Securing the UniFi Controller web interface with an SSL certificate (HTTPS) is not only important, it’s mandatory in my eyes, especially if the controller is publicly available for use via the app or directly by customers/site owners.
I’ve previously discussed how to solve this using Let’s Encrypt in another blog post but there are surely scenarios where a CA approved custom certificate is preferred over Let’s Encrypt, for example;
When an existing SAN- or Wildcard certificate is already purchased and deployed and a HTTPS standardization is needed. a premium certificate option to embed the company name in the omnibox might be in use for example.
When an internal CA is to be used.
The UniFi controller lacks the network access needed for Let’s Encrypt to operate.
There are of course ways to install an existing .pfx certificate exported from say a Windows IIS server and have UniFi present and operate using it.
If an existing .pfx is not available the certificate in it’s entirety can be configured, generated and exported on the server itself using for example openssl. Read more here.
What you’ll need
– SSH Access to the Ubuntu/Debian based machine running UniFi Controller
– The .pfx exported version of the certificate to be used – Use password ‘aircontrolenterprise’
Setup
I’ve created and distributed the installation procedure/command reference over on GitHub as well as below.
First of all you’ll need to transfer your exported .pfx to the /tmp directory of the server, this is easily done via SFTP using for example WinSCP on Windows. Read more about WinSCP commands here, no fear, it’s fully usable with a nice commander style GUI as well.
# Copy C:/path/to/certificate.pfx to ./tmp on server unifi.server.com as username with password P@ssw0rd .\WinSCP.com /command "open sftp://username:P@ssw0rd@unifi.server.com/" "put C:/path/to/certificate.pfx ./tmp"
Secondly the certificate alias will have to be found using the keytool
command.
# .pfx information sudo keytool -list -keystore /tmp/certificate.pfx -storetype pkcs12 # Provide the password used when exporting the certificate. aircontrolenterprise # Note the Alias shown # eg. le-d88c06cd-7919-04f4-bfd1-51eebd0ea8ba
Next up, backup the existing keystore incase a rollback is needed.
# Backup UniFi keystore to /var/lib/unifi/keystore.orig sudo mv /var/lib/unifi/keystore /var/lib/unifi/keystore.orig
Lastly the installation and activation, we’ll create a brand new keystore to replace the now removed as of backing up containing the certificate from the .pfx file using the default configured settings expected from UniFi at startup;
Keystore: /var/lib/unifi/keystore
Alias: unifi
Password: aircontrolenterprise
This will let the Controller start up as per usual, but instead of loading the default self-signed certificate it’ll load the installed exported certificate.
# Navigate to UniFi install folder sudo su - cd /var/lib/unifi/ # Create a new keystore sudo keytool -importkeystore -srcstoretype pkcs12 -srcalias le-d88c06cd-7919-04f4-bfd1-51eebd0ea8ba -srckeystore /tmp/certificate.pfx -keystore keystore -destalias unifi # use -srcalias from above # use -srckeystore from above # Password to open .pfx aircontrolenterprise # Set password to open keystore aircontrolenterprise aircontrolenterprise # Restart UniFi service for changes to take effect sudo service unifi restart
Rollback
Rollback in case of error is done by restoring the keystore.orig to keystore and restarting the service again.
# Rollback sudo mv /var/lib/unifi/keystore /var/lib/unifi/keystore.error sudo mv /var/lib/unifi/keystore.orig /var/lib/unifi/keystore # Restart UniFi service for changes to take effect sudo service unifi restart