
Installing an SSL certificate on Ubiquiti UniFi

  • Installing SSL on UDM-base
    • Standard method with ace.jar
    • Installation with keytool
    • Importing PKCS7
    • Importing PEM
    • PFX file import via command line
  • Installing SSL on UDM-pro
  • SSL installation for UniFi services not based on UDM
    • Installation with keytool (for Windows)
    • PFX file import using Keystore Explorer
    • PFX file import (Windows) via command line
    • UniFi SSL security features

UniFi Dream Machine (UDM) is the latest version of network management hardware created by UniFi. It usually comes with UniFi OS (a version of a Debian-based Linux operating system). It has two variations: UDM-base, which is technically a modification of older UniFi controllers, and UDM-Pro, which has its own graphical interface for added ease of use.

Installing SSL on UDM-base

Official documentation for the UniFi controller includes one method of installing an SSL certificate. This method is relatively simple; however, there is a common issue involving an error message that doesn't indicate the actual cause.

This guide outlines various alternative installation methods, shows how to fix common errors, and provides useful security enhancement tips.


Important note: Sometimes, a default certificate on the server might be used instead of the one you install, which may cause security warnings in browsers. To avoid this issue, regardless of which installation method you use, complete the steps below first:
  • Connect to UniFi.
  • Stop the UniFi Controller by running:

    unifi-os stop

  • Remove the symbolic link to the default certificate file and copy the actual certificate file in its place via:

    rm /usr/lib/unifi/data/keystore && cp /etc/ssl/private/unifi.keystore.jks /usr/lib/unifi/data/keystore

  • Comment out or remove the following line in /etc/default/unifi:

    UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks

  • Restart the UniFi Controller using this command:

    unifi-os restart

  • Proceed with the SSL setup using one of the methods below.

Please note that the path /etc/ssl/private/unifi.keystore.jks should be replaced with the path to your new keystore where the new certificate files are located.

Standard method with ace.jar

This method is generally recommended, although it has some peculiarities, so it isn't always the most reliable.

The certificate should be installed in the folder where the CSR code was generated. Follow the steps below to complete the SSL installation using ace.jar:

  1. Connect to your server through the command prompt.
    • On Linux-based or Windows-based servers, you can use PuTTY or a similar application.
    • On macOS, run the Terminal application.
    • On a Windows server, run cmd or PowerShell (connected via remote desktop if needed).

    Important: Make sure to start the application with administrator rights on Windows. To do this, right-click on the program icon and choose the Run as administrator option, or do it this way:
    Properties >> Compatibility >> check Run this program as an administrator >> OK.

    On Linux/MacOS, you should have root or sudo user access. For this, run the following command:

    sudo su -

  2. To start the installation, open the UniFi shell to access the UDM files:

    unifi-os shell

  3. Go to the UDM-base main folder by running:

    cd /usr/lib/unifi/

  4. Upload the following files from the SSL archive you received to the UniFi base folder:
    • the security certificate file in PEM format (the .crt file received from the Certificate Authority);
    • the root certificate;
    • the intermediate certificates.

    Use the following command:

    java -jar lib/ace.jar import_cert *your certificate*.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt addtrustexternalcaroot.crt

    where *your certificate* is replaced with your actual file name.

    If you received the intermediate and root certificates in one combined file (.ca-bundle), you can download them separately here.

    Note that the example command above contains the intermediate certificates for a standard Domain Validation type SSL.

  5. After you run the command, UniFi will ask you to enter the keystore password. Use "aircontrolenterprise" (unless you changed it manually in your UniFi settings) and confirm the certificate's import.

    Keep in mind that some server versions may require the whole CA bundle to be uploaded as a single file. In such a case, you can download the corresponding bundle following the instructions in this article and use the following command:

    java -jar lib/ace.jar import_cert *your certificate*.crt bundle.crt

  6. Restart UDM-base to apply the changes:

    unifi-os restart

    You can check the installation here.

    Important: There is a known problem on some common modern UniFi versions: after importing the files to the server, the error "Unable to import the certificate into keystore" appears.

    This is because on some UniFi versions, ace.jar is unable to parse the newline (\n) symbol.

    On Linux and macOS, this issue can be resolved by removing these symbols with a simple command:

    tr -d '\n\r' < *file name* > *temporary file name* && mv *temporary file name* *file name*

    Solution: Replace *file name* with the actual name of the required file. Apply the command to your certificate, to each of the intermediate certificates, and to the root certificate.

    The *temporary file name* value is required because the command cannot save the modified content in the same file directly (the shell truncates the output file before tr reads it). Therefore it's necessary to save the result in a temporary file and then replace the old one with it.

    Alternatively, you can use this command (it relies on the reading side of the pipeline opening the file before the redirect truncates it, so the temporary-file form above is the safer one):

    tr -d '\n\r' < *file name* | echo $(cat -) > *file name*

    On Windows, the certificate files can be fixed using Notepad++:

    • Open the file in the text editor.
    • Press Ctrl+F and go to the Replace tab.
    • Mark the Extended option so that control characters can be replaced.
    • Type \n in the Find field and click Replace All.
    • Repeat with \r.
    • Save the file.
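As an added example (not code from the original article), the script below applies the same tr -d '\n\r' fix to several certificate files at once, but only touches files that carry PEM CERTIFICATE markers and rewrites each through a mktemp temporary file, so a failed run leaves the originals intact; the file names are passed as arguments in place of the *file name* placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: flatten PEM certificate
# files for ace.jar by stripping CR and LF (the tr fix described above),
# with two safeguards the one-liner lacks: only files that carry PEM
# CERTIFICATE markers are touched, and each file is rewritten through a
# mktemp temporary file so a failed step cannot leave it half-written.

# Succeed if FILE holds at least one complete BEGIN/END CERTIFICATE pair.
# "|| true" keeps grep's exit status 1 (no match) from tripping "set -e".
looks_like_pem_cert() {
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Strip every CR and LF from each FILE in place. All arguments are checked
# first, so a stray non-certificate argument aborts before anything changes.
flatten_pem_files() {
    for f in "$@"; do
        if ! looks_like_pem_cert "$f"; then
            echo "refusing to flatten $f: no PEM CERTIFICATE block found" >&2
            return 1
        fi
    done
    for f in "$@"; do
        tmp=$(mktemp "$f.XXXXXX") || return 1
        # Same transformation as the article's command; the temporary file is
        # needed because "> $f" would truncate the input before tr reads it.
        if tr -d '\n\r' < "$f" > "$tmp"; then
            mv "$tmp" "$f"
        else
            rm -f "$tmp"
            return 1
        fi
    done
}

# Number of newline characters left in FILE (0 after a successful flatten).
newline_count() {
    tr -cd '\n' < "$1" | wc -c | tr -d ' '
}

# Usage: sh flatten_pem.sh example.crt intermediate.crt root.crt
if [ "$#" -gt 0 ]; then
    flatten_pem_files "$@" && echo "flattened: $*"
fi
```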

Installation with keytool

Importing PKCS7

Inside the keystore, import the file in PKCS#7 format (with a .p7b or .cer extension).

Follow Steps 1-3 in the Standard ace.jar method.

Save the certificate's private key to the /data/keystore file in the default UniFi keystore after you generate the CSR code.

  1. Upload the security certificate file from the SSL archive you received from the CA in PKCS#7 format (.cer or .p7b) to the UniFi base folder.
  2. To import the uploaded file into the keystore, run:

    keytool -import -trustcacerts -alias unifi -file *your certificate*.p7b -keystore /data/keystore

    Enter the keystore password "aircontrolenterprise" (unless it was changed in your UniFi settings) and press Enter to complete the import.

  3. Restart the UDM-base to apply the changes:

    unifi-os restart

And now you're done! You can check the installation here.

Warning: You may receive the error "Input not an X.509 certificate" while importing the SSL in PKCS#7 format. It may be related to extra blank lines in the file or other formatting issues. If editing the file in a text editor does not help, importing the SSL as PEM files is the best option.

On Windows, you can also use this solution:

  • Change the certificate file extension to .cer.
  • Right-click on the file and choose Install certificate. Keep clicking through the options until you reach the Finish button.
    TIP: Within the Internet Explorer browser, click on Tools >> Internet Options to install it.
  • Open the Content tab and click on Certificates.
  • Choose your certificate from the Other tab and click Export.
  • Click Next.
  • Select "Cryptographic Message Syntax Standard - PKCS#7 Certificates (.P7B)" and check the "Include all certificates in the certification path if possible" box.
  • Click Next >> Browse. Enter the file name and path for the new combined file to be saved.
    TIP: You can save the file with a .cer extension.
  • Click Next and then Finish.
  • Use this newly created file during installation in the keystore.

Importing PEM

Alternatively, you can import the SSL file in PEM format (.crt).

The example below uses files for a Domain Validation certificate. The procedure is similar for other SSL types. Find the respective files here.

  1. Import the root certificate:

    keytool -import -trustcacerts -alias root -file addtrustexternalcaroot.crt -keystore /data/keystore

  2. Import the intermediate certificates one by one using separate aliases:

    keytool -import -trustcacerts -alias intermediate2 -file USERTrustRSAAddTrustCA.crt -keystore /data/keystore

    keytool -import -trustcacerts -alias intermediate1 -file SectigoRSADomainValidationSecureServerCA.crt -keystore /data/keystore

  3. Import the actual certificate with the alias unifi:

    keytool -import -trustcacerts -alias unifi -file *your certificate*.crt -keystore /data/keystore

    PLEASE NOTE: You must enter the keystore password for each import and press Enter to complete the procedure.

    TIP: To avoid this, add the argument -storepass *password* at the end of the command. Replace *password* with your actual password for the UniFi keystore.
  4. Restart UDM-base to apply the changes:

    unifi-os restart

The files are the same as for the Standard installation method with ace.jar.

PFX file import via command line

You can use this option if the CSR was generated elsewhere or the OpenSSL method was used instead of the default UniFi tool during the procedure.

In this case, a private key (.key) is created separately. You need to import the key file into the keystore along with the certificate (.crt) and chain (.ca-bundle) files.

Steps 1-3 are the same as in the Standard method with ace.jar.

If you prefer carrying out the process through the command line, follow these steps:

  1. Upload the PEM security certificate file (.crt) and the chain file (.ca-bundle) you received in an archive from the Certificate Authority to the UniFi base folder. Move or upload the previously generated private key file to the same folder for your convenience.

    Technically, you can put them in different folders; if you do, add the full paths to the files in the commands in the following steps where these files are used.

  2. Generate the PKCS#12 (PFX) file using the OpenSSL command:

    openssl pkcs12 -export -out *your certificate*.pfx -inkey *your certificate*.key -in *your certificate*.crt -certfile *your certificate*.ca-bundle -name "unifi"

  3. Import the created PFX file into the keystore:

    keytool -importkeystore -srckeystore *your certificate*.pfx -srcstoretype PKCS12 -destkeystore /data/keystore -deststoretype jks -deststorepass *password*

    Replace the *password* value with your actual password for the UniFi keystore.

  4. Restart UDM-base to apply the changes:

    unifi-os restart

If you prefer generating the PFX elsewhere (e.g. our converter), do the following:

  1. Generate the PKCS#12 (PFX) file using any convenient tool.
  2. Upload the PFX file to the server where the UniFi controller is installed (in the UniFi base folder).
  3. Import the created PFX file into the keystore:

    keytool -importkeystore -srckeystore *your certificate*.pfx -srcstoretype pkcs12 -srcalias 1 -destkeystore /data/keystore -deststoretype jks -destalias unifi -deststorepass *password*

    PLEASE NOTE: For a PFX file without an assigned alias, 1 is used as the default alias. Also, ensure you include -srcalias and -destalias in the command to avoid the error "Alias unifi does not exist". The *password* value should be replaced with your actual password for the UniFi keystore.

  4. Restart UDM-base to apply the changes:

    unifi-os restart

There is a small chance that the default alias is different. If you encounter an error, you can check the alias with either of the following commands:

openssl pkcs12 -in *your certificate*.pfx -info

keytool -list -storetype pkcs12 -keystore *your certificate*.pfx -v

Installing SSL on UDM-pro

For UDM-pro you just need to replace the default private key and self-signed certificate and restart UDM.

  1. Make sure to enable the Secure Shell (SSH) for UDM-pro:

    Settings >> Network Settings >> Device Authentication >> Turn it on and set up the username and password (or generate an access key, which is an alternative option that you will be offered at the final step).

  2. Connect via SSH and go to the configuration folder for UDM-pro:

    cd /mnt/data/unifi-os/unifi-core/config/


  3. Prepare the installation files:

    There are two files inside the folder: unifi-core.crt and unifi-core.key. These are a self-signed certificate and a private key, respectively.

    To install the valid SSL, they should be replaced with the actual certificate received from the CA and the corresponding private key:

    • unifi-core.crt should contain your certificate (the .crt file from the CA) combined with the intermediate and root certificates (the .ca-bundle file from the CA) in a single file;
    • unifi-core.key should contain the private key file.

    You can combine the .crt and .ca-bundle files you received from the CA in multiple ways:

    • Upload both files to /mnt/data/unifi-os/unifi-core/config/ and run this command (the first redirection overwrites the self-signed unifi-core.crt rather than appending to it):

      cat example.crt > unifi-core.crt ; echo >> unifi-core.crt ; cat example.ca-bundle >> unifi-core.crt

    • Or open both files with any plain text editor (Notepad, Notepad++, TextEdit, etc.), create a combined unifi-core.crt file (certificate first, CA bundle beneath it) on your PC and upload it to the UDM.
    • Or copy and paste both files' content into unifi-core.crt (in the same order as above: certificate first, CA bundle beneath it).

    To open it in the command line, use any provided Linux editor like nano or vi (for example, run nano unifi-core.crt).

  4. Once both files are replaced, restart your UDM-pro:

    unifi-os restart
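The combination step above, as an added example that is not part of the original article: the script builds the combined unifi-core.crt (leaf certificate first, then the .ca-bundle) in a temporary file and checks that the chain is complete and in the right order before it replaces the self-signed file. The input and output paths are arguments; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: build the combined
# unifi-core.crt for UDM-pro (leaf certificate first, then the .ca-bundle)
# and check the result before it replaces the self-signed file. Input and
# output paths are arguments; the config directory named in the text is
# /mnt/data/unifi-os/unifi-core/config/.

# Number of "-----BEGIN CERTIFICATE-----" blocks in FILE (0 if none).
pem_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print FILE's first PEM block, from its BEGIN line through its END line.
first_pem_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Write CERT then BUNDLE into OUT. The first redirection truncates OUT, so
# the old self-signed certificate does not stay at the top of the chain
# (which ">>" would do), and a newline is inserted after an input that
# lacks one so two PEM markers never end up on the same line.
build_combined_cert() {
    cert=$1; bundle=$2; out=$3
    if [ "$(pem_block_count "$cert")" -ne 1 ]; then
        echo "refusing: $cert must contain exactly one certificate" >&2
        return 1
    fi
    tmp=$(mktemp "$out.XXXXXX") || return 1
    {
        cat "$cert";   [ -z "$(tail -c 1 "$cert")" ]   || echo
        cat "$bundle"; [ -z "$(tail -c 1 "$bundle")" ] || echo
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Every BEGIN needs an END, and nothing may be lost or duplicated.
    expected=$(( $(pem_block_count "$cert") + $(pem_block_count "$bundle") ))
    begins=$(pem_block_count "$tmp")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$tmp" || true)
    if [ "$begins" -ne "$expected" ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing: malformed chain ($begins BEGIN / $ends END, expected $expected)" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# Order check for an already combined file: its first block must be the
# leaf certificate held in CERT, otherwise UDM-pro serves the wrong chain.
leaf_is_first() {
    [ "$(first_pem_block "$1")" = "$(first_pem_block "$2")" ]
}

# The key file next to the chain must be a PEM private key.
looks_like_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Usage: sh build_chain.sh example.crt example.ca-bundle unifi-core.crt
if [ "$#" -eq 3 ]; then
    build_combined_cert "$1" "$2" "$3" && echo "wrote $3 ($(pem_block_count "$3") certificates)"
fi
```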


SSL installation for UniFi services not based on UDM

All installation methods described for UDM-base work similarly on older UniFi controller versions. However, a few methods cannot be used for UDM even though they were valid in the past. They are described below.

Installation with keytool (for Windows)

The process is generally the same as on Linux: you upload the files to the server and run the keytool commands to install them in the keystore. However, there is one difference. Unlike Linux-based servers, Windows requires a full path to be specified when you are running an application. Because keytool.exe, the certificate files, and the keystore may be located in different folders, make sure to use the full path unless the file is in the folder where you run the command.

To import the files in PKCS#7 format, run this command:

"*Java base folder*\bin\keytool.exe" -import -trustcacerts -alias unifi -file *your certificate*.p7b -keystore "C:\Users\*account username*\Ubiquiti UniFi\data\keystore"

*Java base folder* is specified during the Java installation on the server. By default, it is something like "C:\Program Files\Java\*Java version*\".

Alternatively, run the command below to switch to the Java base folder:

cd *Java base folder*

and then import the file by running:

keytool -import -trustcacerts -alias unifi -file "C:\Users\*account username*\Ubiquiti UniFi\*your certificate*.p7b" -keystore "C:\Users\*account username*\Ubiquiti UniFi\data\keystore"

Close the UniFi application and start it again using the application icon.

If UniFi is configured as a Windows service, run these commands:

net stop "UniFi Controller"
net start "UniFi Controller"

The certificate should now be installed.

Importing PEM certificates can be performed as described in the Importing PEM section, specifying the full path to the files in all commands.

PFX file import using Keystore Explorer

The easiest way to import the PFX on UniFi on Windows is with the help of "Keystore Explorer". (It can also be used for Linux/Mac OS, though it is best suited for Windows.)

  1. Open the current keystore file in Keystore Explorer using the default password "aircontrolenterprise" or the one used by the controller.

    TIP: You can open the system.properties file and add your custom password to it:

      app.keystore.pass=*password*

    The file is located in the data subfolder of the UniFi base folder.
  2. This option requires generating the PFX (PKCS#12) format file using any method described in the certificate installation in PFX format section or any online tool (e.g. our converter).

    Choose your own password for this. It can be different from the password used in the UniFi controller.

  3. Once the PFX file is created, switch back to Keystore Explorer and delete the unifi entry.

  4. Click through: Tools >> Import Key Pair >> PKCS12.

    There, locate your PFX file and use the password you set during its creation.

  5. The Key Pair Entry Alias should be set to unifi.

  6. Provide the password. It should be the keystore password ("aircontrolenterprise" unless it was changed in your UniFi settings).
  7. Save the keystore file using File >> Save (or just click on the related icon).
  8. Restart the controller to apply the changes.

    On Linux:
    service unifi restart

    On Windows, close the UniFi application and start it again using the application icon or, if UniFi is configured as a Windows service, use the commands:

    net stop "UniFi Controller"
    net start "UniFi Controller"

    WARNING: Sometimes, the keystore may get corrupted because of multiple imports. If the process does not work properly, delete the initial keystore file and restart UniFi to create a new one, and only proceed with the PFX import when this is done.

PFX file import (Windows) via command line

This process is similar to the installation on Linux. The PFX file can be generated by doing the following:

  • Save both the certificate and the private key files in one folder using the same file names and corresponding extensions: example.p7b, example.key. Run this command in cmd or PowerShell:

    certutil -mergepfx *your certificate*.p7b *your certificate*.pfx

    Alternatively, you can put the certificate, private key and CA bundle in one folder and generate it with OpenSSL:

    *OpenSSL path* pkcs12 -export -out *your certificate*.pfx -inkey *your certificate*.key -in *your certificate*.crt -certfile *your certificate*.ca-bundle -name "unifi"

    The default OpenSSL path on Windows (if you have it installed) is "C:\*OpenSSL version*\bin\OpenSSL.exe".

  • Import the created PFX file into the keystore:

    "*Java base folder*\bin\keytool.exe" -importkeystore -srckeystore *your certificate*.pfx -srcstoretype pkcs12 -srcalias 1 -destkeystore "C:\Users\*account username*\Ubiquiti UniFi\data\keystore" -deststoretype jks -destalias unifi -deststorepass *password*

    *Java base folder* is specified during the Java installation on the server. By default, it is something like "C:\Program Files\Java\*Java version*\".

  • Close the UniFi application and start it again using the application icon or, if UniFi is configured as a Windows service, with the commands:

    net stop "UniFi Controller"
    net start "UniFi Controller"

The SSL should now be installed.

UniFi SSL security features

The following list includes features not directly related to the SSL setup but related to site security and the different ways to configure it.

    • ECC certificates won't work even though these files can be successfully imported to the server.
    • Server Name Indication (SNI) is not supported.
    • HTTPS redirect is enabled on newer versions of UniFi by default. Access the UniFi admin console using the http:// link (by default, *hostname*:8080 in system.properties). Then, if the SSL is already installed on UniFi, you'll be forwarded to the https:// link (by default, https://*hostname*:8443).
      This option works on all UniFi versions starting from 4.x.
    • HSTS can be enabled on UniFi in the system.properties file by modifying these parameters:

      unifi.https.hsts=false - set to true to enable HSTS
      unifi.https.hsts.max_age=*value* - you can specify how long HSTS is cached (in seconds)
      unifi.https.hsts.preload=false - set to true only if you do not plan to remove HSTS, as it will add your UniFi hostname to the preload list, removal from which has to be requested specifically
      unifi.https.hsts.subdomain=false - set to true if you would like to apply the HSTS policy to the subdomains of your domain name as well as to the main domain name

      Uncomment the corresponding (above-mentioned) lines, save the file, and restart UniFi to complete the process.

    • Permitted cipher suites and SSL/TLS versions can be set on UniFi in the system.properties file using the following parameters:

      unifi.https.ciphers=cipher1, cipher2, etc. - replace the values with the actual cipher names you want to enable
      unifi.https.sslEnabledProtocols=protocol1, protocol2, etc. - replace the values with the actual protocol names you want to enable

      Uncomment the corresponding (above-mentioned) lines, save the file, and restart UniFi to complete the process.

      Check the optimal configurations for UniFi here.
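The HSTS and cipher settings above, as an added example that is not part of the original article: the script edits the listed properties in system.properties in place, so a commented-out default is replaced rather than duplicated. The file path is an argument; the TLS 1.2/1.3 and ECDHE-RSA cipher values it writes are example choices, not values taken from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: set the HSTS and TLS
# parameters listed above in UniFi's system.properties from a script.
# A property that already exists, commented out ("#key=...") or not, is
# rewritten in place rather than appended a second time. The property
# names come from the text; the protocol and cipher values below are
# example choices for an RSA certificate, not the article's recommendation.

# Escape the dots in a property name so sed treats them literally.
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the active value of KEY in FILE (nothing if unset or commented out).
get_property() {
    sed -n "s/^$(escape_key "$2")=//p" "$1" | tail -n 1
}

# Set KEY=VALUE in FILE: replace a matching "key=" or "# key=" line in
# place, or append the property when it is not present at all.
set_property() {
    file=$1; key=$2; value=$3
    k=$(escape_key "$key")
    if grep -q -- "^[# ]*$k=" "$file"; then
        tmp=$(mktemp "$file.XXXXXX") || return 1
        sed "s|^[# ]*$k=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# The hardening set: HSTS on for one year, preload left off because it is
# hard to undo (see the note above), subdomains untouched, TLS 1.2/1.3 only,
# and two ECDHE/AES-GCM suites with RSA authentication (ECC certificates
# do not work on UniFi, as noted above). Restart UniFi afterwards.
harden_tls_properties() {
    f=$1
    set_property "$f" unifi.https.hsts true
    set_property "$f" unifi.https.hsts.max_age 31536000
    set_property "$f" unifi.https.hsts.preload false
    set_property "$f" unifi.https.hsts.subdomain false
    set_property "$f" unifi.https.sslEnabledProtocols "TLSv1.2, TLSv1.3"
    set_property "$f" unifi.https.ciphers \
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
}

# Usage: sh harden_unifi.sh /path/to/data/system.properties
if [ "$#" -eq 1 ]; then
    harden_tls_properties "$1" && echo "updated $1; restart UniFi to apply"
fi
```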

Source: https://www.namecheap.com/support/knowledgebase/article.aspx/10134/33/installing-an-ssl-certificate-on-ubiquiti-unifi/

Posted by: porternoust1988.blogspot.com
