How to install an SSL certificate on a Unifi Cloud Key

This guide is for those who want to install an SSL certificate on their Unifi Cloud Key.
By default, the Cloud Key uses a self-signed certificate, which produces a rather annoying "connection is insecure" warning in your browser.

This guide was written against a Cloud Key running controller version 5.10.12.

In order to import/edit our SSL certificate for the Unifi Cloud Key, a few different programs are needed, as listed below.

1. PuTTY https://www.putty.org/
2. Notepad++ https://notepad-plus-plus.org/download/v7.6.3.html
3. FileZilla, FlashFXP, WinSCP etc.
4. KeyStore Explorer (https://keystore-explorer.org/)
5. Win64 OpenSSL v1.1.1a (https://slproweb.com/products/Win32OpenSSL.html)
6. 7zip https://www.7-zip.org/download.html

First, we must have purchased an SSL certificate, which can be bought in several places on the web.
For example, mine was purchased at http://cheapsslshop.com for $8.95 (approx. 58 DKK). It is a Comodo Positive SSL, which is at the very cheap end and requires only domain validation.
Just remember to select an SSL certificate with 256-bit encryption and a 2048-bit RSA key, which should be the default. The Unifi controller works with a keystore file (unifi.keystore.jks); this file must contain the entire certificate chain as well as the key.

The keystore file must have the password: aircontrolenterprise
The keystore file must have the alias: unifi
cert.tar – contains the three files shown below. During the boot process, a check is made as to whether these files are out of sync.
cloudkey.crt – the *.myDomain.dk certificate.
cloudkey.key – the *.myDomain.dk private key for the certificate.
unifi.keystore.jks – the .crt and .key combined, for Java certificate management.

In short, we must create the following on the Cloud Key (done via PuTTY):
cloudkey.crt
cloudkey.key
CSR (Certificate Signing Request)

Make a complete backup of your Cloud Key settings so you’re on the safe side if something goes wrong.

Connect to the Cloud Key via SFTP.
Backup the folder:
/etc/ssl/private/

And take a backup of the file system.properties
Location:  /usr/lib/unifi/data/system.properties

I’ve created three folders as shown here.
Remember to copy the file unifi.keystore.jks and system.properties to the Convert folder, as we will use these files later in this guide.

Backup SSL Cloud Key = copy of /etc/ssl/private/ and the file /usr/lib/unifi/data/system.properties
Convert = copy of unifi.keystore.jks and system.properties
Upload to Cloud Key = files to be uploaded to the Cloud Key after they have been converted.

Now that we have a backup of all the files, delete everything in /etc/ssl/private/.
This can be done either via PuTTY or via SFTP.

PuTTY

rm -f /etc/ssl/private/*

Or via SFTP


Open the file system.properties and add the line: app.keystore.pass=aircontrolenterprise
Upload/overwrite the file on the Cloud Key via SFTP so that it now contains:
app.keystore.pass=aircontrolenterprise


CSR – Certificate Signing Request (connect to the Cloud Key via SSH, using PuTTY)

First, generate a new private key with the following command via PuTTY:

openssl genrsa -out /etc/ssl/private/cloudkey.key 2048

Create a new CSR with the following command via PuTTY:

openssl req -new -batch \
-subj "/C=DK/ST=DK/L=Denmark/O=myDomain.dk/OU=UniFi/CN=unifi.myDomain.dk/emailAddress=my@e-mail.dk" \
-key /etc/ssl/private/cloudkey.key \
-out /etc/ssl/private/cloudkey.csr

Remember to customize "CN=" (the common name) so that it points to your domain, for example unifi.myDomain.dk. It must of course be the same name the SSL certificate is issued/purchased for.

Now copy the two new files, cloudkey.key and cloudkey.csr, from the Cloud Key into the "Convert" folder.

Issue the SSL certificate from your SSL provider.

All SSL providers work the same way: you use the CSR to get your certificate issued.
Open the cloudkey.csr file in Notepad++, as we need its contents to get our certificate issued at http://cheapsslshop.com.

Remember to have an extra line after -----END CERTIFICATE REQUEST----- as shown below.

Once the certificate is issued, you will receive an email either with a link or a zip file containing the certificate.

Take note of both Intermediate CA certificates, as these will be used later in the guide.
Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt

Create a new *.cer file

Now that we have all the files needed to move on, we must create a *.cer file that contains the certificate itself (unifi.myDomain.dk) and the corresponding intermediates mentioned earlier:
Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt

If you have more than one Intermediate CA certificate, add them all. Start with your own SSL certificate and follow the chain up to the Root CA.

Note: you do not need to include the Root CA certificate.
Then paste the certificate and both Intermediate CA certificates so that the file cerfile.cer looks like the following:
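Both the CSR you paste into the provider's form (the extra line after END CERTIFICATE REQUEST) and cerfile.cer (your certificate first, then each intermediate up the chain, no root and no key) are plain PEM text, so their layout can be checked mechanically before OpenSSL ever sees them. The following Python script is an added example and is not code from this guide or from Ubiquiti; it checks only the PEM armoring and block order, not signatures, so `openssl verify` remains the authoritative test of the chain. The `_fake_pem` blocks, `LEAF`, `SECTIGO_DV`, `USERTRUST` and `ROOT` are constructed placeholders with made-up bodies so the script runs offline; with a real order, read the leaf and the .crt files the CA sent instead.

```python
"""Check the layout of the PEM files used in this guide: the CSR text and cerfile.cer.

Added example (not from the guide). It validates armoring and block order only;
it does not parse X.509 or check signatures.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return (label, body) for each armored block; body has all whitespace removed."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_RE.finditer(text)]


def _single_cert_body(pem):
    blocks = pem_blocks(pem)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError("expected exactly one CERTIFICATE block")
    return blocks[0][1]


def build_chain(leaf_pem, intermediate_pems):
    """Assemble cerfile.cer: your certificate first, then each intermediate up the chain.
    Every block is written with a trailing newline so END/BEGIN lines never run together."""
    parts = [leaf_pem] + list(intermediate_pems)
    for p in parts:
        _single_cert_body(p)  # reject inputs that are not a single certificate
    return "".join(p.strip() + "\n" for p in parts)


def check_csr(text):
    """Problems with a CSR as pasted into the provider's form; [] means it is fine."""
    problems = []
    if [label for label, _ in pem_blocks(text)] != ["CERTIFICATE REQUEST"]:
        problems.append("expected exactly one CERTIFICATE REQUEST block")
    if not text.endswith("\n"):
        problems.append("missing newline after -----END CERTIFICATE REQUEST-----")
    return problems


def check_chain(bundle_text, leaf_pem, intermediate_pems, root_pem=None):
    """Problems with cerfile.cer compared to the individual files the CA sent; [] means OK."""
    problems = []
    blocks = pem_blocks(bundle_text)
    if any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("only CERTIFICATE blocks belong in the .cer file (no key, no CSR)")
    bodies = [body for label, body in blocks if label == "CERTIFICATE"]
    if root_pem is not None:
        root_body = _single_cert_body(root_pem)
        if root_body in bodies:
            problems.append("the Root CA certificate should not be included")
            bodies = [b for b in bodies if b != root_body]
    expected = [_single_cert_body(p) for p in [leaf_pem] + list(intermediate_pems)]
    if bodies != expected:
        problems.append("order must be: your certificate, then each intermediate up to the root")
    if not bundle_text.endswith("\n"):
        problems.append("file should end with a newline after the last END line")
    return problems


def _fake_pem(label, seed):
    """Constructed placeholder block: the body is base64 of a label, not real DER."""
    body = base64.b64encode((seed * 4).encode()).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed inputs in chain order: leaf, the CA that issued it, then that CA's issuer.
LEAF = _fake_pem("CERTIFICATE", "unifi.myDomain.dk ")
SECTIGO_DV = _fake_pem("CERTIFICATE", "SectigoRSADomainValidationSecureServerCA ")
USERTRUST = _fake_pem("CERTIFICATE", "USERTrustRSAAddTrustCA ")
ROOT = _fake_pem("CERTIFICATE", "root CA placeholder ")

if __name__ == "__main__":
    cerfile = build_chain(LEAF, [SECTIGO_DV, USERTRUST])
    print("cerfile.cer problems:", check_chain(cerfile, LEAF, [SECTIGO_DV, USERTRUST], ROOT))
    print("with root appended:", check_chain(cerfile + ROOT, LEAF, [SECTIGO_DV, USERTRUST], ROOT))
    print("CSR without trailing newline:",
          check_csr(_fake_pem("CERTIFICATE REQUEST", "csr ").rstrip("\n")))
```

The comparison is done on the base64 bodies rather than on subject/issuer names, which is enough to catch the three mistakes the guide warns about (wrong order, root included, missing final newline) without needing an X.509 parser on the Windows side.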


The next step is to create a PFX file (PKCS#12) containing the newly created cerfile.cer and the key file cloudkey.key.

Copy both cerfile.cer and cloudkey.key from the “Convert” folder to C:\Program Files\OpenSSL-Win64\bin

Run openssl.exe as administrator, then enter the following command.
You must type the command in, as pasting text does not work in this window.
Remember to adjust the command if you have named your cerfile.cer something else.

openssl pkcs12 -export -in CerFile.cer -inkey cloudkey.key -out cloudkey.pfx

Choose your own password at "Enter Export Password". It can differ from the password used in the Unifi controller; that is entirely up to you.

Copy the file cloudkey.pfx into the "Convert" folder.

Then open the unifi.keystore.jks file in KeyStore Explorer, entering the password aircontrolenterprise to open it.

Then delete the existing unifi entry as shown here:
Right-click it and select "Delete"

Select ”Yes”

Select "Tools" from the menu, then "Import Key Pair"

Then locate cloudkey.pfx in the "Convert" folder.
Select the format PKCS #12

Enter the password you used earlier to create the *.PFX file,
along with the location of the *.PFX file,
and click "Import"

Under "Enter Alias", type "unifi" as shown, then click OK.

Enter the password: aircontrolenterprise
Click on “Ok”

The key is now correctly imported and there are very few things missing before we can start uploading files to our Cloud Key.
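Before moving on, it is worth confirming that the saved unifi.keystore.jks really meets the requirements stated at the start of the guide: password aircontrolenterprise, a single private-key entry aliased unifi, and the intermediate certificate(s) stored alongside your certificate. The following Python script is an added example, not code from this guide or from Ubiquiti; it reads the Sun JKS container directly (magic 0xFEEDFEED, version, entry list, trailing SHA-1 integrity digest keyed by the password), so it needs no Java and can be run on the Cloud Key itself. `build_jks` and `SAMPLE` are constructed placeholders (the "encrypted key" and "certificates" are dummy bytes) so the script runs offline; pass the bytes of the real file to `check_unifi_keystore` to use it.

```python
"""Inspect unifi.keystore.jks without Java: list entries and verify the password.

Added example, not part of the guide. JKS layout assumed here (Sun JavaKeyStore):
  int magic 0xFEEDFEED, int version (2), int entry count, entries,
  then SHA-1(password as UTF-16BE + "Mighty Aphrodite" + everything before the digest).
"""
import hashlib
import hmac
import struct
import time

MAGIC = 0xFEEDFEED
KEYSTORE_PASS = "aircontrolenterprise"  # password the controller expects (from the guide)
REQUIRED_ALIAS = "unifi"                # alias the controller expects (from the guide)


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _digest(body, password):
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_jks(entries, password):
    """Write a version-2 JKS with private-key entries only (the kind unifi needs).
    entries: list of (alias, protected_key_bytes, [cert_der, ...]). Used for the sample."""
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, prot_key, chain in entries:
        body += struct.pack(">I", 1) + _utf(alias) + struct.pack(">Q", int(time.time() * 1000))
        body += struct.pack(">I", len(prot_key)) + prot_key
        body += struct.pack(">I", len(chain))
        for cert in chain:
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(body, password)


def _walk(data):
    """Parse the entry list; returns (entries, offset where the integrity digest starts)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp
        if tag == 1:  # private key entry: protected key, then certificate chain
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(clen):
                if version == 2:
                    _, pos = _read_utf(data, pos)  # certificate type, e.g. "X.509"
                (n,) = struct.unpack_from(">I", data, pos)
                pos += 4 + n
            entries.append({"alias": alias, "kind": "PrivateKeyEntry", "chain_len": clen})
        elif tag == 2:  # trusted certificate entry
            if version == 2:
                _, pos = _read_utf(data, pos)
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4 + n
            entries.append({"alias": alias, "kind": "trustedCertEntry", "chain_len": 1})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries, pos


def jks_entries(data):
    return _walk(data)[0]


def jks_password_ok(data, password):
    """True when the trailing SHA-1 matches, i.e. password is the keystore password."""
    _, end = _walk(data)
    return hmac.compare_digest(data[end:end + 20], _digest(data[:end], password))


def check_unifi_keystore(data):
    """Apply the guide's requirements; returns a list of problems ([] means ready to upload)."""
    problems = []
    if not jks_password_ok(data, KEYSTORE_PASS):
        problems.append("keystore password is not %s" % KEYSTORE_PASS)
    keys = [e for e in jks_entries(data) if e["kind"] == "PrivateKeyEntry"]
    if [e["alias"] for e in keys] != [REQUIRED_ALIAS]:
        problems.append("expected exactly one private-key entry with alias '%s'" % REQUIRED_ALIAS)
    elif keys[0]["chain_len"] < 2:
        problems.append("certificate chain should include the intermediate CA certificate(s)")
    return problems


# Constructed sample: placeholder bytes stand in for the encrypted key and DER certificates.
SAMPLE = build_jks(
    [("unifi", b"placeholder-encrypted-key", [b"placeholder-leaf", b"placeholder-intermediate"])],
    KEYSTORE_PASS,
)

if __name__ == "__main__":
    print(jks_entries(SAMPLE))
    print("problems:", check_unifi_keystore(SAMPLE))
```

The digest check only proves the store password, not that the private key inside decrypts; KeyStore Explorer already verified that when it imported the PFX, and the controller will verify it again at start-up.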

Save the unifi.keystore.jks file in folder ”Upload to Cloud Key”
Now copy cloudkey.key file from “Convert” to the ”Upload to Cloud Key” folder
Rename your purchased SSL certificate to cloudkey.crt and copy it into the “Upload to Cloud Key” folder


Finally, the “Upload to Cloud Key” folder should look like this:

Select all three files
cloudkey.crt
cloudkey.key
unifi.keystore.jks


Right-click and add them to a tar archive (via 7-Zip), naming it cert.tar

Now upload all the files (cloudkey.crt, cloudkey.key, unifi.keystore.jks and cert.tar) to /etc/ssl/private/

Before we restart our Cloud Key, change the host name in the controller so the name matches your certificate.

Restart the Cloud Key; your SSL certificate is now installed.
