
Unifi CloudKey certificates with own CA

Importing SSL certificates signed by your own self-signed CA according to the Ubiquiti docs fails. It has to be done manually.

REMARK: After an upgrade, all changes will be lost.

You should consider making a backup, really.

Unifi Controller

Generate certificates, e.g. with easy-rsa. Pack the certs into a PKCS#12 file and upload it to the controller:

openssl pkcs12 -export -in unifi.crt -inkey unifi.key -out unifi.p12 -name unifi -CAfile ca.crt -caname root
scp unifi.p12 unifi:/tmp/

Connect to the Unifi Cloud Key over SSH and rewrite the keystore:

mv /etc/ssl/private/unifi.keystore.jks /tmp/keystore.bak
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /etc/ssl/private/unifi.keystore.jks -srckeystore /tmp/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi

Next, restart the Unifi controller:

service unifi restart

CloudKey

Just copy your certs over the default nginx ones:

scp unifi.crt unifi:/etc/ssl/private/cloudkey.crt
scp unifi.key unifi:/etc/ssl/private/cloudkey.key

Connect to the Unifi Cloud Key over SSH and restart the nginx server:

service nginx restart
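
A pre-flight check for the files used in both sections above, as an added example that is not part of the original page: it confirms that unifi.key belongs to unifi.crt, that unifi.crt verifies against ca.crt, and that unifi.p12 opens with the password later given to keytool as -srcstorepass and carries the unifi alias. The function names are hypothetical; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: consistency checks for the files used on this page.
# Function names are hypothetical; the openssl subcommands are standard.

# True only if KEY is the unencrypted private key for CERT.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if CERT verifies against the CA certificate in CA.
cert_chains_to_ca() {  # usage: cert_chains_to_ca CERT CA
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True only if P12 opens with PASSWORD and holds a certificate whose
# friendly name is ALIAS (the name keytool is asked for with -alias).
# The password goes through the environment, not the argument list.
p12_has_alias() {  # usage: p12_has_alias P12 PASSWORD ALIAS
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -q "friendlyName: $3\$"
}

# Run all three checks and report the first one that fails.
preflight() {  # usage: preflight CERT KEY CA P12 PASSWORD
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 is not the unencrypted key for $1" >&2; return 1; }
    cert_chains_to_ca "$1" "$3" ||
        { echo "FAIL: $1 does not verify against $3" >&2; return 1; }
    p12_has_alias "$4" "$5" unifi ||
        { echo "FAIL: $4 has a different password or no 'unifi' alias" >&2; return 1; }
    echo "OK: certificate, key, CA and PKCS#12 bundle are consistent"
}

# Example call, with the password used in the keytool command above:
#   sh preflight.sh unifi.crt unifi.key ca.crt unifi.p12 aircontrolenterprise
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

Run it on the machine where the certificates were generated, before the scp steps, so a mismatched file is caught while the original keystore and nginx certificates are still in place.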

Notes

  • The certs and the keystore are placed in /etc/ssl/private/

  • /usr/lib/unifi/data/keystore links to /etc/ssl/private/unifi.keystore.jks and it's rewritten automatically

  • In /etc/ssl/private/cert.tar there is a backup of the self-signed certs and keystore

I did it a long time ago and I've dropped this idea eventually. It worked for me on Unifi Controller v5.9.32 and CloudKey firmware v0.12.1. YMMV.