Sometimes you need a web server to use your own certificates, issued by your own CA, for example so that a reverse proxy can consume the pages served by this server.
Well, this is quite simple in standard cases. Not the Ubiquiti way...
Reading the manual, you'll see that there is only one command to create a CSR; then you use it to get a certificate from your CA and voilà... In fact, no...
To start, you have to know that the CSR produced by UniFi is not a valid PEM file, because its format is wrong:
- It is not base64 compliant (the body is not line-wrapped the way PEM tools expect)
- It mixes CSR content and CSR comments
Since we must use the CSR file issued by the UniFi controller, let's generate it:
java -jar /usr/lib/unifi/lib/ace.jar new_cert wifi.local orga '' France FR
The CSR file can be found in /var/lib/unifi/unifi_certificate.csr
Now we must fix its format. First step: base64 compliance, re-wrapping the body at 64 characters:
fold -w 64 unifi_certificate.csr > unifi_certificate_fixed.csr
Then edit unifi_certificate_fixed.csr so that
-----END CERTIFICATE REQUEST-----
is on its own line at the end of the file.
Then we check CSR validity:
openssl req -text -noout -verify -in unifi_certificate_fixed.csr
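The two defects listed above (an unwrapped body with the END marker glued to it, and comment lines mixed into the content) can also be repaired and checked programmatically, which is handy when you script the controller setup. The following is an added example, not code from this post or from any Ubiquiti tool; the CSR text it works on is constructed inline to mimic those defects, and its DER body is a dummy SEQUENCE, not a real request.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")  # a line made only of base64 characters

def _sequence_total_length(der: bytes) -> int:
    """Size (tag + length + content) of the DER SEQUENCE that opens der."""
    if len(der) < 2 or der[0] != 0x30:  # a CSR is an ASN.1 SEQUENCE
        raise ValueError("CSR body is not a DER SEQUENCE")
    if der[1] < 0x80:  # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F  # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def fix_csr(raw: str) -> str:
    """Rebuild a PEM-compliant CSR: keep only base64 lines (markers may be glued
    to content), drop comment lines, wrap at 64 columns, END on its own line."""
    text = raw.replace(BEGIN, "\n").replace(END, "\n")
    chunks = (line.strip() for line in text.splitlines())
    body = "".join(c for c in chunks if c and B64_LINE.match(c))
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    if _sequence_total_length(der) != len(der):  # catches stray text that slipped in
        raise ValueError("decoded body is not exactly one DER SEQUENCE")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"

def is_valid_pem_csr(text: str) -> bool:
    """Strict PEM check: marker lines, body lines of <= 64 base64 chars, one DER SEQUENCE."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    if any(len(l) > 64 or not B64_LINE.match(l) for l in lines[1:-1]):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
        return _sequence_total_length(der) == len(der)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

# Constructed sample: a dummy DER SEQUENCE (not a real request) laid out the way
# the controller writes it: an over-long line, a comment line in the middle and
# the END marker glued to the last line with no newline after it.
DER = b"\x30\x81\x84" + b"\x04\x81\x81" + bytes(range(129))
B64 = base64.b64encode(DER).decode()
SAMPLE = (BEGIN + "\n" + B64[:100] + "\n"
          + "Subject: C=FR, O=orga, CN=wifi.local\n"
          + B64[100:] + END)
```

Running `fix_csr` on the controller's file and writing the result to unifi_certificate_fixed.csr replaces the fold and manual-edit steps; the DER length check is what tells you a stray comment line survived the filtering.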
Now we need to generate a certificate. To do this, we will use our own CA.
Warning (another one...): the CSR file generated by the UniFi controller uses PrintableString for its attributes. In many cases, default CA settings use UTF8String.
For the CSR to pass the CA's validation checks, our CA must use the same string types as the CSR.
To do this, edit the openssl config file (/usr/lib/ssl/openssl.cnf on Debian) and set the string_mask attribute to pkix:
string_mask = pkix
Then create the CA.
After that, we can sign the fixed CSR with our CA:
openssl ca -in unifi_certificate_fixed.csr -days 360 -out unifi_cert.pem
Then we import this certificate into the UniFi controller:
cd /usr/lib/unifi/
java -jar lib/ace.jar import_cert unifi_cert.pem /etc/ssl/certificate-authority/cacert.pem
If no error message is written to standard output, restart the unifi service and connect to the controller on port 8443 with your favourite web browser.
- Note: the UniFi controller needs a certificate generated from its own CSR. If you do not follow this, the controller may fail to start or raise SSL errors.