Unifi controller will by default use its self-signed certificate to secure the connection, causing the web browser to flash up with insecure connection.
To prevent this, you need to add your own custom certificate to the controller. Continue reading the article to see how to install an SSL certificate on Unifi-Controller.
Generate CSR code or SSL Certificate
The Certificate Signing Request, or simply CSR, is a block of encoded text with your contact details such as domain and company identity. To receive an SSL Certificate, every applicant must generate a CSR code and send it to the Certificate Authority (CA) for validation. In my case I have already purchased a valid certificate from Comodo SSL authority.
SSL Certificate installation on Unifi-Controller
If you have purchased an SSL certificate from a trusted Authority it will provide you .crt files, but to install it to Unifi you need a .PFX file of that certificate.
Follow below steps to export certificate in .PFX format:
- Import your SSL certificate to the local certificate console.
- Browse your certificate and import it to your personal folder.
- Once the certificate is imported successfully, right click on it and export. Then select the option “Yes, export the private key”.
- Untick all the options and only select “Include all certificates in the certification path if possible”, then click NEXT. Refer to the screenshot attached below.
- Now enter the password for your certificate. And save this certificate to the relevant location.
- That’s it. You are done with the certificate export part. Now you need to download and install Keystore Explorer to create your own certificate store.
- Once you install Keystore, open it and click on “Create a new KeyStore”.
- Select the option “JKS” from KeyStore type and click OK.
- Now Go to the Tools tab and select the option “Import Key Pair”.
- Select PKCS#12 and click OK.
- Click On Browse and select the certificate. Insert Decryption key which we used to export it.
- Enter Alias name and create new password. Let’s assume the password as “aircontrolenterprise”.
- Once your Key pair is imported successfully, go to the File tab, and click on Save as. Name the file as “keystore” and save it to a safe location.
Note: File name is very important, make sure you are using it as suggested. As if it is asking for password while saving it use “aircontrolenterprise”.
- Navigate to your Unifi controller installation which will be in the user profile of the user who installed it, unless it was moved afterwards. Now navigate to the “Data” folder and you will find recent “keystore” file.
- It is worth taking a backup of this keystore file. However, the controller will just recreate it if there is an issue.
- Copy the new keystore file you just created in the previous step and overwrite with the old one.
- Now restart the Unifi controller. If you have it installed as a service, open “services.msc” and restart service.
- Now open a browser and navigate to your controller. It will be the host name or IP address depending how you set it up.
- You will now see that it will no longer flash up as insecure and the connection will be secure now.
Troubleshooting Steps
- When you try to export the certificate, the option “export with key with .PFX extension” is disabled, then try with the solution discussed below to export it.
- Double click on the certificate and go to the Details tab, and copy the Serial Number of the certificate.
- Open CMD as Administrator and run the command shown below:
certutil -repairstore my “Certificate Serial Number”
- What is Certutil Command used for?
Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.