Ubiquiti Controller with a Custom SSL Certificate

From Wikistix

By default, the Ubiquiti UniFi Controller ships with a self-signed SSL certificate, which triggers a warning in Google Chrome and requires a few extra clicks to log in. However, this certificate can be replaced quite easily.

The following steps were performed on a NetBSD system with net/unifi installed from pkgsrc, using a certificate obtained from Let's Encrypt. The procedure is easily adapted into a script triggered during Let's Encrypt certificate renewal.

Convert the certificate and private key into a PKCS#12 bundle:

/usr/bin/openssl pkcs12 -export -in /usr/pkg/etc/httpd/www.stix.id.au/fullchain.pem \
    -inkey /usr/pkg/etc/httpd/www.stix.id.au/privkey.pem \
    -out /tmp/pkcs.p12 -passout pass:aircontrolenterprise -name unifi

Import the bundle into the Java keystore:

/usr/pkg/java/openjdk8/bin/keytool -importkeystore \
    -deststorepass aircontrolenterprise \
    -destkeypass aircontrolenterprise \
    -destkeystore  /usr/pkg/unifi/data/keystore \
    -srckeystore /tmp/pkcs.p12 \
    -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi -noprompt
/bin/rm /tmp/pkcs.p12

Restart unifi to reload the keys:

/etc/rc.d/unifi restart
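
The three steps above as a renewal-hook script. This is an added example, not part of the original page: it builds the PKCS#12 bundle in a private mktemp directory instead of the fixed /tmp/pkcs.p12, and restarts unifi only after the keystore's SHA-256 fingerprint matches the renewed certificate. Paths and the keystore password are the ones shown above; the function names and the environment-variable overrides are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the original page. Paths and the keystore password
# are the page's; the variable and function names are assumptions.
OPENSSL=${OPENSSL:-/usr/bin/openssl}
KEYTOOL=${KEYTOOL:-/usr/pkg/java/openjdk8/bin/keytool}
LIVE=${LIVE:-/usr/pkg/etc/httpd/www.stix.id.au}
KEYSTORE=${KEYSTORE:-/usr/pkg/unifi/data/keystore}
RESTART=${RESTART:-/etc/rc.d/unifi}
STOREPASS=aircontrolenterprise

# Reduce a fingerprint line from openssl or keytool to bare lowercase hex.
fp_hex() {
    printf '%s\n' "$1" | sed -e 's/.*[[:space:]=]//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Build the PKCS#12 bundle in a private directory and import it.
install_unifi_cert() {
    # mktemp -d yields a mode-0700 directory with an unpredictable name,
    # so the exported key is never readable by other local users.
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/unifi-cert.XXXXXX") || return 1
    p12=$tmpdir/pkcs.p12
    rc=0
    "$OPENSSL" pkcs12 -export -in "$LIVE/fullchain.pem" \
        -inkey "$LIVE/privkey.pem" -out "$p12" \
        -passout "pass:$STOREPASS" -name unifi &&
    "$KEYTOOL" -importkeystore -deststorepass "$STOREPASS" \
        -destkeypass "$STOREPASS" -destkeystore "$KEYSTORE" \
        -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -alias unifi -noprompt || rc=1
    rm -rf "$tmpdir"    # remove the key copy whether or not the import worked
    return "$rc"
}

# Succeed only if the keystore's leaf certificate is the renewed one.
verify_unifi_cert() {
    want=$("$OPENSSL" x509 -in "$LIVE/fullchain.pem" -noout \
        -fingerprint -sha256) || return 1
    have=$("$KEYTOOL" -list -v -alias unifi -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" | grep 'SHA256:' | head -n 1)
    [ -n "$have" ] && [ "$(fp_hex "$want")" = "$(fp_hex "$have")" ]
}

# Entry point for the renewal hook: restart only after a verified import.
renew_hook() {
    install_unifi_cert || { echo "keystore import failed" >&2; return 1; }
    verify_unifi_cert || { echo "keystore certificate mismatch" >&2; return 1; }
    "$RESTART" restart
}
```

End the script with a call to renew_hook and have the Let's Encrypt client run it after each successful renewal.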

See Also