UniFi - Controller Custom SSL using Mac OSX Keychain Assistant and OpenSSL

Overview


In this article users will learn how to avoid issues with Safari web browser and "websocket errors" (example: "This website is not trusted").


The problem goes beyond explicitly trusting the default SSL certificate (as this alone does not work). By creating your own Certificate Authority (CA) and replacing the default certificate with this signed certificate you can avoid the web errors. This is the story of that attempt, complete with instructions should anyone want to try it for themselves. (Also, for me, just in case I have to do this again!)


A quick note before I start: You'll need OpenSSL and a computer running Mac OSX to complete this.

In brief, the steps are:

  1. Create a Certificate Authority
  2. Create a Certificate signed by the CA just created
  3. Export the Certificate & Private Key
  4. Prepare a certificate file
  5. Upload the certificate file to the router and replace the default

Steps


So, in detail the steps are:

1. Create a Certificate Authority

I used Keychain Assistant to do this, I'm sure it's possible to do with OpenSSL, but I wanted my OS to natively trust this CA.

  1. Open Keychain Assistant (Applications > Utilities > Keychain Assistant)
  2. From the "Keychain Assistant" menu, select "Certificate Assistant" and then "Create a Certificate Authority..."
  3. For the "Create Your Certificate Authority" page...
    a) Give your CA a name (Remember this name)
    b) Identity Type = Self Signed Root CA (it's the default),
    c) User Certificate = SSL Server
    d) Check "Let me override defaults"
    e) Optional: uncheck "Make this CA the default" 
    f) Optional: change the "Email from" field to an email of your choosing
    g) Hit "Continue"
  4. For the first "Create Information" page...
    a) Serial Number = 1
    b) Validity Period (days) = 3650 (You can set this to whatever you want, but you'll need to redo this after the validity period expires)
    c) Optional: check "Create a CA web site" and set the location.  (Probably don't do this)
    d) Uncheck "Sign your invitation"
    e) Hit "Continue"
  5. For the second "Create Information" page...
    a) Complete the details as you see fit and continue to the next page
  6. For the "Key Usage Extension for this CA" page...
    a) Leave these details as they are defaulted, hit continue
  7. For the "Key Usage Extension for this CA" page...
    a) Leave these details as they are defaulted, hit continue
  8. For the "Key Usage Extension for Users of this CA" page...
    a) Leave these details as they are defaulted, hit continue
  9. For the "Extended Key Usage Extension for this CA" page...
    a) Leave these details as they are defaulted, hit continue
  10. For the "Extended Key Usage Extension for Users of this CA" page...
    a) Leave these details as they are defaulted, hit continue
  11. For the "Basic Constraints Extension for this CA" page...
    a) Leave these details as they are defaulted, hit continue
  12. For the "Basic Constraints Extension for users of this CA" page...
    a) Leave these details as they are defaulted, hit continue
  13. For the "Subject Alternate Name Extension for This CA" page...
    a) Leave these details as they are defaulted, hit continue
  14. For the "Subject Alternate Name Extension for Users of This CA" page...
    a) Leave these details as they are defaulted, hit continue
  15. For the "Specify a Location For The Certificate" page...
    a) Optional: Change the location for the Keychain (Please remember this Keychain)
    b) Check "On this machine, trust certificates signed by this CA"
    c) Hit Create

2. Create a Certificate signed by the CA just created

Continuing with Keychain Access...

  1. Navigate to the Keychain where you saved the Certificate Authority and find your CA's private key (there will be three with the same name: A certificate, public key and private key)
  2. Right-Click on the "Private Key" and click "Create a certificate with xxxxx..."
  3. On the "Create your Certificate" page
    a) Give it a name, I like to use the hostname of my router (e.g. ubnt.local) (Remember this name)
    b) Identity Type = "Leaf"
    c) Certificate Type = "SSL Server"
    d) Check "Let me override defaults"
    e) Hit continue
  4. On the "Certificate Information" page
    a) Serial number = 1
    b) Validity Period (days)  = 365 (You can set this to whatever you want, but you'll need to re-create this certificate after the validity period expires)
    c) Hit continue
  5. For the second "Create Information" page...
    a) Complete the details as you see fit and continue to the next page
  6. For the "Key Usage Extension" page...
    a) Leave these details as they are defaulted, hit continue
  7. For the "Extended Key Usage Extension" page...
    a) Check "SSL Server Authentication"
    b) Uncheck all other capabilities
  8. For the "Basic Constraints Extension" page...
    a) Leave these details as they are defaulted, hit continue
  9. For the "Subject Alternate Name Extension" page...
    a) clear rfc822Name
    b) clear URI
    c) dNSName = URL/hostname of your GUI (e.g. ubnt.local)
    d) iPAddress = IP address of your GUI
  10. For the "Specify a Location For The Certificate" page...
    a) Optional: Change the location for the Keychain (Please remember this Keychain)
    b) Hit Create

3. Export the Certificate & Private Key

  1. Navigate to the Keychain where you saved the Certificate and find its private key and certificate (there will be three with the same name: A certificate, public key and private key)
  2. Right click on the Certificate and choose export
    a) Save the file, using the Certificate File Format (Remember the file name and location of this file!)
  3. Right click on the Private Key and choose export
    a) Save the file, using the Personal Information Exchange (.p12) File Format (Remember the file name and location of this file!)

4. Prepare a certificate file

I've used OpenSSL to do this, though I'm sure there are other ways.

You'll need command line experience from here on in ... sorry!

  1. Open a terminal window (Applications > Utilities > Terminal)
  2. Optional: Change directory to the folder that contains your certificate / private key files
     cd path_to_files
  3. Convert the certificate file to a PEM file (replace the file names as appropriate)
     openssl x509 -inform der -in certificate.cer -out certificate.pem
  4. Convert the private key file to a PEM file (replace the file names as appropriate). The -nodes option writes the key out unencrypted, so treat privateKey.pem and anything built from it as a secret.
     openssl pkcs12 -in privateKey.p12 -out privateKey.pem -nodes
  5. Concatenate the two files together (replace the file names as appropriate)
     cat privateKey.pem certificate.pem > server.pem
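For readers who would rather skip the Keychain Assistant wizard (the author notes it should be possible with OpenSSL alone), the following script is an added example, not code from the original article: it covers steps 1, 2 and 4 end to end with OpenSSL, creating a private CA, issuing a leaf certificate restricted to SSL server authentication with DNS and IP subject alternative names, bundling key and certificate into server.pem, and then checking, before anything is uploaded, that the private key actually belongs to the certificate and that the certificate validates for the router's hostname and IP. The CA name "Home Lab CA", the hostname ubnt.local, the IP 192.168.1.1 and the file names are assumptions; substitute your own.

```shell
# Added example (not from the original article): OpenSSL-only equivalent of
# steps 1, 2 and 4, plus a pre-upload check of the resulting server.pem.
# Hostname, IP, CA name and file names below are assumptions.

# make_ca DIR NAME: self-signed root CA, 3650 days like the article's CA.
make_ca() {
  dir=$1 name=$2
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# issue_leaf DIR HOST IP: server certificate signed by the CA in DIR, 365 days,
# limited to SSL server authentication, with SANs for the hostname and the IP
# (the same choices the article makes in the Certificate Assistant).
issue_leaf() {
  dir=$1 host=$2 ip=$3
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
}

# bundle DIR: private key first, then certificate, the layout lighttpd reads.
# The key is unencrypted (-nodes), so the file is made owner-readable only.
bundle() {
  dir=$1
  cat "$dir/leaf.key" "$dir/leaf.pem" > "$dir/server.pem"
  chmod 600 "$dir/server.pem"
}

# verify_bundle DIR HOST IP: returns 0 only if the key in server.pem matches the
# certificate and the certificate chains to ca.pem and is valid for HOST and IP.
verify_bundle() {
  dir=$1 host=$2 ip=$3
  key_pub=$(openssl pkey -in "$dir/server.pem" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$dir/server.pem" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ] || { echo "key/certificate mismatch"; return 1; }
  # openssl x509 skips the key block and extracts the certificate alone
  openssl x509 -in "$dir/server.pem" -out "$dir/leaf_only.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" -verify_ip "$ip" \
    "$dir/leaf_only.pem" >/dev/null 2>&1 \
    || { echo "certificate does not validate for $host / $ip"; return 1; }
  return 0
}

# run_pipeline DIR HOST IP: the whole procedure, exit status of the final check.
run_pipeline() {
  make_ca "$1" "Home Lab CA" && issue_leaf "$1" "$2" "$3" \
    && bundle "$1" && verify_bundle "$1" "$2" "$3"
}

# Demo run in a scratch directory with constructed values.
demo=$(mktemp -d)
if run_pipeline "$demo" ubnt.local 192.168.1.1; then
  echo "server.pem ready in $demo (import $demo/ca.pem into Keychain and trust it)"
fi
```

The verification step is the part worth keeping even if you stay with the Keychain Assistant: run it against the server.pem produced in step 4 (with the exported CA certificate as ca.pem) and a key that was exported from the wrong identity, or a certificate missing the dNSName/iPAddress entries, is caught on the Mac rather than as a browser error after the upload. The CA's own private key (ca.key) never needs to leave the Mac; only server.pem goes to the router.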


5. Upload the certificate file to the router

Continuing with Terminal

  1. SSH onto the router
     ssh router_ip_address -l your_user_name
     (enter your password when requested)
  2. You'll need to prepare a folder on the router that you own or otherwise have permissions to. I've used my home folder (replace filenames / folders as appropriate)
     cd /home
     sudo chown your_user_name your_user_name
  3. Open a new Terminal window (cmd+n)
  4. In the new terminal window, copy the file to the router (replace filenames / folders as appropriate)
     scp server.pem your_user_name@router_ip_address:~/server.pem
     (enter your password when requested)
  5. In the original terminal window, change ownership of the file
     sudo chown www-data:www-data ~/server.pem
  6. (Optional) In the original terminal window, back up the default certificate
     sudo cp /etc/lighttpd/server.pem ~/server.pem.backup
  7. In the original terminal window, overwrite the default certificate
     sudo cp ~/server.pem /etc/lighttpd/server.pem
  8. Set permissions on the new certificate file (it contains the private key, so only the owner should be able to read it)
     sudo chmod 400 /etc/lighttpd/server.pem
  9. Restart lighttpd
     sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  10. Test!

 

Supporting posts:

http://community.ubnt.com/t5/EdgeMAX/Custom-SSL-Certificates/td-p/405628
http://community.ubnt.com/t5/EdgeMAX/Replacing-the-self-signed-SSL-certificates/td-p/381481
http://community.ubnt.com/t5/EdgeMAX/Problem-with-lighttpd-and-server-pem/td-p/771390
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://www.techrepublic.com/blog/apple-in-the-enterprise/create-your-own-ssl-ca-with-the-os-x-keycha...
