Kalle Lilja


Install PFX certificate – UniFi Controller

Existing CA approved certificate

Securing the UniFi Controller web interface with an SSL certificate (HTTPS) is not only important, it’s mandatory in my eyes, especially if the controller is publicly available for use via the app or directly by customers/site owners.
I’ve previously discussed how to solve this using Let’s Encrypt in another blog post, but there are surely scenarios where a CA approved custom certificate is preferred over Let’s Encrypt, for example:
– When an existing SAN or wildcard certificate is already purchased and deployed and HTTPS standardization is needed; a premium certificate option that embeds the company name in the omnibox might be in use, for example.
– When an internal CA is to be used.
– When the UniFi controller lacks the network access needed for Let’s Encrypt to operate.

There are of course ways to install an existing .pfx certificate exported from, say, a Windows IIS server and have UniFi present and operate using it.
If an existing .pfx is not available, the certificate in its entirety can be configured, generated and exported on the server itself using, for example, openssl. Read more here.

What you’ll need

– SSH Access to the Ubuntu/Debian based machine running UniFi Controller
– The .pfx exported version of the certificate to be used – Use password ‘aircontrolenterprise’

Setup

I’ve created and distributed the installation procedure/command reference over on GitHub as well as below.

First of all you’ll need to transfer your exported .pfx to the /tmp directory of the server. This is easily done via SFTP using, for example, WinSCP on Windows. Read more about WinSCP commands here; no fear, it’s fully usable with a nice commander-style GUI as well.

Secondly, the alias of the certificate in the .pfx will have to be found using the keytool command.

Next up, back up the existing keystore in case a rollback is needed.

Lastly, the installation and activation: we’ll create a brand new keystore (the old one having been moved aside in the backup step) containing the certificate from the .pfx file, using the default settings UniFi expects at startup:
Keystore: /var/lib/unifi/keystore
Alias: unifi
Password: aircontrolenterprise
This will let the Controller start up as per usual, but instead of loading the default self-signed certificate it’ll load the installed exported certificate.

Rollback

Rollback in case of error is done by restoring the keystore.orig to keystore and restarting the service again.
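The whole procedure from the Setup section (alias lookup, backup, new keystore, restart, verification) together with the rollback above, collected into one script. This is an added example written for this post, not the author’s GitHub command reference. It assumes keytool (from the JRE the controller runs on) is on PATH, that the controller is a systemd service named unifi running as the unifi user, and that the .pfx was exported with the password ‘aircontrolenterprise’ as required above; the keystore path, alias and password are the defaults listed in the post. Only the alias-parsing helper runs without a controller present, which is what the constructed sample output exercises.

```shell
#!/bin/sh
# Added example (not the author's script): install a .pfx into the UniFi
# Controller keystore, verify it, and roll back if needed.
# Assumptions: keytool on PATH, systemd unit "unifi" running as user "unifi",
# .pfx exported with the password 'aircontrolenterprise'.
set -eu

KEYSTORE=/var/lib/unifi/keystore
BACKUP=/var/lib/unifi/keystore.orig
ALIAS=unifi
PASS=aircontrolenterprise

# Extract the first "Alias name:" line from `keytool -list -v` output on stdin.
# Pure text processing, so it can be checked without keytool or a real .pfx.
parse_alias() {
    sed -n 's/^Alias name:[[:space:]]*//p' | head -n 1
}

# Sanity checks before touching the live keystore: readable .pfx and keytool present.
check_pfx() {
    [ -r "$1" ] || { echo "pfx not readable: $1" >&2; return 1; }
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
}

# Step 2: find the alias inside the exported .pfx (a PKCS12 store).
pfx_alias() {
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$PASS" | parse_alias
}

# Step 3: move the current keystore aside so a rollback is a single mv.
backup_keystore() {
    if [ -f "$KEYSTORE" ]; then
        mv "$KEYSTORE" "$BACKUP"
    fi
}

# Step 4: build a fresh JKS keystore holding only the .pfx entry, renamed to the
# alias UniFi expects, then restart so the controller loads it.
install_pfx() {
    pfx=$1
    src_alias=$(pfx_alias "$pfx")
    [ -n "$src_alias" ] || { echo "no alias found in $pfx" >&2; return 1; }
    backup_keystore
    keytool -importkeystore \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias "$src_alias" \
        -destkeystore "$KEYSTORE" -deststoretype JKS -deststorepass "$PASS" -destkeypass "$PASS" \
        -destalias "$ALIAS"
    # keytool run as root leaves a root-owned file; the service user must read it
    # (assumed to be "unifi", as on the Debian/Ubuntu package).
    chown unifi:unifi "$KEYSTORE"
    systemctl restart unifi
    # Verify the live keystore now holds the entry UniFi will load at startup.
    keytool -list -keystore "$KEYSTORE" -storepass "$PASS" -alias "$ALIAS" >/dev/null
}

# Rollback: put keystore.orig back as keystore and restart the service.
rollback() {
    [ -f "$BACKUP" ] || { echo "no backup at $BACKUP" >&2; return 1; }
    mv "$BACKUP" "$KEYSTORE"
    systemctl restart unifi
}

# Usage:  UNIFI_PFX=/tmp/cert.pfx sh install-pfx.sh    (install)
#         UNIFI_ROLLBACK=1 sh install-pfx.sh           (rollback)
if [ -n "${UNIFI_PFX:-}" ]; then
    check_pfx "$UNIFI_PFX" && install_pfx "$UNIFI_PFX"
elif [ -n "${UNIFI_ROLLBACK:-}" ]; then
    rollback
fi
```

The final keytool -list is the check worth keeping: if the import silently produced an empty or wrongly-aliased store, the controller would fall back to failing to start rather than serving the new certificate, and it is cheaper to catch that here than in the UniFi log.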