Kalle Lilja

Install PFX certificate – UniFi Controller

Existing CA approved certificate

Securing the UniFi Controller web interface with an SSL certificate (HTTPS) is not only important, it’s mandatory in my eyes, especially if the controller is publicly reachable, whether through the app or directly by customers/site owners.
I’ve previously discussed how to solve this using Let’s Encrypt in another blog post, but there are surely scenarios where a CA-approved custom certificate is preferred over Let’s Encrypt, for example:
– When an existing SAN or wildcard certificate is already purchased and deployed and HTTPS standardization is needed; a premium certificate option that embeds the company name in the omnibox might be in use, for example.
– When an internal CA is to be used.
– When the UniFi controller lacks the network access needed for Let’s Encrypt to operate.

There are of course ways to install an existing .pfx certificate exported from, say, a Windows IIS server and have UniFi present and operate using it.
If an existing .pfx is not available, the certificate in its entirety can be configured, generated and exported on the server itself using for example openssl. Read more here.

What you’ll need

– SSH Access to the Ubuntu/Debian based machine running UniFi Controller
– The .pfx exported version of the certificate to be used – Use password ‘aircontrolenterprise’

Setup

I’ve created and distributed the installation procedure/command reference over on GitHub as well as below.

First of all you’ll need to transfer your exported .pfx to the /tmp directory of the server. This is easily done via SFTP using for example WinSCP on Windows. Read more about WinSCP commands here; no fear, it’s fully usable with a nice commander-style GUI as well.

# Copy C:/path/to/certificate.pfx to /tmp on server unifi.server.com as username with password P@ssw0rd
# (the remote path must be /tmp, where the later keytool steps look for it; note the password given on the command line ends up in the shell history)
.\WinSCP.com /command "open sftp://username:P@ssw0rd@unifi.server.com/" "put C:/path/to/certificate.pfx /tmp/" "exit"

Secondly, the certificate alias has to be found using the keytool command.

# List the .pfx contents
sudo keytool -list -keystore /tmp/certificate.pfx -storetype pkcs12
# Provide the password used when exporting the certificate at the prompt
aircontrolenterprise
# Note the alias shown
# e.g. le-d88c06cd-7919-04f4-bfd1-51eebd0ea8ba

Next up, back up the existing keystore in case a rollback is needed.

# Backup UniFi keystore to /var/lib/unifi/keystore.orig
sudo mv /var/lib/unifi/keystore /var/lib/unifi/keystore.orig

Lastly, the installation and activation. We’ll create a brand new keystore in place of the one just moved aside, containing the certificate from the .pfx file and using the default settings UniFi expects at startup:
– Keystore: /var/lib/unifi/keystore
– Alias: unifi
– Password: aircontrolenterprise
This lets the Controller start up as usual, but instead of loading the default self-signed certificate it loads the installed exported certificate.

# Become root and change to the UniFi data directory
sudo su -
cd /var/lib/unifi/
# Create a new keystore from the .pfx
# -srcalias is the alias noted above, -srckeystore the .pfx uploaded to /tmp
keytool -importkeystore -srcstoretype pkcs12 -srcalias le-d88c06cd-7919-04f4-bfd1-51eebd0ea8ba -srckeystore /tmp/certificate.pfx -keystore keystore -destalias unifi
# keytool prompts for the password of the new keystore (entered twice) and for the password of the .pfx;
# answer aircontrolenterprise to all three, since UniFi opens the keystore with that password at startup
aircontrolenterprise
aircontrolenterprise
aircontrolenterprise
# Restart UniFi service for changes to take effect
service unifi restart

Rollback

Rollback in case of error is done by restoring keystore.orig to keystore and restarting the service again.

# Rollback
sudo mv /var/lib/unifi/keystore /var/lib/unifi/keystore.error
sudo mv /var/lib/unifi/keystore.orig /var/lib/unifi/keystore
# Restart UniFi service for changes to take effect
sudo service unifi restart
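The whole procedure above, from finding the alias to the rollback, as one added POSIX shell script that is not from the post or from Ubiquiti. It assumes the same paths and password as above, that it runs as root, and that the controller runs as the unifi user (so the new keystore is handed to it); unlike the manual steps it extracts the alias itself, imports non-interactively, and verifies that the new keystore holds exactly one key under alias unifi before swapping it in.

```sh
#!/bin/sh
# Added helper (not from the post or Ubiquiti): installs the PFX into the UniFi keystore
# non-interactively, verifies the result before activating it, and can roll back.
# Assumed: PFX at /tmp/certificate.pfx, keystore /var/lib/unifi/keystore, password
# aircontrolenterprise for both, service account "unifi", run as root.
PFX="${PFX:-/tmp/certificate.pfx}"
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"
STOREPASS="${STOREPASS:-aircontrolenterprise}"

# Constructed sample of "keytool -list" output, used to exercise pfx_alias offline.
SAMPLE_LIST='Keystore type: PKCS12
le-d88c06cd-7919-04f4-bfd1-51eebd0ea8ba, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC'

# Read "keytool -list" output on stdin and print the alias of its private-key entry.
# Entry lines read "<alias>, <date>, PrivateKeyEntry,"; the date contains a comma too,
# so only the text before the first comma is the alias. Fails unless exactly one entry.
pfx_alias() {
    found=$(grep 'PrivateKeyEntry' | sed 's/^\([^,]*\),.*/\1/')
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# True when keystore $1 holds exactly one private key, stored under the alias "unifi"
# that the controller looks up at startup.
keystore_ok() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null | pfx_alias | grep -qx unifi
}

install_cert() {
    src_alias=$(keytool -list -keystore "$PFX" -storetype pkcs12 -storepass "$STOREPASS" | pfx_alias) \
        || { echo "PFX must hold exactly one private-key entry" >&2; return 1; }
    cp -p "$KEYSTORE" "$KEYSTORE.orig"   # copy kept for rollback
    # Build the replacement next to the live keystore; the live one changes only after it verifies.
    if keytool -importkeystore -noprompt -srckeystore "$PFX" -srcstoretype pkcs12 \
            -srcstorepass "$STOREPASS" -srcalias "$src_alias" -destkeystore "$KEYSTORE.new" \
            -deststorepass "$STOREPASS" -destalias unifi && keystore_ok "$KEYSTORE.new"; then
        mv "$KEYSTORE.new" "$KEYSTORE" && chown unifi:unifi "$KEYSTORE" && service unifi restart
    else
        echo "import or verification failed; live keystore left unchanged" >&2
        rm -f "$KEYSTORE.new"; return 1
    fi
}

rollback() {   # same as the manual rollback: set the failed keystore aside, restore the backup
    mv "$KEYSTORE" "$KEYSTORE.error" && mv "$KEYSTORE.orig" "$KEYSTORE" && service unifi restart
}
case "${1:-}" in install) install_cert ;; rollback) rollback ;; esac
```

Run it with the argument install or rollback; SAMPLE_LIST is only there to try the alias parser without a real .pfx.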