Securing UniFi Cloud Key with SSL certificate from RapidSSL

During the installation of my new Ubiquiti UniFi home network I noticed that the Cloud Key management console uses a self-signed certificate, which annoyed me for days.

There is no support for Let’s Encrypt, nor does Ubiquiti have a knowledge base article explaining how to install a proper certificate, and their support forums are filled with the same questions. When I asked Ubiquiti support via ticket to assist, I was pointed to some arbitrary 3rd-party blog post which provided instructions for installing SSL on the UniFi Cloud Controller hosted on AWS, but did not provide any information on how to install an SSL certificate onto the UniFi Cloud Key.

If you prefer Let’s Encrypt and you have a Cloudflare account you should try: UniFi SSL Cloud Key installation with Let’s Encrypt.

Backup Everything

The Cloud Key allows SFTP access as well as SSH access. Before you continue with this guide, make a backup of the current certificate configuration. To be really safe, copy /etc/ssl/private to your local computer.

After you have backed up the Cloud Key directory, delete its contents:

Create the CSR – Certificate Signing Request

First we generate a new private key:

Then create the CSR:

The only relevant section is the “CN=” (common name) part, which should be the host name of your Cloud Key: the certificate is issued for a domain name, so with SSL you will address the Cloud Key by that name instead of by its IP.

Request the SSL Certificate and install the certificate

I use CheapSSLShop as it provides RapidSSL DV SSL certificates for about USD 8 per year. Any SSL provider will operate in a similar fashion, where you need a CSR to issue the SSL certificate:


With RapidSSL you will receive an email which includes the certificate which you copy into /etc/ssl/private/cloudkey.crt:

It is important that the file ends with a line feed after the “-----END CERTIFICATE-----” line.

Copy the RapidSSL intermediate SSL certificate to the Cloud Key directory and you will have something like this:

The next step is to generate a PKCS12 file from your certificate, private key and intermediate RapidSSL file:

We then import the PKCS12 file into the Cloud Key keystore:

Now we adjust the permissions and delete files which we do not need:

If everything was done correctly, you can verify your certificate via nginx:

If the above command nginx -t throws an error, you have probably installed the wrong intermediate certificate or forgotten the line feed at the end of your CRT file.

As the last step, restart NGINX and the UniFi Controller:

Finally, adjust your controller’s hostname:

NGINX and UniFi take a few seconds to restart after the above commands; you will then have a beautiful green address bar.
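The whole procedure above, collected into one script as an added example (this is not the author's code, nor anything shipped by Ubiquiti). The paths the post gives (/etc/ssl/private and cloudkey.crt) are used as-is; everything the page does not name is an assumption or a placeholder set at the top: the key, CSR and intermediate file names, the keystore path, the keystore password (CHANGE_ME), the alias unifi and the common name cloudkey.example.com. check_cert_files runs the two checks the post ties to nginx -t failures (the missing line feed and the wrong intermediate), plus a key/certificate match, before the keystore is touched.

```shell
#!/bin/bash
# Added example, not from the original post: the Cloud Key certificate procedure as
# one re-runnable script. Run "csr" first, install the issued certificate and the
# RapidSSL intermediate into $SSL_DIR, then run "install".
set -euo pipefail

# Paths the post gives.
SSL_DIR=/etc/ssl/private
CRT="$SSL_DIR/cloudkey.crt"

# Assumptions (not stated on the page); override via environment as needed.
CK_HOST="${CK_HOST:-cloudkey.example.com}"                    # placeholder common name
KEY="$SSL_DIR/cloudkey.key"                                   # assumed key file name
CSR="$SSL_DIR/cloudkey.csr"                                   # assumed CSR file name
CHAIN="$SSL_DIR/rapidssl-intermediate.crt"                    # assumed intermediate file name
P12="$SSL_DIR/cloudkey.p12"                                   # temporary PKCS12 bundle
KEYSTORE="${UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"    # assumed keystore path
KEYSTORE_PASS="${UNIFI_KEYSTORE_PASS:-CHANGE_ME}"             # placeholder, set the real one
ALIAS="${UNIFI_ALIAS:-unifi}"                                 # assumed keystore alias

# True when the file is non-empty and ends with a line feed. $(...) strips trailing
# newlines, so the last byte is a newline exactly when the substitution is empty.
pem_ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 1: new private key and a CSR whose only relevant field is the CN.
gen_key_and_csr() {
    openssl genrsa -out "$KEY" 2048
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$CK_HOST"
}

# Step 2: checks to run once cloudkey.crt and the intermediate are in place.
check_cert_files() {
    pem_ends_with_newline "$CRT"   || { echo "no line feed after END CERTIFICATE in $CRT" >&2; return 1; }
    pem_ends_with_newline "$CHAIN" || { echo "no line feed after END CERTIFICATE in $CHAIN" >&2; return 1; }
    [ "$(count_pem_certs "$CRT")" -ge 1 ] || { echo "no certificate found in $CRT" >&2; return 1; }
    # The certificate must have been issued for the key generated in step 1.
    [ "$(openssl x509 -noout -modulus -in "$CRT")" = "$(openssl rsa -noout -modulus -in "$KEY")" ] \
        || { echo "$CRT does not belong to $KEY" >&2; return 1; }
    # The intermediate must be the one that signed the leaf; a wrong one is what
    # makes nginx -t fail later.
    openssl verify -untrusted "$CHAIN" "$CRT" >/dev/null \
        || { echo "$CHAIN does not chain $CRT to a trusted root" >&2; return 1; }
}

# Step 3: bundle key, certificate and intermediate into PKCS12, import into the keystore.
build_and_import_pkcs12() {
    openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -certfile "$CHAIN" \
        -name "$ALIAS" -out "$P12" -password "pass:$KEYSTORE_PASS"
    keytool -importkeystore -noprompt -alias "$ALIAS" \
        -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$KEYSTORE" -deststorepass "$KEYSTORE_PASS"
}

# Step 4: tighten permissions, drop what is no longer needed, verify, restart.
finish() {
    chmod 600 "$KEY" "$CRT" "$CHAIN"
    rm -f "$P12" "$CSR"
    nginx -t                       # fails on a wrong intermediate or a missing line feed
    service nginx restart
    service unifi restart          # the controller hostname is then set in its own settings
}

case "${1:-}" in
    csr)     gen_key_and_csr ;;
    install) check_cert_files && build_and_import_pkcs12 && finish ;;
    *)       echo "usage: $0 csr | install" >&2 ;;
esac
```

The key/certificate and chain checks need openssl on the Cloud Key; the two PEM helpers need only coreutils, which is why they are separate functions and run before anything is imported.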

