cert="unifi.pem"
	cert_key="unifi.key"

	# these don't really matter
	csr="unifi.csr"
	pfx_password="whatever"

	# Generate a root certificate if none exist yet. You should later import this into the macOS Keychain and
	# mark it as "always trusted".
	if [ ! -f "$root_ca" ]; then
	openssl genrsa -des3 -out "$root_ca_key" -passout pass:root 2048
	openssl req -x509 -new -nodes -key "$root_ca_key" -passin pass:root -sha256 -days 3650 -out "$root_ca" -config <( cat <<EOF
	[req]
	prompt = no
	distinguished_name = dn
	[dn]
	CN = unifi
	EOF
	)
	fi

	# Generate an intermediate signing request
	openssl req -new -sha256 -nodes -out "$csr" -newkey rsa:2048 -keyout "$cert_key" -config <( cat <<EOF
	[req]
	default_bits = 2048
	prompt = no
	default_md = sha256
	distinguished_name = dn
	[dn]
	C=NL
	ST=Nord Holland
	L=Amsterdam
	O=Unifi
	OU=Unifi Controller
	[email protected]
	CN = unifi
	EOF
	)

	# Generate a certificate signed by the root certificate
	openssl x509 -req -in "$csr" -CA "$root_ca" -CAkey "$root_ca_key" -passin pass:root -CAcreateserial -out "$cert" -days 390 -sha256 -extfile <( cat <<EOF
	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = $hostname
	EOF
	)

	rm "$csr"

	# Generate a PKCS#12 store of certificate, private key, and root certificate
	openssl pkcs12 -export \
	-in "$cert" -inkey "$cert_key" -CAfile "$root_ca" -caname root \
	-out unifi.pfx -passout pass:"$pfx_password" \
	-name unifi

	# This converts a PKCS12 store to Java KeyStore file named "keystore" with password "aircontrolenterprise"
	keytool -importkeystore \
	-srckeystore unifi.pfx -srcstoretype PKCS12 -srcstorepass "$pfx_password" \
	-deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore keystore \
	-alias unifi

	# Note: "Keytool" is a Java utility and might not be immediately available on your OS. However, it's present in
	# the Unifi Controller docker container, and I was able to access it by opening a shell in the container:
	# > docker-compose run unifi-controller /bin/bash

	# Now move `keystore` to an appropriate location. Within the `lscr.io/linuxserver/unifi-controller:latest` container,
	# that location is `/config/data/keystore`. (It's fine to overwrite the old keystore.)