Step-by-step guide

  1. SSH into your server
  2. Change directory into the UniFi home directory

    cd /opt/UniFi
  3. Make a backup of the keystore

    cp data/keystore data/keystore.bak
  4. Generate the Certificate Signing Request (CSR)

    openssl req -new -newkey rsa:2048 -nodes -out unifi.csr -keyout unifi.key

    You can also use the DigiCert Easy CSR tool.

  5. Get your certificate signed by your Certificate Authority of choice. We recommend DigiCert.

  6. Copy your signed certificate and paste it into a new file named unifi.crt in the UniFi home directory (the current directory).

    nano unifi.crt
    1. Press Control-X to exit
    2. Type Y and press Enter to save the file
  7. Create a PKCS#12 archive

    openssl pkcs12 -export -in unifi.crt -inkey unifi.key -out unifi.p12 -name unifi -password pass:aircontrolenterprise
    1. If your CA requires an intermediate certificate, append the following to the previous command before running it.

      -CAfile "intermediate_cert_from_CA.crt" -caname root
  8. Import the PKCS#12 archive into the keystore

    keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore data/keystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
  9. You will be asked the following:

    Existing entry alias unifi exists, overwrite? [no]:
    1. Type yes and press Enter
  10. You may get a warning about the JKS keystore using a proprietary format, but you can ignore that.
  11. Restart the UniFi service

    systemctl restart unifi
  12. That's it! The new certificate should now be active!
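
The script below is an added example, not part of the original guide. Run before step 7, it confirms that unifi.crt was issued for unifi.key, that the certificate is inside its validity period, and that the unencrypted key from step 4 is not accessible to group or other. The function names and the throwaway self-test certificate are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files produced in steps 4-6.
# unifi.crt / unifi.key are the guide's names; the function names are hypothetical.

# 0 if the certificate's public key equals the one derived from the private key,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is readable and has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if group and other have no access to the key file. Step 4 uses -nodes,
# so the key is unencrypted and file permissions are its only protection.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks, print one line per failure, return the number of failures.
preflight() {
    fails=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; fails=$((fails + 1)); }
    cert_not_expired "$1" || { echo "FAIL: $1 is expired or unreadable"; fails=$((fails + 1)); }
    key_is_private "$2" || { echo "FAIL: $2 is open to group/other (chmod 600)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: continue with step 7"
    return "$fails"
}

# Constructed sample input: a throwaway self-signed pair plus an unrelated key.
selftest() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unifi.example.test" \
        -keyout "$d/unifi.key" -out "$d/unifi.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    chmod 600 "$d/unifi.key" "$d/other.key"
    good=0; preflight "$d/unifi.crt" "$d/unifi.key" >/dev/null || good=$?
    bad=0; preflight "$d/unifi.crt" "$d/other.key" >/dev/null || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Usage: sh preflight.sh unifi.crt unifi.key   (or: sh preflight.sh --selftest)
if [ "$1" = "--selftest" ]; then selftest; elif [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate the remaining steps when the renewal is automated.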