This article assumes that you have already have a certificate, a corresponding private key and the certificate authority certificate. This guide will not guide you on making a CA, certificates or singing a certificate. I would recommend using a OpenSSL wrapper tool such as EasyRSA for certificate management.
The following steps assumes the following:
- You’re logged in via Putty and you are running as root
- The certificate is located in
/etc/ssl/certs - The private key is located in
/etc/ssl/private - The CA certificate is located in
/etc/ssl/certs - UniFi Video is installed into the default location:
/var/lib/unifi-video/
Stop the UniFi Video Service:
service unifi-video stop
Make a backup of the original keystore for fall back purposes:
cp /var/lib/unifi-video/keystore /var/lib/unifi-video/keystore.bak
Using openssl create a pkcs12 public/private key pair with CA certificate:
openssl pkcs12 -export -in /etc/ssl/certs/nvr.pem -inkey /etc/ssl/private/nvr.key \
-out /etc/ssl/private/nvr.p12 -name airvision \
-CAfile /etc/ssl/certs/my-ca-authority.crt -caname root -password pass:ubiquiti
Parameters:
-in Certificate file
-inkey Corresponding private key file
-out The combined certificate file
-name Internal alias for the generated certificate file (do not change for UniFi Video)
-CAfile Certificate Authority certificate
-caname Certificate Authority alias (do not change for UniFi Video)
-password Password for generated certificate file (do not change for UniFi Video)
Using the keytool to import (and create) the new keystore with your certificate:
keytool -importkeystore \
-deststorepass ubiquiti -destkeypass ubiquiti -destkeystore /var/lib/unifi-video/keystore \
-srckeystore /etc/ssl/private/nvr.p12 -srcstoretype PKCS12 -srcstorepass ubiquiti \
-alias airvision
Parameters:
-deststorepass Destination keystore password (do not change for UniFi Video)
-destkeypass Destination private key password (do not change for UniFi Video)
-srckeystore Source keystore (the -out parameter from openssl)
-srcstoretype Source certificate type (the type of certificate output) the openssl command generated
-srcstorepass Source keystore password (as defined in previous command)
-alias Alias for the new certificate (do not change for UniFi Video)
Enable custom certificates in the system.properties:
echo "ufv.custom.certs.enable=true" >> /var/lib/unifi-video/system.properties
Ensure the new keystore has the proper ownership and permissions:
chown unifi-video:unifi-video /var/lib/unifi-video/keystore
chmod 640 /var/lib/unifi-video/keystore
Start the UniFi Video service:
service unifi-video start
After all of this, you should have successfully replaced your UniFi Video SSL certificate. Please let me know if you have any questions!