SSL certificate installation on the Ubiquiti Unifi controller

Like a lot of users, I got tired of the SSL certificate error page every time I visited the controller’s page.

Unfortunately, Ubiquiti doesn’t provide an “easy” upload functionality through the web interface.

But they do provide some documentation, which seems easy and quick enough. Or so I thought.

Ubiquiti documentation

You can find the relevant documentation on the Ubiquiti online documentation page.

To import an SSL certificate, you simply use the ace.jar Java archive that ships under the /usr/lib/unifi directory (the command below is run from that directory, which is why the path is relative):

java -jar lib/ace.jar import_cert <signed_cert> [<other_intermediate_root_certs>...]

But this did not work for me. After running the above command, I got an error that the certificate could not be imported into the keystore.

Using the keytool

During my search for a solution, I came across a Git repository by Steve Jenkins. This repository includes a shell script for installing SSL certificates on the Unifi controller.

Being cautious about running scripts from the internet, I looked for the commands that actually import the certificate.

I noticed the script uses the keytool utility to handle the SSL certificate import.

Before messing around with it, I first tried it out to see what keytool actually does.
In short, keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and the certificates associated with them, which are used to authenticate themselves to peers.
It also allows users to cache the public keys (in the form of certificates) of the peers they communicate with.

First, let’s check what is stored inside the keystore.

You can do this by using the following command:

sudo keytool -list -keystore /var/lib/unifi/keystore

The keytool asks you to enter a password. The default keystore password is aircontrolenterprise.

Once you enter the password, you see a list of all the certificates currently present in the keystore.

Digging deeper into the script, you’ll see that you first need to delete the certificate with the “unifi” alias before you import the new one. You can delete it using the following command:

sudo keytool -delete -alias unifi -keystore /var/lib/unifi/keystore

After that you can run the keytool -list command again to confirm that the certificate is no longer present.

Import your SSL certificate

The next step is to import the new SSL certificate. You can do this by running the following commands:

openssl pkcs12 -export -in <certificate.crt> -inkey <certificate_key.key> -out <tempfile> -passout pass:aircontrolenterprise -name unifi
keytool -importkeystore -srckeystore <tempfile> -srcstoretype pkcs12 -srcstorepass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -deststoretype pkcs12 -alias unifi -trustcacerts

However, this did not do the trick for me. When importing the SSL certificate, I got the following error:

Keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

If you get a similar error, you can try running the commands as follows (the CA bundle is passed with -certfile and the private key is left unencrypted inside the PKCS12 file with -nodes):

openssl pkcs12 -export -nodes -out <tempfile> -inkey <certificate_key.key> -in <certificate.crt> -certfile <bundle.ca-bundle> -passout pass:aircontrolenterprise -name unifi
keytool -importkeystore -srckeystore <tempfile> -srcstorepass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -alias unifi -trustcacerts

This creates a keystore in JKS format. Unifi has no problem with it, but when you list the certificates you’ll see a warning like this:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /var/lib/unifi/keystore -destkeystore /var/lib/unifi/keystore -deststoretype pkcs12".

In addition, if you want to convert the keystore to PKCS12 format, back it up first and then run the command shown in the warning:

keytool -importkeystore -srckeystore /var/lib/unifi/keystore -destkeystore /var/lib/unifi/keystore -deststoretype pkcs12

The only thing left to do is to restart the Unifi controller, and you are good to go:

systemctl restart unifi
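As an added example (not code from the original post, from Steve Jenkins’ repository, or from Ubiquiti), here is the whole procedure above wrapped in one POSIX shell script. It checks that the PEM files look right and that the certificate actually matches the private key, backs up the keystore, bundles certificate, key and chain into a PKCS12 file, replaces the “unifi” entry, verifies that the entry is back before restarting the controller, and points you at the backup if anything went wrong. The script name, the argument order, and the use of -srcalias/-destalias and -destkeypass are my choices rather than something on the page; the keystore path, alias and default password are the ones the post quotes, and the PKCS12 file is built the same way as the post’s working openssl command but without -nodes.

```sh
#!/bin/sh
# Added example, not from the original post: the keystore replacement described
# above wrapped in one script with a backup and pre-flight checks.
# Assumed (not stated on the page): run as root on the controller host, with
# openssl, keytool and systemctl available, invoked as
#   ./unifi-cert.sh <certificate.crt> <certificate_key.key> <bundle.ca-bundle>

KEYSTORE=/var/lib/unifi/keystore
STOREPASS=aircontrolenterprise   # default keystore password quoted in the post
ALIAS=unifi                      # alias the controller reads its certificate from

# Succeed if FILE ($1) holds a PEM block whose label ends in $2,
# e.g. "CERTIFICATE" or "PRIVATE KEY" (also matches "RSA PRIVATE KEY").
pem_has_block() {
    grep -q -e "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# Print a timestamped backup path for the keystore ($1).
backup_path() {
    printf '%s.bak.%s\n' "$1" "$(date +%Y%m%d%H%M%S)"
}

# Succeed only if the certificate ($1) and key ($2) carry the same public key,
# so a mismatched pair is caught before anything is deleted from the keystore.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256) || return 1
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if the keystore already has an entry under ALIAS.
alias_present() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" >/dev/null 2>&1
}

install_cert() {
    cert=$1 key=$2 bundle=$3
    pem_has_block "$cert" CERTIFICATE || { echo "$cert: no PEM certificate" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "$key: no PEM private key" >&2; return 1; }
    cert_matches_key "$cert" "$key"   || { echo "certificate and key do not match" >&2; return 1; }

    backup=$(backup_path "$KEYSTORE")
    cp -p "$KEYSTORE" "$backup" || return 1
    echo "keystore backed up to $backup"

    # Bundle certificate, key and chain into a PKCS12 file protected with the
    # keystore password (the post's working openssl command, minus -nodes).
    p12=$(mktemp) || return 1
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$bundle" \
        -name "$ALIAS" -passout "pass:$STOREPASS" -out "$p12" \
        || { rm -f "$p12"; return 1; }

    # Drop the old "unifi" entry only if it exists, then import the new one.
    if alias_present; then
        keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            || { rm -f "$p12"; return 1; }
    fi
    keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
        -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" \
        -destkeypass "$STOREPASS" -destalias "$ALIAS" -noprompt
    status=$?
    rm -f "$p12"

    # Confirm the entry is back before restarting; otherwise leave the backup for recovery.
    [ "$status" -eq 0 ] && alias_present \
        || { echo "import failed; restore with: cp -p $backup $KEYSTORE" >&2; return 1; }

    systemctl restart unifi
}

# Only act when called with the three files; sourcing the script runs nothing.
if [ "$#" -eq 3 ]; then
    install_cert "$1" "$2" "$3"
fi
```

Run it as root with the same three files the post’s second openssl command takes. The keystore is copied aside before the “unifi” entry is deleted, so if the post-import check fails nothing has been lost: copy the timestamped backup back over /var/lib/unifi/keystore and the controller keeps working with the old certificate. The optional JKS-to-PKCS12 migration from the post is deliberately left out of the script; run it by hand after you have a backup.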