Add a new certificate in the UniFi controller

I’m making use of Ubiquiti APs and therefore use the UniFi software to manage them. I have it installed within an “ordinary” VM.
The software normally uses a self-signed certificate. This is not a big issue as it is my local network.

However, Chrome starts warning more and more, and Safari doesn’t seem to like the self-signed certificate at all after the latest updates. So it became time to install a “proper” certificate.

This little article explains how.

The UniFi software is written in Java and stores its certificates in a Java keystore. We can manipulate the keystore with ace.jar, found in the lib folder of the UniFi installation.

So just navigate to the top-level folder of the UniFi installation: /usr/lib/unifi

The first thing we need to do is generate a Certificate Signing Request (CSR).
To do this, call ace.jar with a few parameters:

java -jar lib/ace.jar new_cert <hostname> <company name> <city> <state> <country>

This will give you two files, both named unifi_certificate.csr, one in PEM format and one in DER format.

Now take this CSR and have your favorite CA process it and generate a certificate. In my case my favorite CA is my own, so I just generated (and signed) the certificate using my own CA certificate and keys.

Now it’s time to import the certificate. We will use ace.jar for this as well.

java -jar lib/ace.jar import_cert unifi_vanzweden.crt Vanzweden-RootCA.crt

The command needs the whole chain, which is why my root CA certificate is imported as well.
You could face an issue, namely ace.jar complaining that it could not import the certificate. It doesn’t tell you why; it just gives the message “Unable to import the certificate into keystore”. This is due to the line endings in the certificate file.
The solution is to use the tr utility to strip the line endings. Below is an example command that strips the certificate of its line endings.

tr -d '\n\r' < unifi_vanzweden.crt > unifi_vanzweden.crt.tr 

After the strip you can use the file ending in .tr for the import.
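
A pre-import check for the files above, as an added example that is not part of the original article: it confirms that the certificate returned by the CA carries the public key from the CSR, that it verifies against the root CA, and that neither file has Windows line endings. It assumes the openssl command-line tool is installed; the function names and exit codes are made up for this example, and it is meant to run on the files as the CA delivered them, before any tr step.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the files
# as returned by the CA, before handing them to ace.jar import_cert.
# Assumes the openssl CLI; function names and exit codes are made up here.

# Print the public key of a PEM CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Succeed if the file contains carriage returns (Windows line endings).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# preflight CSR CERT ROOT_CA
#   0 = ready, 2 = unreadable input, 3 = certificate not issued for this CSR,
#   4 = certificate does not chain to ROOT_CA, 5 = CRLF line endings present
preflight() {
    csr_key=$(pubkey_of req "$1") || { echo "cannot parse CSR $1" >&2; return 2; }
    crt_key=$(pubkey_of x509 "$2") || { echo "cannot parse certificate $2" >&2; return 2; }
    if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
        echo "public key in $2 differs from the one in $1" >&2
        return 3
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "$2 does not verify against $3" >&2
        return 4
    fi
    if has_crlf "$2" || has_crlf "$3"; then
        echo "carriage returns found; normalise line endings before import" >&2
        return 5
    fi
    echo "ok: key matches CSR, chain verifies, no CRLF"
}

# Usage: sh preflight.sh unifi_certificate.csr unifi_vanzweden.crt Vanzweden-RootCA.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```
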

In my case ace.jar wasn’t asking for a password. But if it does, the default password for the keystore is aircontrolenterprise.

Once the import is successful, you only need to restart the UniFi software and check that it’s using the new certificate. In my case that seems to be the case.

Screenshot showing certificate

So at least for me the browsers are not complaining anymore.