Use your UniFi SSL certificate with UniFi Video_

December 18, 2017 @20:48

I run UniFi to manage my various Ubiquiti access points, now across multiple sites and I try to setup everything with HTTPS only and with certificates signed by my internal CA. I followed for the instructions provided by Ubiquiti for UniFi back when I installed it.

Recently I added UniFi Video into the mix and am running that application on the same VM as UniFi (yeah, the names of the applications are a bit confusing) so I wanted to use the same certificate since the hostname and IP are the same.

The problem with this is that in the Ubiquiti documentation you use the Java keystore to create a CSR and sign it. This means you never get the private key so you can't import the resulting certificate into a different keystore. You can however import a keystore entry into another keystore. So this is how I used that to work around the lack of a private key.

Note

If all you want to do is use a custom certificate with UniFi Video and not copy the certificate from UniFi you can look here, which are the instructions that I based the installation phase of this procedure on.

Background

I have the software installed on a VM running Debian 8, with the following versions of the Ubiquiti software installed from their apt repositories. The process should be similar for other distributions and versions, but the paths are likely to be different so go poking around before trying this.

> dpkg -l unifi\* | awk '/^ii/ { printf "%s - %s\n", $2, $3 }'
unifi - 5.6.22-10205
unifi-video - 3.8.5

Tangent

Since I use Puppet for configuration management, I built the VM using my normal Debian PXEBoot installer which automagically configures the new system with Puppet as a postinst task. The entire manifest set will configure all the base things (auto-updates, Icinga monitoring, NTP, DNS, SSL Certificate trust, NFS, LDAP and more!), but this manifest is all it takes to get a combined UniFi and UniFi Video system (with auto-update). It is really nice when software plays nice together.

# Setup the UBNT NMS for the UniFi wifi gear.
class unifi_nms {
    include 'apt'
    apt::source { 'ubnt':
        location   => 'http://www.ubnt.com/downloads/unifi/debian',
        repos      => 'ubiquiti',
        release    => 'stable',
        key        => '4A228B2D358A5094178285BE06E85760C0A52C50',
        key_server => 'keyserver.ubuntu.com',
        include_src =>  false,
    }

    apt::source { 'unifi-video':
        location => 'http://www.ubnt.com/downloads/unifi-video/apt-3.x',
        repos => 'ubiquiti',
        release => 'jessie',
        key => '795C6027520643F0BA02297F97B46B8582C6571E',
        key_server => 'keyserver.ubuntu.com',
        include_src => false,
    }

    package { 'haveged':
        ensure => latest,
    }

    package { 'unifi':
        ensure => latest,
        require => [
            Apt::Source['ubnt'],
            Package['haveged'],
        ],
    }

    package { 'unifi-video':
        ensure => latest,
        require => [
            Apt::Source['unifi-video'],
        ],
    }

Overview

In short the process is:

  1. Stop unifi-video
  2. Move the existing keystore out of the way
  3. Export the private key and certificate from unifi
  4. Convert the certificate to the appropreate formats and move into place
  5. Start unifi-video

This is the tricky bit, a few things worth documenting for clarity

For UniFi

For UniFi Video

You may want to unmanage your cameras first, the directions are a bit unclear in this exact case and I chose to.

This is what Worked For Me

Stop Services and Backup Keystore

> sudo invoke-rc.d unifi-video stop
> sudo mv /usr/lib/unifi-video/data/{keystore,keystore-orig}

Export Certificate and Key

>sudo keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore unifi.p12 -deststoretype pkcs12
Importing keystore /usr/lib/unifi/data/keystore to unifi.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias cert1 successfully imported.
Entry for alias unifi successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled

Use the UniFi password for all 3 password prompts or keytool will complain.

Now convert the PKCS12 store into DER encoded files with OpenSSL.

>openssl pkcs12 -in unifi.p12 -nokeys -clcerts -passin pass:aircontrolenterprise | openssl x509 -outform der -out unifi_cert.der
>openssl pkcs12 -in unifi.p12 -nocerts -passin pass:aircontrolenterprise -passout pass:123456 | openssl pkcs8 -topk8 -inform PEM -passin pass:123456 -outform DER -nocrypt -in unifi_key.pem -out unifi_key_decrypted.der

Prepare and Install Certificate and Key

Now these get moved into place as specified by the documentation...

>sudo rm /usr/lib/unifi-video/data/{keystore,ufv-truststore}
>sudo rm /usr/lib/unifi-video/conf/evostream/server.*
>sudo mkdir /usr/lib/unifi-video/data/certificates
>sudo mv unifi_cert.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
>sudo mv unifi_key_decrypted.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der
>sudo chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
>sudoedit /usr/lib/unifi-video/data/system.properties

Restart

>sudo invoke-rc.d unifi-video start

Verify

If all goes well you should see something like this in /var/log/unifi-video/server.log:

1513647038.643 2017-12-18 20:30:38.643/EST: INFO   >>>> unifi-video v3.8.5+a24428.171030.1542 is starting in main
1513647038.713 2017-12-18 20:30:38.713/EST: INFO   Loading camera keystore from /usr/lib/unifi-video/data/cam-keystore... in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   Creating a new app key store and import custom certs in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   Importing custom app key/cert pair in keystore in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO   importPrivateKey: loading keystore /usr/lib/unifi-video/data/keystore in main
1513647038.793 2017-12-18 20:30:38.793/EST: INFO   importPrivateKey: loading key /usr/lib/unifi-video/data/certificates/ufv-server.key.der in main
1513647038.835 2017-12-18 20:30:38.835/EST: INFO   importPrivateKey: loaded cert chain /usr/lib/unifi-video/data/certificates/ufv-server.cert.der - 1 certs found in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO   importPrivateKey: stored the key in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO   Custom app keystore created and loaded sucessfully in main
1513647038.863 2017-12-18 20:30:38.863/EST: INFO   Loading app keystore from /usr/lib/unifi-video/data/keystore... in main
1513647038.877 2017-12-18 20:30:38.877/EST: INFO   loadTrustStore load existing file: ufv-truststore in main
1513647039.064 2017-12-18 20:30:39.064/EST: INFO   SSL Keystore initialized in main
1513647039.145 2017-12-18 20:30:39.145/EST: INFO   Controller starting in main

Enjoy

Success Screen Shot

Now you can re-manage your cameras. I suspect since cam-keystore is left in place that un-managing and re-managing your cameras may not be needed but I'm going to err on the side of caution here.

All of my previously configured settings for the camera were re-applied (recording settings, motion zones, etc..), so it was only like 3 extra clicks for a little bit of safety.

Subscribe via RSS. Send me a comment.