{"id":1344,"date":"2023-07-04T12:49:53","date_gmt":"2023-07-04T17:49:53","guid":{"rendered":"https:\/\/www.nathanhunstad.com\/blog\/?p=1344"},"modified":"2023-07-04T12:49:54","modified_gmt":"2023-07-04T17:49:54","slug":"how-to-replace-unifi-networks-default-tls-certificate","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2023\/07\/how-to-replace-unifi-networks-default-tls-certificate\/","title":{"rendered":"How to replace Unifi Network’s default TLS certificate"},"content":{"rendered":"\n

Sometimes it seems like this blog is all PKI<\/a>, all the time. It’s really not, although I’ll have to admit a bit of an obsession recently with making sure all of my certificates were in order. I’ve taken care of Kibana<\/a>, my EdgeOS router, and my TPLink switch, but there was one tool I used that was throwing errors and it was annoying me: the Unifi Network web app. So I decided that I had to fix it, and it wasn’t much trouble at all.<\/p>\n\n\n\n

About Unifi Web<\/h2>\n\n\n\n

I have the Unifi web app running on one of my Linux boxes. It’s a Java app, which means that unlike the other certificates I’ve been dealing with, which have been in PEM format, this is a Java keystore. Fortunately, I’ve some experience with Java keystores from my day job, where some of our app runs on Java. The main tool for interfacing with keystores is keytool<\/a>, which allows you to create and modify keystores.<\/p>\n\n\n\n

Updating the Certificate<\/h2>\n\n\n\n

To start, I generated a private key, then a CSR similar to what I’ve done before<\/a>. The next step was to grab the keystore used by Unifi, which is at \/var\/lib\/unifi\/keystore<\/code>. I made a copy of it just in case, then the fun began.<\/p>\n\n\n\n

My next step was to import the trusted root and intermediate certs that make up the chain. To do so, I grabbed the root and intermediate certs (NOT the private keys of course), and ran the following:<\/p>\n\n\n\n

keytool -import -trustcacerts -alias root -file .\/root.crt -keystore .\/keystore
keytool -import -trustcacerts -alias intermediate -file .\/ia.crt -keystore .\/keystore<\/code><\/pre>\n\n\n\n
Keystores have a password, and the default password for Unifi is aircontrolenterprise<\/code>.<\/p>\n\n\n\n
Although importing trusted CA certs from CRT files is easy using keytool, importing a cert\/private key pair is oddly not. So the next step was to convert the cert and key into a PKCS12-formatted file using openssl:<\/p>\n\n\n\n
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name server<\/code><\/pre>\n\n\n\n
That prompts for a password; remember it for the next command. We can now convert that PKCS12-formatted file to a Java keystore file:<\/p>\n\n\n\n
keytool -importkeystore -deststorepass changeme -destkeypass changeme -destkeystore server.keystore -\nsrckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeme -alias server<\/code><\/pre>\n\n\n\n
Putting It Together<\/h2>\n\n\n\n
Almost there! Another word about Java keystore files: each object has an alias, as you may have noticed in the commands above. The alias for the cert\/key pair used by the Unifi Network app is unifi<\/code>. However, since you can’t import a new pair using that alias as it is already in use, we’ll import the server object we just created, delete the existing unifi object, then rename the new one:<\/p>\n\n\n\n
keytool -importkeystore -srckeystore .\/server.keystore -destkeystore keystore\nkeytool -delete -alias unifi -keystore .\/keystore\nkeytool -changealias -alias server -destalias unifi -keystore .\/keystore<\/code><\/pre>\n\n\n\n
I restarted the Unifi service, et voil\u00e0!<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
A valid cert using my own internal PKI. No more nasty browser warnings for me.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this blog post, I explain how to replace the default Unifi Web certificate stored in a Java keystore with your own certificate.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[259,285,299],"class_list":["post-1344","post","type-post","status-publish","format-standard","hentry","category-security","tag-pki","tag-security","tag-unifi","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1344"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1344\/revisions"}],"predecessor-version":[{"id":1349,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1344\/revisions\/1349"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}