How to download a UniFi SSL certificate for a Cloud Key

Published by Iron

If you're running a UniFi Cloud Key, you’re probably interested in making sure your network management is as secure as possible. One of the best ways to achieve this is by using an SSL certificate. In this guide, we'll walk through the process of downloading and installing an SSL certificate on your UniFi Cloud Key, step by step.

Let's Dive In!

Why do you need an SSL certificate?

An SSL certificate is crucial because it enables encryption of the data transmitted between your browser and the Cloud Key, and it lets your browser verify that it is really talking to your Cloud Key. Without SSL, anyone on the same network could potentially intercept your data, which might include sensitive information like passwords.

Essentially, SSL ensures that your management of the network remains private and secure. You wouldn’t want anyone snooping on your network configurations, right?

Step 1: Generating a Certificate Signing Request (CSR)

Before you can download an SSL certificate, you need to generate a Certificate Signing Request (CSR). This is a file you’ll send to a Certificate Authority (CA) like Let’s Encrypt, Comodo, or any other CA you prefer. They will use this request to generate your SSL certificate. Here’s how to do it:

  1. SSH into your Cloud Key: First, you'll need to access your Cloud Key via SSH. If you're on Windows, PuTTY is a good option; if you're on macOS or Linux, you can just use the Terminal. Connect to your Cloud Key using its IP address.

    ssh root@<cloudkey-ip-address>
    
  2. Navigate to the SSL directory: Once logged in, navigate to the directory where the SSL certificates are managed.

    cd /etc/ssl/private
    
  3. Generate the CSR: Run the following command to create your CSR. This command will also generate a private key, which you will need later.

    openssl req -new -newkey rsa:2048 -nodes -keyout unifi.key -out unifi.csr
    
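    You’ll be prompted to enter some information like your domain name, company name, and location. Make sure to fill these out accurately; enter the domain name you use to reach the Cloud Key as the Common Name. The -nodes option writes unifi.key without a passphrase, so keep that file on the Cloud Key and never send it to anyone, including the CA.

  4. Submit the CSR to a Certificate Authority: After generating the CSR, you’ll need to submit it to a CA. They will use this request to create your SSL certificate, which you’ll download in the next step.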

Step 2: Receiving and downloading your SSL certificate

Once you’ve submitted your CSR to a Certificate Authority, they’ll validate your request. This might take a bit of time, especially if domain ownership needs to be verified. Once the validation is complete, the CA will issue your SSL certificate.

Typically, you’ll receive the following files:

  • Your SSL certificate (".crt" file)
  • The intermediate certificate (".ca-bundle" file)
  • The root certificate (this one is optional)

Download these files and store them in a safe place on your computer. You’ll need them shortly.

Step 3: Installing the SSL certificate on your Cloud Key

With your SSL certificate files in hand, it’s time to install them on your UniFi Cloud Key.

  1. Upload the certificate files to the Cloud Key: You need to get these files onto your Cloud Key. The easiest way is to use SCP (secure copy protocol):

    scp /path/to/your/certificate.crt root@<cloudkey-ip-address>:/etc/ssl/private/unifi.crt
    
    scp /path/to/your/intermediate.ca-bundle root@<cloudkey-ip-address>:/etc/ssl/private/unifi-chain.crt
    
  2. Configure the Cloud Key to use the SSL certificate: After uploading the files, configure your Cloud Key to use the new SSL certificate.

    Open the configuration file in a text editor. You can use nano, vi, or any editor you’re comfortable with:

    nano /etc/default/unifi

    Add or modify the following lines to point to your SSL certificate files:

    UNIFI_SSL_KEY=/etc/ssl/private/unifi.key
    UNIFI_SSL_CERT=/etc/ssl/private/unifi.crt
    UNIFI_SSL_CHAIN=/etc/ssl/private/unifi-chain.crt
    
  3. Restart the UniFi service: To apply your changes, you need to restart the UniFi service:

    service unifi restart
    

Step 4: Verifying the SSL certificate installation

Now that everything is set up, it’s important to verify that your SSL certificate is working as expected.

  1. Check the connection: Open your web browser and navigate to your UniFi Cloud Key’s interface. The URL should now start with "https://", and you should see a padlock icon in the address bar. This indicates that the connection is secure.

  2. View the certificate details: Click on the padlock icon in your browser’s address bar to view the SSL certificate details. Ensure that the certificate matches the domain you specified and that it is issued by the CA you used.

SSL certificates are typically valid for 90 days or one year, depending on your Certificate Authority. To avoid your certificate expiring and leaving your site unprotected, it’s a good idea to automate the renewal process.

If you used Let’s Encrypt for your SSL certificate, you can automate the renewal process with Certbot, a simple tool designed to manage SSL certificates.

  1. Install Certbot: If Certbot isn’t already installed on your Cloud Key, you can do so with:

    apt-get install certbot
    
  2. Set up automatic renewal: Certbot can automatically renew your certificate before it expires. You can set up a cron job to check and renew your certificate periodically.

    Open your crontab file:

    crontab -e

    Add the following line to check and renew the certificate twice a day:

    0 */12 * * * /usr/bin/certbot renew --quiet
    
  3. Test the renewal process: To make sure everything is working, you can test the renewal process manually:

    certbot renew --dry-run
    

This command will simulate the renewal process and let you know if it’s working correctly. If there are any issues, Certbot will provide feedback on what went wrong.

Troubleshooting common issues

Even when following instructions to the letter, things can sometimes go wrong. Here are some common issues you might run into and how to resolve them:

  • Certificate not recognized by the browser: If your browser doesn’t recognize the SSL certificate, ensure that you’ve installed both the SSL certificate and the intermediate CA bundle. If the intermediate certificate isn’t installed correctly, the browser might not trust your certificate.

  • SSL errors or warnings: If you receive SSL errors, double-check that the certificate and the private key match. Also, verify that the certificate was issued for the domain you use to reach the Cloud Key.

  • “Not Secure” warning still displayed: If your browser still shows the site as "Not Secure," try clearing your browser cache. If that doesn’t help, review your SSL certificate’s installation and ensure there are no typos in your configuration files.
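
The checks from the troubleshooting list above (key and certificate match, intermediate chain in place), plus key file permissions and remaining validity, written as a script to run before restarting the UniFi service. This is an added example, not part of the original article; the file names follow Steps 1 to 3, and the 30-day threshold and the script name check-unifi-cert.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the Cloud Key
# before "service unifi restart". File names follow the article's Steps 1-3;
# the 30-day expiry threshold is an assumption.

# True when the private key ($1) and the certificate ($2) carry the same
# public key. Works for RSA and EC keys; returns 2 if either file is unreadable.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when the key file grants no access to group or others. The -nodes flag
# in Step 1 leaves the key unencrypted, so file mode is its only protection.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# True when the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the certificate ($1) chains through the intermediates ($2) to a
# trusted root. $3 is an optional root file; default is the system trust store.
chain_verifies() {
    openssl verify ${3:+-CAfile "$3"} -untrusted "$2" "$1" >/dev/null 2>&1
}

# Run all checks when called as: sh check-unifi-cert.sh KEY CERT CHAIN
if [ "$#" -ge 3 ]; then
    rc=0
    key_matches_cert "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    key_is_private "$1"         || { echo "FAIL: key readable by group/others"; rc=1; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    chain_verifies "$2" "$3"    || { echo "FAIL: chain does not verify"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to restart the UniFi service"
    exit "$rc"
fi
```

On the Cloud Key, run it as: sh check-unifi-cert.sh /etc/ssl/private/unifi.key /etc/ssl/private/unifi.crt /etc/ssl/private/unifi-chain.crt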

Final Thoughts

Setting up an SSL certificate on your UniFi Cloud Key is a critical step in securing your network management interface. Although it may seem complex, following these steps will ensure your data is encrypted and protected.

You’ve successfully generated a CSR, installed your SSL certificate, and verified its installation. Your network management is now significantly more secure. Don’t forget to consider setting up automatic renewals, especially if you’re using Let’s Encrypt. This ensures that your SSL certificate doesn’t expire unexpectedly, leaving your Cloud Key vulnerable.

If all this seems a bit too much to handle, or if you just prefer to focus on other aspects of managing your network, we at UniHosted can help. We specialize in hosting UniFi Controller with SSL pre-configured, among other features, so you can skip all the hassle.
