Custom certificate for Unifi Controller

Some times, you need a Web Server ito use your own certificates issued by your CA in order to consume pages served by this server on a reverse proxy.

Well this is quite simple in standard cases. Not in Ubiquity way...

Reading the manual, you'll see that there is only one command to create a CSR, then you can use it to get a certificate from your CA and voilà... In fact, no...

To start, you have to know that Unifi CSR is totally invalid as its format is completely wrong.

  • It is not base64 compliant
  • It mixes CSR content and CSR comments

As we must use CSR file issued by UniFi Controller, let's get it:

  java -jar /usr/lib/unifi/lib/ace.jar new_cert wifi.local orga '' France FR

Certificate file can be found in /var/lib/unifi/unifi_certificate.csr

Now, we must format it. First step: base64 compliance:

  fold -w 64 unifi_certificate.csr > unifi_certificate_fixed.csr

Then, edit unifi_certificate_fixed.csr to have

  -----END CERTIFICATE REQUEST-----

On a new line at the end of the file

Then we check CSR validity:

    openssl req -text -noout -verify -in unifi_certificate_fixed.csr

Now, we need to generate a certificate. To do this, we will use our own CA.

Warning (another one...) CSR file generated by UniFi controller uses PrintableString for its attributes. In many cases, default CA settings uses UTF8Strings.

To succeed on CSR validation tests, our CA must use the same strings types as in CSR.

To do this, we can edit our openssl config file (/usr/lib/ssl/openssl.cnf in debian) and change string_mask attribute to pkix:

  string_mask = pkix

Then create a CA.

  /usr/lib/ssl/misc/CA.pl -newca

After that, we can generate a new certificate with our CA:

  openssl ca -in out -days 360 -out unifi_cert.pem

Then, we import this certificate in UniFi controller:

  cd /usr/lib/unifi/
  java -jar lib/ace.jar import_cert unifi_cert.pem  /etc/ssl/certificate-authority/cacert.pem

If no error message is written to standard output, we have to restart unifi service and try to connect to unifi controller on port 8443 using our favourite Web browser:

  /etc/init.d/unifi restart

Troubleshoot:

  • UniFi controller needs a certificate generated using its CSR. If you do not follow this, controller may fail to start or raise SSL errors