X marks the spot

Adding a self-signed SSL certificate for UniFi on Mac OS X 10.12

Got tired of seeing the UniFi controller's Java service serving HTTPS on localhost with a certificate that isn't trusted. I almost had a solution; then I found one, but it wasn't easy.

Sources:
CertSimple: Never see localhost HTTPS warnings again
Ubiquiti Network Community: Installing an SSL Certificate

Follow the CertSimple instructions to use Keychain Access on Mac OS X to generate a local CA and a self-signed certificate for localhost. In Step 3, make sure to export both the localhost certificate (as .pem) and the localhost private key from within Keychain Access: either choose .p12 from the format drop-down and convert it with the openssl command in Step 3, or export it as .pem directly. The exported key is unencrypted, so keep it out of shared folders and delete it once the import below is done.

[Screenshot: Keychain Access]

Instead of service unifi stop as in the Ubiquiti Network Community instructions (which are for a Linux system), on Mac OS X simply quit the UniFi app to stop the service. Alternatively, from the command line:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar stop

Here are the commands I used, based on the Community page. I put the files on the Desktop for easy finding (from the command line, natch).

$ sudo openssl pkcs12 -export -passout pass:aircontrolenterprise \
 -in ~/Desktop/localhost-cert.pem -inkey ~/Desktop/localhost-key.pem \
 -out ~/Desktop/localhost -name unifi \
 -CAfile ~/Desktop/localhost-CAcert.pem -caname root

$ sudo keytool -delete -alias unifi \
 -keystore ~/Library/Application\ Support/UniFi/data/keystore \
 -deststorepass aircontrolenterprise

$ sudo keytool -trustcacerts -importkeystore \
 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
 -destkeystore ~/Library/Application\ Support/UniFi/data/keystore \
 -srckeystore ~/Desktop/localhost -srcstoretype PKCS12 \
 -srcstorepass aircontrolenterprise -alias unifi

Two caveats on these commands. openssl only consults -CAfile when -chain is also given, so as written the CA certificate is not bundled into the PKCS12 file (use -certfile ~/Desktop/localhost-CAcert.pem if you want it in there); that doesn't matter here, because the CA certificate is passed to import_cert separately below. And sudo isn't needed for files under your own ~/Desktop and ~/Library/Application Support/UniFi; it only leaves root-owned files on the Desktop.

Unfortunately, I’m running into an error where the certificate is not getting imported into the keystore.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar \
 import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem \
 ~/Desktop/localhost
Unable to import the certificate into keystore 

Hurrah! Found the answer.

Source:
UBNT Support Page: UniFi – SSL certificate error upon opening controller page

Troubleshooting

If the error "Unable to import certificate into keystore" appears when importing the signed certificate & intermediate certs, try the following steps:

1. Edit the certificate file and remove any blank spaces after each line of the cert.

And that did it.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar \
 import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem \
 ~/Desktop/localhost
parse localhost-CAcert.pem (PEM, 1 certs): CN=localhost Certification Authority
parse localhost, 0 certs found
parse localhost-cert.pem (PEM, 1 certs): CN=localhost
Importing signed cert[localhost]
Certificates successfuly imported. Please restart the UniFi Controller.
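Putting the pieces together, here is an added example script (mine, not from this post or from Ubiquiti's pages) that checks a PEM file for exactly the trailing-whitespace problem that tripped up import_cert, cleans it, and only then runs the import sequence above, finishing with a keytool -list so you can see what actually landed in the keystore. The helper names, the use of -certfile in place of -CAfile, the demo file names and the placeholder base64 body are assumptions made for this example; the UniFi paths and the default keystore password are the ones used in the post.

```sh
#!/bin/sh
# Added example, not part of the original post or of UniFi.
# Checks/cleans PEM files for the trailing-whitespace problem that makes
# "ace.jar import_cert" fail, then wraps the post's import sequence.

# Exit 0 if any line ends in whitespace or a carriage return.
pem_has_trailing_ws() {
    grep -q '[[:space:]]$' "$1"
}

# Structural check: readable, one BEGIN/END pair, no trailing whitespace,
# and every body line is plain base64 of at most 64 characters.
# Prints the reason and returns 1 on failure.
pem_check() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    if [ "$(grep -c '^-----BEGIN ' "$f")" -ne 1 ] || [ "$(grep -c '^-----END ' "$f")" -ne 1 ]; then
        echo "$f: expected exactly one BEGIN/END marker pair"; return 1
    fi
    if pem_has_trailing_ws "$f"; then
        echo "$f: trailing whitespace found (strip it before import_cert)"; return 1
    fi
    bad=$(sed -n '/^-----BEGIN /,/^-----END /p' "$f" | sed '1d;$d' \
          | grep -vc '^[A-Za-z0-9+/]\{1,64\}=\{0,2\}$' || true)
    if [ "$bad" -ne 0 ]; then
        echo "$f: $bad body line(s) are not base64"; return 1
    fi
    return 0
}

# Write $1 to $2 with trailing whitespace/CR removed from every line,
# blank lines dropped, and anything outside the BEGIN/END block discarded.
pem_clean() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
        | sed -n '/^-----BEGIN /,/^-----END /p' > "$2"
}

# Paths and password as used in the post (macOS UniFi.app install).
ACE_JAR="/Applications/UniFi.app/Contents/Java/ace.jar"
KEYSTORE="$HOME/Library/Application Support/UniFi/data/keystore"
STOREPASS="aircontrolenterprise"

# Usage: unifi_import_cert cert.pem key.pem ca.pem [out.p12]
# Runs the post's sequence only after both PEM files pass pem_check.
unifi_import_cert() {
    cert="$1"; key="$2"; ca="$3"; p12="${4:-$HOME/Desktop/localhost.p12}"
    pem_check "$cert" || return 1
    pem_check "$ca" || return 1
    java -jar "$ACE_JAR" stop
    # -certfile bundles the CA into the PKCS12; -CAfile does nothing without -chain.
    openssl pkcs12 -export -passout "pass:$STOREPASS" \
        -in "$cert" -inkey "$key" -certfile "$ca" -name unifi -out "$p12"
    # No-op if the unifi alias is not present yet.
    keytool -delete -alias unifi -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias unifi \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    # The post also passed the PKCS12 file here; ace.jar reported "0 certs found" for it.
    java -jar "$ACE_JAR" import_cert "$cert" "$ca"
    # Verify what is now under the unifi alias before restarting.
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias unifi
    java -jar "$ACE_JAR" start
}

# Demo on a constructed PEM (placeholder base64, not a real certificate)
# with a trailing space after every line, the case import_cert rejects.
demo_dir=$(mktemp -d)
printf '%s \n' '-----BEGIN CERTIFICATE-----' \
    'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkwYWJjZGVmZ2hpamts' \
    'dGVzdA==' \
    '-----END CERTIFICATE-----' > "$demo_dir/dirty.pem"
pem_check "$demo_dir/dirty.pem" || echo "dirty.pem rejected, as expected"
pem_clean "$demo_dir/dirty.pem" "$demo_dir/clean.pem"
pem_check "$demo_dir/clean.pem" && echo "clean.pem passes"

# Run the real import only when cert, key and CA paths are given.
if [ "$#" -ge 3 ]; then
    unifi_import_cert "$@"
fi
```

Run it with no arguments to see the check/clean round trip on the constructed file; pass the three PEM paths (cert, key, CA) to run the actual import. pem_clean also handles CRLF files, since [[:space:]] matches the carriage return.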

But it still doesn't work completely, because it's self-signed. I guess if I want that green lock then I'll have to go get a real cert.

And for reference:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar
Usage: java -jar lib/ace.jar  [...]
    start  : start the UniFi controller
    stop   : stop the UniFi controller
    info   : display some information
    installsvc/startsvc/uninstallsvc/stopsvc : install/start/stop as a Windows service
    new_cert      : create new certificate (with csr)
    import_cert  [...] : import the signed certificate and ca cert
