How to install an SSL Certificate on a Unifi Cloud Key

This guide is for those who want to install an SSL certificate on their Unifi Cloud Key.
By default, the Cloud Key uses a self-signed certificate, which makes your browser show a rather annoying warning that the connection is insecure.

The SSL certificate in this guide is installed on a Cloud Key running controller version 5.10.12.

In order to create and convert our SSL certificate for the Unifi Cloud Key, a few different programs are needed, listed below.

1. PuTTY https://www.putty.org/
2. Notepad++ https://notepad-plus-plus.org/download/v7.6.3.html
3. FileZilla, FlashFXP, WinSCP etc.
4. KeyStore Explorer (https://keystore-explorer.org/)
5. Win64 OpenSSL v1.1.1a (https://slproweb.com/products/Win32OpenSSL.html)
6. 7zip https://www.7-zip.org/download.html

First, we must have purchased an SSL certificate, which can be done in several places on the web.
For example, mine was purchased at http://cheapsslshop.com for $8.95 (approx. 58 DKK). It is a Comodo Positive SSL, which is at the cheap end and requires only domain validation.
Just remember to select an SSL certificate with 256-bit encryption along with a 2048-bit RSA key, which should be the default. The Unifi controller works with a keystore file (unifi.keystore.jks); this file must contain the entire certificate chain and the private key.

The keystore file must have the password: aircontrolenterprise
The keystore file must have the alias: unifi
cert.tar – contains the three files shown below. During the boot process, a check is made as to whether these files are out of sync with each other.
cloudkey.crt – the *.myDomain.dk certificate.
cloudkey.key – the *.myDomain.dk private key belonging to the certificate.
unifi.keystore.jks – the .crt and .key combined, for the Java certificate management.

In short, we must have created the following on the Cloud Key: (done via PuTTY)
cloudkey.crt
cloudkey.key
CSR (Certificate Signing Request)

Make a complete backup of your Cloud Key settings so you are on the safe side if something goes wrong.

Connect to the Cloud Key via SFTP.
Backup the folder:
/etc/ssl/private/

And take a backup of the file system.properties
Location: /usr/lib/unifi/data/system.properties

I have created three folders as shown here.
Remember to copy the files unifi.keystore.jks and system.properties to the Convert folder, as we will use these files later in this guide.

Backup SSL Cloud Key = copy of /etc/ssl/private/ and the file /usr/lib/unifi/data/system.properties
Convert = copy of unifi.keystore.jks and system.properties
Upload to Cloud Key = the files to be uploaded to the Cloud Key after they have been converted.

Now that we have taken a backup of all the files, delete all the contents of /etc/ssl/private/
This can be done either via PuTTY or via SFTP.

PuTTY

rm -f /etc/ssl/private/*

Or via SFTP


Open the file system.properties and add the line: app.keystore.pass = aircontrolenterprise
Upload/overwrite the file on the Cloud Key itself via SFTP, so that it now contains:
app.keystore.pass = aircontrolenterprise


CSR – Certificate Signing Request (connect to the Cloud Key via SSH, using PuTTY)

First we generate a new private key with the following command via PuTTY:

openssl genrsa -out /etc/ssl/private/cloudkey.key 2048

Create a new CSR with the following command via PuTTY:

openssl req -new -batch \
-subj "/C=DK/ST=DK/L=Denmark/O=myDomain.dk/OU=UniFi/CN=unifi.myDomain.dk/emailAddress=my@e-mail.dk" \
-key /etc/ssl/private/cloudkey.key \
-out /etc/ssl/private/cloudkey.csr

Remember to customize "CN=" (the common name) so that it points to your domain; for example, unifi.myDomain.dk must of course be the same name that your SSL certificate was issued/purchased for.

Now copy the two new files, cloudkey.key and cloudkey.csr, from the Cloud Key into the "Convert" folder.

Issue the SSL certificate from your SSL provider.

All SSL providers work the same way: you use the CSR to have your certificate issued.
Open the cloudkey.csr file in Notepad++, as we need its contents to get our certificate issued at http://cheapsslshop.com

Remember to have an extra (empty) line after -----END CERTIFICATE REQUEST----- as shown below

Once the certificate is issued, you will receive an email either with a link or a zip file containing the certificate.

Take note of both Intermediate CA certificates, as they will be used later in the guide.
Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt

Create a new *.cer file

Now that we have all the files needed to move on, we must create a *.cer file that contains the certificate itself (unifi.myDomain.dk) and the corresponding intermediate certificates mentioned earlier:
Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt

If you have more than one Intermediate CA certificate, just add them all. Start with your own SSL certificate and follow the chain up to Root CA.

Note: You do not need to include the Root CA certificate.
Then copy the certificate and both Intermediate CA certificates into one file, so that cerfile.cer looks like the following:


The next step is to create a PFX file (PKCS#12) that contains the newly created cerfile.cer and the key file cloudkey.key

Copy both cerfile.cer and cloudkey.key from the “Convert” folder to C:\Program Files\OpenSSL-Win64\bin

Run openssl.exe as an administrator, then run the following command.
You have to type the command by hand, since you cannot paste text into this window.
Remember to change the command if you have named your cerfile.cer something else.

openssl pkcs12 -export -in cerfile.cer -inkey cloudkey.key -out cloudkey.pfx

Choose your own password at "Enter Export Password". It can be different from the password used in the Unifi controller; it is entirely up to you.

Copy the file cloudkey.pfx to the "Convert" folder.

Then open the unifi.keystore.jks file in KeyStore Explorer, entering the password aircontrolenterprise to open the file.

Then delete the existing unifi entry as shown here:
Right-click it and select "Delete"

Select ”Yes”

Select "Tools" from the menu, and then -> "Import Key Pair"

Then locate cloudkey.pfx in the "Convert" folder
Select the format PKCS #12

Enter the password you chose earlier when creating the *.pfx file,
as well as the location of the *.pfx file,
then click "Import"

Under "Enter Alias" type "unifi" as shown, then click OK.

Enter the password: aircontrolenterprise
Click on "OK"

The key pair is now correctly imported, and only a few things remain before we can start uploading files to our Cloud Key.

Save the unifi.keystore.jks file in the "Upload to Cloud Key" folder
Now copy the cloudkey.key file from "Convert" to the "Upload to Cloud Key" folder
Rename your purchased SSL certificate to cloudkey.crt and copy it into the "Upload to Cloud Key" folder

Finally, the “Upload to Cloud Key” folder should look like this:

Select all three files
cloudkey.crt
cloudkey.key
unifi.keystore.jks


Right-click them and, using 7zip, add them to an archive in tar format, with the name cert.tar

Now upload all files to /etc/ssl/private/

Before restarting the Cloud Key, change the host name in the controller so that it matches the name on your certificate.

Restart the Cloud Key, now your SSL certificate is installed.
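The script below is an added example and is not part of the original guide. It carries out the same conversion steps (building the chain file with a trailing newline, the PKCS#12 export, importing the key pair into unifi.keystore.jks under the alias unifi with the password aircontrolenterprise, and packing cert.tar) directly on the Cloud Key with openssl and keytool, instead of the Windows tools. It also checks that cloudkey.key really belongs to cloudkey.crt before anything is packed, which is worth doing given the sync check the guide mentions at boot. The function names, the decision to reuse the keystore password for the temporary PFX, and the assumption that openssl and keytool are on the PATH are mine, not the guide's.

```shell
#!/bin/sh
# Added example, not from the original guide: the conversion the guide does on
# Windows with Notepad++, OpenSSL and KeyStore Explorer, done on the Cloud Key
# itself. Alias, password, file names and the /etc/ssl/private path are the
# guide's; function names and the PFX password choice are assumptions.
set -eu

KEYSTORE_PASS=aircontrolenterprise   # password the controller expects (from the guide)
KEYSTORE_ALIAS=unifi                 # alias the controller expects (from the guide)

# build_chain_file OUT LEAF [INTERMEDIATE...]
# Writes the leaf certificate first, then the intermediates in signing order
# (the CA that signed the leaf, then its issuer). The root CA is not added.
# CRLF line endings left by Windows editors are stripped, and every block is
# made to end with a newline (the "extra line after END" the guide asks for).
# Prints the number of PEM blocks written.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        tr -d '\r' < "$pem" >> "$out"
        # $(tail -c1) is empty when the last byte is already a newline
        if [ -n "$(tail -c1 "$out")" ]; then
            printf '\n' >> "$out"
        fi
    done
    begins=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    ends=$(grep -c 'END CERTIFICATE' "$out" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM blocks in $out" >&2
        return 1
    fi
    echo "$begins"
}

# check_key_matches_cert CERT KEY
# Succeeds only if the public key inside CERT is the one derived from KEY.
check_key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# build_keystore CHAIN KEY
# Wraps key + chain into a PKCS#12 file, then imports it into
# unifi.keystore.jks under the alias/password the controller expects.
# If no keystore exists in the current directory, keytool creates one.
build_keystore() {
    chain=$1; key=$2
    # -name sets the alias inside the PFX so keytool can address it by name
    openssl pkcs12 -export -in "$chain" -inkey "$key" -name "$KEYSTORE_ALIAS" \
        -passout "pass:$KEYSTORE_PASS" -out cloudkey.pfx
    # drop the old self-signed "unifi" entry; ignore the error if it is absent
    keytool -delete -alias "$KEYSTORE_ALIAS" -keystore unifi.keystore.jks \
        -storepass "$KEYSTORE_PASS" 2>/dev/null || true
    keytool -importkeystore -srckeystore cloudkey.pfx -srcstoretype PKCS12 \
        -srcstorepass "$KEYSTORE_PASS" -srcalias "$KEYSTORE_ALIAS" \
        -destkeystore unifi.keystore.jks -deststoretype JKS \
        -deststorepass "$KEYSTORE_PASS" -destalias "$KEYSTORE_ALIAS" \
        -destkeypass "$KEYSTORE_PASS" -noprompt
    rm -f cloudkey.pfx
}

# make_cert_tar DIR
# Packs the three files the boot-time check expects into DIR/cert.tar and
# prints the number of entries in the archive.
make_cert_tar() {
    dir=$1
    for f in cloudkey.crt cloudkey.key unifi.keystore.jks; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    ( cd "$dir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks )
    tar -tf "$dir/cert.tar" | wc -l | tr -d ' '
}

# Run on the Cloud Key as:  sh unifi-cert.sh run
# after cloudkey.crt, cloudkey.key, the two intermediate .crt files and the
# backed-up unifi.keystore.jks have been copied to /etc/ssl/private.
if [ "${1:-}" = run ]; then
    cd /etc/ssl/private
    check_key_matches_cert cloudkey.crt cloudkey.key \
        || { echo "cloudkey.key does not match cloudkey.crt" >&2; exit 1; }
    build_chain_file cerfile.cer cloudkey.crt \
        SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt
    build_keystore cerfile.cer cloudkey.key
    make_cert_tar /etc/ssl/private
fi
```

The intermediates are passed in signing order (the Sectigo DV CA that signed the leaf, then the USERTrust CA that signed it), which is the "follow the chain up to the Root CA" order the guide describes; the root itself is left out, as the guide notes.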