3

I want to replace the self-signed UniFi certificate used for the web interface of the UniFi Network application / server v6.5 (on Ubuntu 18 Linux) with a signed (wildcard) certificate and private key I already have.

Where should I put the private key, where the cert and how do I configure the UniFi Network Application / Controller to use this cert?

I found some information, but none of it worked for me or it seemed to be way too complicated.

Ludwig

3 Answers

3

Go to UniFi base folder

cd /usr/lib/unifi

Copy your private key file and the pem file (single file including the cert, intermediate ca cert and chain to the root if needed) to /usr/lib/unifi/

Convert your private key from PKCS#8 to PKCS#1 if necessary (when you get an error message like java.lang.IllegalStateException: private.key contains an artifact that is not a key pair: org.bouncycastle.asn1.pkcs.PrivateKeyInfo)

# OpenSSL 2:
openssl rsa -in private.key -out transformed-private.key

# OpenSSL 3:
openssl pkey -in private.key -traditional -out transformed-private.key

Stop the UniFi Network application

service unifi stop

Import cert and key to keystore

java -jar lib/ace.jar import_key_cert transformed-private.key certificate.pem

Optionally you can add a CA cert as an additional, last parameter (if it is not already included in the certificate.pem)

Start the UniFi Network application

service unifi start

Clean up and delete your cert and private key files.

That's it.

Ludwig
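
A pre-import check for the key and PEM bundle used in the steps above, as an added example that is not part of the original answer: it reports whether the key is PKCS#1 or PKCS#8, counts the certificates in the bundle, and compares the key with the first certificate. It assumes `openssl` is installed and that the leaf certificate comes first in the bundle; the script and function names are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical script name). Usage: sh preflight.sh private.key certificate.pem

# Print the key encoding, judged from the first private-key PEM header in the file.
pem_key_format() {
    header=$(grep -m1 -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null) || { echo none; return 0; }
    case "$header" in
        *"BEGIN RSA PRIVATE KEY"*)       echo pkcs1 ;;            # traditional format
        *"BEGIN ENCRYPTED PRIVATE KEY"*) echo pkcs8-encrypted ;;  # needs a passphrase
        *"BEGIN PRIVATE KEY"*)           echo pkcs8 ;;            # the PrivateKeyInfo case
        *)                               echo other ;;
    esac
}

# Count the certificates in a PEM bundle (leaf plus any intermediates).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Return 0 if the key's public half equals the public key of the first
# certificate in the bundle, 1 on mismatch, 2 if openssl cannot parse a file.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Run all checks; a non-zero return means fix the files before stopping the service.
preflight() {
    rc=0
    fmt=$(pem_key_format "$1")
    echo "key format: $fmt"
    [ "$fmt" = pkcs1 ] || { echo "  not PKCS#1: convert the key before importing"; rc=1; }
    n=$(count_certs "$2")
    echo "certificates in bundle: ${n:-0}"
    [ "${n:-0}" -ge 1 ] || { echo "  no certificate found in bundle"; rc=1; }
    if key_matches_cert "$1" "$2"; then
        echo "key matches the first certificate"
    else
        echo "  key does not match the first certificate, or a file is unreadable"; rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Running it before `service unifi stop` keeps the downtime to the import itself, since a wrong key format or a mismatched pair is caught while the application is still up.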
0

This is exactly what I was looking for.

Additionally, if you are using an internal CA (as I am), you will need to also upload the CA certificate to the server and specify it at the end:

sudo java -jar lib/ace.jar import_key_cert transformed-private.key certificate.pem ca-certificate.pem
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 17 '22 at 07:27
0

This procedure works from a Windows client

You need two files (both in PEM format):

  • unifi-core.crt: The certificate
  • unifi-core.key: Your private key
  1. Enable SSH on https://10.0.0.1/settings/system

  2. Connect and check existing files

From cmd.exe

ssh 10.15.15.1 -l root
cd /mnt/data/unifi-os/unifi-core/config/
ls -lh

  3. Upload the new cert and private key

From (another) cmd.exe

scp unifi-core.crt root@10.0.0.1:/mnt/data/unifi-os/unifi-core/config/unifi-core.crt
scp unifi-core.key root@10.0.0.1:/mnt/data/unifi-os/unifi-core/config/unifi-core.key

  4. Verify the new files and apply

From the existing SSH connection (step 2)

ls -lh
unifi-os restart

  5. Disable SSH https://10.0.0.1/settings/system

Henrik Høyer