Ubiquiti Unifi SSL Certificate on Windows Server 2016

Today I'm going to show you how to install an SSL Certificate in your Ubiquiti Unifi software for use in both the Web interface as well as the Guest Portal.

In this example we were using a wildcard certificate that we use for the domain, but this should work with any certificate wildcard or not, as long as it's from a valid certificate provider.

What you will need for this task are following:

  1. Your PFX file from your valid SSL Certificate
  2. KeyStore Explorer software installed on your machine which can be downloaded here...

Lets get started...

To create your PFX file, open IIS and follow the instruction outlined below:

Choose where you want the exported certificate to be saved and input a complex password to apply to the exported file and click OK.

Now that you've created your PFX file you're now ready for the next stage which is to create the Ubiquiti UniFi SSL keystore file.

Open the KeyStore Explorer software and create a new KeyStore and use the following settings:

  1. KeyStore Type = JKS
  2. Click Tools > Import Key Pair
  3. Select PKCS #12
  4. Input the password you created for your PFX file in IIS earlier
  5. Browse to where you saved the PFX file from IIS and click import
  6. Leave the Alias as the default that Keystore nominated
  7. Set the KeyStore password to "aircontrolenterprise" (without the quotes)
  8. Now click Save and save the file as keystore. Please make sure there is no extension like keystore.pfx. The file should just be named keystore

Now you're ready to apply the keystore file to your Ubiquiti UniFi instance. Firstly, find the path of where your UniFi software is installed. In my case it was C:\Users\Administrator\Ubiquiti UniFi\. You need to go to the sub directory of data so the path should should be something like this:

C:\Users\Administrator\Ubiquiti UniFi\data

Replace the above data path to suit your installation path. In the data folder you see a file called keystore. Rename the keystore file to keystore_orig to save it in case you need to revert to it if this fails.

Now copy your newly created keystore file from the KeyStore Explorer software we created earlier and place it into the C:\Users\Administrator\Ubiquiti UniFi\data folder. Once done, you're ready to apply the new certificate to your UniFi instance. To do that, simply restart the UniFi Controller service as follows:

  1. Open a command prompt as Administrator
  2. net stop UniFi
  3. net start UniFi

You're all done. Now open your favourite browser and navigate to your site to confirm that you have a valid certificate as in the following example:

Consider yourself a superstar!

If you've found this useful, you may want to sign up to our newsletter where you'll receive notices on when we post new articles and helpful "how tos". Just fill out your details below and we'll do the rest...

6 Responses

  1. hi, I've tried that with an valid lets encrypt certificate but after restarting the service ... I've still the unsecure message... whats wrong? thanks
    • Matrix7
      Did you follow the process accurately? A common mistake is where there is a file extension on the file name of your Unifi certificate. Make sure you remove any extension that has accidentally been added.
      • strange, I've made it again today, now it works :-) unbelievable... I've made defenitly same steps... but there was a reboot from the server last weekend...cloud it solve the issue?
        • Matrix7
          I don't think that the reboot would have done anything unless you forgot to restart the UniFi service the first time you did it. Glad to hear you got it going... :)
  2. Great, worked just fine. Apparently it's not necessary to change "Controller Hostname/IP" in UniFi Controller, right?
    • Matrix7
      I'm not sure what you mean about the Controller Hostname/IP in UniFi. This is about an SSL Certificate for a domain. All you need to ensure is that the domain name resolves to the server you have UniFi installed on and that you have a valid SSL certificate setup in IIS that you can export.

Leave a comment

Sign up to our newsletter where you’ll receive notices on when we post new articles and helpful “how tos” to make your IT life easier.