This article demonstrates how to install a third-party certificate and set UniFi Video to use it. This will eliminate the warning shown in Chrome when visiting the management page, as well as the certificate acceptance timeout that occurs roughly once a week. Additionally, a certain level of customizable encryption can be provided depending on the certificate obtained from the CA chosen.
This article applies to any Linux-based UniFi Video installation, including our hardware NVR and UniFi Application Server. It will also work on Windows, as the commands should be the same provided OpenSSL is installed; however, the paths on Windows differ from those shown in this article. Note that we are officially working on an SSL certificate import tool for the UI.
Table of Contents
- How to Update the Linux server
- How to Obtain the CSR
- How to Transfer and Import the Certificate
- Related Articles
How to Update the Linux server
Always make a backup of any files being edited (/usr/lib/unifi-video/data/keystore). Ubiquiti support will not provide assistance with implementing this article or with any side effects that arise from implementing it. Credit for this guide goes to tinmith on the community, who put together an absolutely phenomenal guide!
First and foremost, let’s make sure your Linux server is up-to-date. To do so, make sure the server has internet access and then execute:
apt-get update; apt-get upgrade; apt-get clean
How to Obtain the CSR
The CSR is what your CA (Certificate Authority) requires to authenticate that your server is who it says it is. Follow these steps to obtain it:
1. SSH in to your NVR (the article for enabling SSH on our hardware NVR is linked below in Related Articles). This will put you in /root, which is the directory used for the duration of this article.
2. Generate the private key and the CSR by executing:
openssl req -newkey rsa:2048 -keyout nvr.example.com.key -out nvr.example.com.csr
3. You will be prompted for a passphrase while filling in the prompts; enter “ubiquiti” (without double quotes) for any passphrase prompts.
4. This will generate a file called nvr.example.com.csr in the current folder. It is recommended that you keep this file and/or back it up to a safe location.
5. Your CA should prompt you for a CSR when you wish to generate a certificate. To view the contents of the .csr file, execute:
6. Optional but recommended: execute pwd at this time to find out what directory you’re currently in. Always try to stay working within this directory unless specifically instructed otherwise. This will make for a single location in which all the files can be found.
7. Copy the output and paste it to your CA, then submit.
8. Note that the wait time for a CA to read your CSR and provide the certificate varies depending on the CA.
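Once the CA returns the certificate, it is worth confirming that it was issued for the key generated in step 2 before moving on to the import. The following is an added example, not part of the original article; the function name cert_matches_key and the KEY_PASS environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): confirm the CA-issued
# certificate belongs to the private key from step 2 before building the PFX.
# The key passphrase is read from the KEY_PASS environment variable so that it
# does not appear in the process list. KEY_PASS must be set and exported.
#   returns 0 = certificate matches the key and has not expired
#           1 = public keys differ, or the certificate has expired
#           2 = a file could not be read (wrong path, wrong passphrase, not PEM)
cert_matches_key() {
    cert=$1
    key=$2
    # Extract the public key from each file in the same PEM form.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $cert was not issued for $key" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $cert has expired" >&2
        return 1
    fi
    # Print subject, issuer and expiry for a visual check against the
    # hostname that will be used to reach UniFi Video.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
}

# Usage on the server, after exporting KEY_PASS:
#   cert_matches_key "[YOUR CERTIFICATE NAME].crt" nvr.example.com.key
```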
How to Transfer and Import the Certificate
Once you have obtained the certificate, it must be transferred to the server. These are the steps to follow:
1. Download the certificate file(s) from your SSL vendor.
2. Use WinSCP or another SCP option to transfer the certificate to the server you generated the CSR on. Move the certificate files to the same path where you generated your .csr file.
3. Combine the certificate and the private key into a PKCS12 file (certificate.pfx) by executing:
openssl pkcs12 -export -out certificate.pfx -inkey nvr.example.com.key -in [YOUR CERTIFICATE NAME].crt
4. Back up the current keystore by executing the following:
cp /usr/lib/unifi-video/data/keystore /usr/lib/unifi-video/data/keystore-backup
5. Import the key, with the following:
keytool -importkeystore -destkeystore /usr/lib/unifi-video/data/keystore -deststorepass ubiquiti -srckeystore /root/certificate.pfx -srcstoretype PKCS12
6. Confirm the certificate has been entered by executing:
keytool -list -keystore /usr/lib/unifi-video/data/keystore
7. The next step is to remove the "airvision" certificate so it can be replaced with the new certificate. Do so with the following:
keytool -delete -keystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -alias airvision
When prompted, use "ubiquiti" (without double quotes) as the password.
8. Rename the alias of the newly imported certificate to the one used by UniFi Video by executing:
keytool -changealias -keystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -alias 1 -destalias airvision
9. Repeat step 6:
keytool -list -keystore /usr/lib/unifi-video/data/keystore
Only one certificate with the alias "airvision" should be seen now.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
airvision, May 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): [LONG HEXADECIMAL STRING]
10. Restart the UniFi Video service
11. Ensure that the proper ports are forwarded (find an article for required ports linked in Related Articles below) and that DNS is set up, if applicable for the specific certificate.
12. Visit the UniFi Video install via IP or domain name, depending on the certificate type purchased. For example: https://ufv.ubntmattb.com:7443
13. You should now see a valid certificate with no warnings.
If after completing these steps you do not see a valid certificate with no warnings, or you get stuck somewhere, just restore the backup we made in step 4, by executing:
cp /usr/lib/unifi-video/data/keystore-backup /usr/lib/unifi-video/data/keystore
Then restart UniFi Video again and start fresh.
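The listing check from steps 6 and 9 can be scripted so that a leftover alias or a certificate imported without its private key is caught before the service is restarted. This is an added example, not part of the original article; the function name check_keystore_listing and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reads `keytool -list` output on
# stdin and checks that it is in the state step 9 describes. The function name
# and the sample listings below are constructed for illustration.
check_keystore_listing() {
    awk '
        # Entry lines read "alias, Mon D, YYYY, EntryType," (the date holds a comma).
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry), *$/ {
            n = split($0, f, /, */)      # last field is empty, type is f[n-1]
            total++
            if (f[1] == "airvision") { seen++; type = f[n-1] }
            else extra = extra " " f[1]
        }
        END {
            if (total == 0) { print "FAIL: no entries found"; exit 1 }
            if (seen == 0)  { print "FAIL: no airvision alias, found:" extra; exit 1 }
            if (type != "PrivateKeyEntry") {
                print "FAIL: airvision is " type ", private key was not imported"; exit 1
            }
            if (total > 1)  { print "FAIL: extra aliases remain:" extra; exit 1 }
            print "OK: single airvision PrivateKeyEntry"
        }
    '
}

# Constructed listing matching the expected output shown in step 9.
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
airvision, May 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): [LONG HEXADECIMAL STRING]'

# Constructed listing: steps 7-8 skipped, so the imported key still sits under
# alias "1" next to the old airvision entry.
UNRENAMED_LISTING='Your keystore contains 2 entries
1, May 3, 2017, PrivateKeyEntry,
airvision, Jan 10, 2016, PrivateKeyEntry,'

# Constructed listing: only the certificate was imported, without its key.
CERT_ONLY_LISTING='Your keystore contains 1 entry
airvision, May 3, 2017, trustedCertEntry,'

for listing in "$GOOD_LISTING" "$UNRENAMED_LISTING" "$CERT_ONLY_LISTING"; do
    printf '%s\n' "$listing" | check_keystore_listing || true
done
```

On the server, pipe the real listing into the function: keytool -list -keystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti | check_keystore_listing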