Custom SSL Certificate Installation for UniFi Video

This article assumes that you already have a certificate, a corresponding private key and the certificate authority certificate. This guide will not walk you through making a CA, creating certificates or signing a certificate. I would recommend using an OpenSSL wrapper tool such as EasyRSA for certificate management.

The following steps assume that:

  • You’re logged in via PuTTY and you are running as root
  • The certificate is located in /etc/ssl/certs
  • The private key is located in /etc/ssl/private
  • The CA certificate is located in /etc/ssl/certs
  • UniFi Video is installed into the default location: /var/lib/unifi-video/

Stop the UniFi Video Service:

service unifi-video stop

Make a backup of the original keystore for fallback purposes:

cp /var/lib/unifi-video/keystore /var/lib/unifi-video/keystore.bak

Using openssl, create a PKCS#12 file that combines the certificate and its private key, passing the CA certificate with -CAfile:

openssl pkcs12 -export -in /etc/ssl/certs/nvr.pem -inkey /etc/ssl/private/nvr.key \
-out /etc/ssl/private/nvr.p12 -name airvision \
-CAfile /etc/ssl/certs/my-ca-authority.crt -caname root -password pass:ubiquiti

Parameters:

-in Certificate file
-inkey Corresponding private key file
-out The combined certificate file
-name Internal alias for the generated certificate file (do not change for UniFi Video)
-CAfile Certificate Authority certificate
-caname Certificate Authority alias (do not change for UniFi Video)
-password Password for generated certificate file (do not change for UniFi Video)
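
The export above assumes that nvr.pem, nvr.key and the CA certificate belong together. The following is an added example, not part of the original article, of checks to run on the three files before the export; the function name check_cert_bundle and its return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# inputs to "openssl pkcs12 -export". Function name and return codes are
# hypothetical, chosen for this example.
#
# Usage: check_cert_bundle CERT KEY CAFILE
#   e.g. check_cert_bundle /etc/ssl/certs/nvr.pem /etc/ssl/private/nvr.key \
#            /etc/ssl/certs/my-ca-authority.crt
# Returns: 0 all checks passed
#          2 a file is missing or cannot be parsed
#          3 private key does not match the certificate
#          4 certificate does not verify against the CA (or has expired)
#          5 certificate expires within 30 days
check_cert_bundle() {
    cert=$1; key=$2; ca=$3

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || return 2
    done

    # Extract the public key from both sides. An unparsable file gives a
    # non-zero exit status or empty output, so two broken files can never
    # compare as equal.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    # The private key must be the one the certificate was issued for.
    [ "$cert_pub" = "$key_pub" ] || return 3

    # The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 4

    # Catch a certificate that is about to expire (30 days = 2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 || return 5

    return 0
}
```
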

Use keytool to import the PKCS#12 file into the new keystore (creating the keystore if needed):

keytool -importkeystore \
-deststorepass ubiquiti -destkeypass ubiquiti -destkeystore /var/lib/unifi-video/keystore \
-srckeystore /etc/ssl/private/nvr.p12 -srcstoretype PKCS12 -srcstorepass ubiquiti \
-alias airvision

Parameters:

-deststorepass Destination keystore password (do not change for UniFi Video)
-destkeypass Destination private key password (do not change for UniFi Video)
-destkeystore Destination keystore file
-srckeystore Source keystore (the -out parameter from openssl)
-srcstoretype Source keystore type (the format of the file the openssl command generated)
-srcstorepass Source keystore password (as defined in previous command)
-alias Alias for the new certificate (do not change for UniFi Video)

Enable custom certificates in the system.properties:

echo "ufv.custom.certs.enable=true" >> /var/lib/unifi-video/system.properties

Ensure the new keystore has the proper ownership and permissions:

chown unifi-video:unifi-video /var/lib/unifi-video/keystore
chmod 640 /var/lib/unifi-video/keystore

Start the UniFi Video service:

service unifi-video start

After all of this, you should have successfully replaced your UniFi Video SSL certificate. Please let me know if you have any questions!
