Securing UniFi Cloud Key with SSL certificate from RapidSSL

During the installation of my new Ubiquiti UniFi home network I noticed that the Cloud Key management console uses a self-signed certificate, which annoyed me for days:

There is no support for Let’s Encrypt, Ubiquiti has no knowledge base article explaining how to install a proper certificate, and their support forums are filled with the same questions. When I asked Ubiquiti support via ticket for assistance, I was pointed to some arbitrary third-party blog post which provided instructions for installing SSL on the UniFi Cloud Controller hosted on AWS, but did not provide any information on how to install an SSL certificate onto the UniFi Cloud Key.

If you prefer Let’s Encrypt and you have a Cloudflare account you should try: UniFi SSL Cloud Key installation with Let’s Encrypt.

Backup Everything

The Cloud Key allows SFTP access as well as SSH access. Before you continue with this guide, make a backup of the current certificate configuration. To be really safe, make a copy of /etc/ssl/private to your local computer.

After you have backed up the Cloud Key directory, delete its contents:

rm -f /etc/ssl/private/*

Create the CSR – Certificate Signing Request

First we generate a new private key:

openssl genrsa -out /etc/ssl/private/cloudkey.key 2048

Then create the CSR:

openssl req -new -batch \
  -subj "/C=ZA/ST=Gauteng/L=Johannesburg/O=Naschenweng.info/OU=UniFi/CN=unifi.naschenweng.info/[email protected]" \
  -key /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.csr

The only relevant section is the “CN=” (common name) part, which should be the hostname under which you will reach your Cloud Key (with SSL you address the console via a domain name instead of an IP address).

Request the SSL Certificate and install the certificate

I use CheapSSLShop as it provides RapidSSL DV SSL certificates for about USD 8 per year. Any SSL provider will operate in a similar fashion: you need a CSR to have the SSL certificate issued:


With RapidSSL you will receive an email which includes the certificate which you copy into /etc/ssl/private/cloudkey.crt:

It is important to have a line feed after the “-----END CERTIFICATE-----” line.

Copy the RapidSSL intermediate SSL certificate to the Cloud Key directory and you will have something like this:

The next step is to generate a PKCS12 file from your certificate, private key and intermediate RapidSSL file:

openssl pkcs12 -export \
  -in /etc/ssl/private/cloudkey.crt \
  -inkey /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.p12 \
  -name unifi \
  -CAfile /etc/ssl/private/rapidssl.crt -caname root \
  -password pass:aircontrolenterprise

We then import the PKCS12 file into the Cloud Key keystore:

keytool -importkeystore \
  -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore \
  -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 \
  -srcstorepass aircontrolenterprise \
  -alias unifi

Now we adjust the permissions and delete the files we no longer need (the tar archive is created inside /etc/ssl/private, so change into that directory first):

rm /etc/ssl/private/cloudkey.csr
rm /etc/ssl/private/rapidssl.crt
rm /etc/ssl/private/cloudkey.p12
cd /etc/ssl/private && tar -cvf cert.tar *
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*

If everything was done correctly, you can verify your certificate via nginx:

root@GateNanny:/etc/ssl/private# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If nginx -t throws an error, you have probably applied the wrong intermediate certificate or forgotten the line break at the end of your CRT file.

As the last step, restart NGINX and the UniFi Controller:

/etc/init.d/nginx restart ; /etc/init.d/unifi restart

Finally, adjust your controller’s hostname:

NGINX and UniFi take a few seconds to restart, after which you will have a beautiful green address bar: