I’ve just replaced the certificate on my Unifi controller due to the Google Chrome warnings about certificates with no Subject Alternative Name extension. I had to use my strongest Google-Fu and search for “Unifi Controller Import Externally Generated Certificate”. It was pretty hard finding all the details I needed, so this is my gift to you: everything you need to know about importing an externally generated certificate into the Unifi Controller, in one blog post. Generating a CSR on the Unifi controller does not support SAN (Subject Alternative Name) extensions, so you need to generate the CSR externally, have it signed by a CA, then import it back into the controller in PKCS12 format.
Step 1)
First, generate a key pair and a CSR that include a Subject Alternative Name, using the method I documented in a previous post:
Using OpenSSL to generate CSR’s with Subject Alternative Name
Step 2)
Have a CA sign the CSR, then generate a PKCS12 as below, replacing the file names with your own:
$ sudo openssl pkcs12 -export -out unifi.pfx -inkey unifi-corp-netassured-co.uk.key -in unifi.cer
Enter Export Password:
Verifying - Enter Export Password:
Step 3)
Import the PKCS12 into the Java keystore on the VM hosting your controller:
$ sudo service unifi stop
$ sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore unifi.pfx -srcstoretype PKCS12 -srcstorepass password -noprompt
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ sudo service unifi start
Test the new certificate
Now attempt a new connection to your controller and hopefully see a nice green secure padlock 🙂
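The three steps above, run end to end as an added example (not the post's own commands) against a throwaway directory, so the PKCS12 and the keystore entry can be inspected before anything touches a real controller. Everything it uses is constructed for the example: the hostname unifi.example.test, a local test CA standing in for the CA that signs your CSR, an export password, and a keystore file under a temp directory standing in for /var/lib/unifi/keystore. The keystore password is the one the post uses.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions (constructed here, not
# from the post): hostname unifi.example.test, a throwaway CA in place of the real
# CA, a keystore under $WORK in place of /var/lib/unifi/keystore.

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-unifi.example.test}"
EXPORT_PASS="${EXPORT_PASS:-changeit-export}"     # PKCS12 export password (constructed)
STORE_PASS="${STORE_PASS:-aircontrolenterprise}"  # keystore password as used in the post
KEYSTORE="${KEYSTORE:-$WORK/keystore}"            # stand-in for /var/lib/unifi/keystore

# Step 1: key pair and CSR carrying a subjectAltName. The controller's built-in
# CSR generator cannot add this extension, which is why the CSR is made externally.
gen_key_csr() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST, DNS:unifi
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/san.cnf" \
    -keyout "$WORK/unifi.key" -out "$WORK/unifi.csr" 2>/dev/null
}

# Step 2a: have a CA sign the CSR. A throwaway CA is created here only so the
# example runs offline; in practice this is your corporate or public CA.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/san.cnf" \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # -extfile/-extensions re-applies the SAN section: "x509 -req" drops the CSR's
  # extensions unless told to keep them, a common reason the SAN goes missing.
  openssl x509 -req -in "$WORK/unifi.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/unifi.cer" 2>/dev/null
}

# Step 2b: bundle key and certificate as PKCS12, the format the controller imports.
make_pkcs12() {
  openssl pkcs12 -export -out "$WORK/unifi.pfx" -inkey "$WORK/unifi.key" \
    -in "$WORK/unifi.cer" -passout "pass:$EXPORT_PASS"
}

# Check before import: how many certificate lines in the bundle name the host as a
# DNS SAN (the SAN list prints on one line, so the expected count is 1).
san_count_in_pfx() {
  openssl pkcs12 -in "$WORK/unifi.pfx" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null |
    openssl x509 -noout -text | grep -c "DNS:$HOST"
}

# Step 3: import into the Java keystore and confirm a private-key entry landed.
# Skipped (returns 0) when keytool is not installed on this machine.
import_keystore() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping keystore import" >&2
    return 0
  fi
  keytool -importkeystore -noprompt \
    -deststorepass "$STORE_PASS" -destkeypass "$STORE_PASS" -destkeystore "$KEYSTORE" \
    -srckeystore "$WORK/unifi.pfx" -srcstoretype PKCS12 -srcstorepass "$EXPORT_PASS" \
    >/dev/null 2>&1 || return 1
  keytool -list -keystore "$KEYSTORE" -storepass "$STORE_PASS" 2>/dev/null |
    grep -q PrivateKeyEntry
}

run_all() {
  gen_key_csr && sign_with_test_ca && make_pkcs12 && import_keystore
}
```

Two things worth checking on a real controller that the post's commands do not show: `keytool -list -v -keystore /var/lib/unifi/keystore` prints the alias the entry was imported under (the imported entry keeps whatever alias the PKCS12 carried; the post's output shows `1`) and the certificate's SAN list, so you can confirm both before restarting the service. Also, passing `-srcstorepass` and `-deststorepass` on the command line, as both the post and this example do, leaves the passwords in shell history and visible to other users via `ps` while keytool runs; clear the history entry afterwards or drive the passwords from a file with restricted permissions.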