Ubiquiti has discontinued UniFi Video and I do
not endorse its replacement. More information may
be found in
this post.
I run UniFi to manage my various Ubiquiti access points, now across multiple sites and I try to setup everything with HTTPS only and with certificates signed by my internal CA. I followed for the instructions provided by Ubiquiti for UniFi back when I installed it.
Recently I added UniFi Video into the mix and am running that application on the same VM as UniFi (yeah, the names of the applications are a bit confusing) so I wanted to use the same certificate since the hostname and IP are the same.
The problem with this is that in the Ubiquiti documentation you use the Java keystore to create a CSR and sign it. This means you never get the private key so you can't import the resulting certificate into a different keystore. You can however import a keystore entry into another keystore. So this is how I used that to work around the lack of a private key.
Note
If all you want to do is use a custom certificate with UniFi Video and not copy the certificate from UniFi you can look here, which are the instructions that I based the installation phase of this procedure on.
Background
I have the software installed on a VM running Debian 8, with the following versions of the Ubiquiti software installed from their apt repositories. The process should be similar for other distributions and versions, but the paths are likely to be different so go poking around before trying this.
> dpkg -l unifi\* | awk '/^ii/ { printf "%s - %s\n", $2, $3 }'
unifi - 5.6.22-10205
unifi-video - 3.8.5
Tangent
Since I use Puppet for configuration management, I built the VM using my normal Debian PXEBoot installer which automagically configures the new system with Puppet as a postinst task. The entire manifest set will configure all the base things (auto-updates, Icinga monitoring, NTP, DNS, SSL Certificate trust, NFS, LDAP and more!), but this manifest is all it takes to get a combined UniFi and UniFi Video system (with auto-update). It is really nice when software plays nice together.
# Setup the UBNT NMS for the UniFi wifi gear.
class unifi_nms {
include 'apt'
apt::source { 'ubnt':
location => 'http://www.ubnt.com/downloads/unifi/debian',
repos => 'ubiquiti',
release => 'stable',
key => '4A228B2D358A5094178285BE06E85760C0A52C50',
key_server => 'keyserver.ubuntu.com',
include_src => false,
}
apt::source { 'unifi-video':
location => 'http://www.ubnt.com/downloads/unifi-video/apt-3.x',
repos => 'ubiquiti',
release => 'jessie',
key => '795C6027520643F0BA02297F97B46B8582C6571E',
key_server => 'keyserver.ubuntu.com',
include_src => false,
}
package { 'haveged':
ensure => latest,
}
package { 'unifi':
ensure => latest,
require => [
Apt::Source['ubnt'],
Package['haveged'],
],
}
package { 'unifi-video':
ensure => latest,
require => [
Apt::Source['unifi-video'],
],
}
Overview
In short the process is:
- Stop unifi-video
- Move the existing keystore out of the way
- Export the private key and certificate from unifi
- Convert the certificate to the appropreate formats and move into place
- Start unifi-video
This is the tricky bit, a few things worth documenting for clarity
For UniFi
- The keystore is in /usr/lib/unifi/data
- The key and keystore password is 'aircontrolenterprise'
- The certificate is called 'unifi'
For UniFi Video
- The install base is /usr/lib/unifi-video
- Remove $BASE/data/keystore
- Remove $BASE/data/ufv-truststore
- Remove conf/evostream/server.*
You may want to unmanage your cameras first, the directions are a bit unclear in this exact case and I chose to.
This is what Worked For Me
Stop Services and Backup Keystore
> sudo invoke-rc.d unifi-video stop
> sudo mv /usr/lib/unifi-video/data/{keystore,keystore-orig}
Export Certificate and Key
>sudo keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore unifi.p12 -deststoretype pkcs12
Importing keystore /usr/lib/unifi/data/keystore to unifi.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias cert1 successfully imported.
Entry for alias unifi successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
Use the UniFi password for all 3 password prompts or keytool will complain.
Now convert the PKCS12 store into DER encoded files with OpenSSL.
>openssl pkcs12 -in unifi.p12 -nokeys -clcerts -passin pass:aircontrolenterprise | openssl x509 -outform der -out unifi_cert.der
>openssl pkcs12 -in unifi.p12 -nocerts -passin pass:aircontrolenterprise -passout pass:123456 | openssl pkcs8 -topk8 -inform PEM -passin pass:123456 -outform DER -nocrypt -out unifi_key_decrypted.der
Prepare and Install Certificate and Key
Now these get moved into place as specified by the documentation...
>sudo rm /usr/lib/unifi-video/data/{keystore,ufv-truststore}
>sudo rm /usr/lib/unifi-video/conf/evostream/server.*
>sudo mkdir /usr/lib/unifi-video/data/certificates
>sudo mv unifi_cert.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
>sudo mv unifi_key_decrypted.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der
>sudo chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
>sudoedit /usr/lib/unifi-video/data/system.properties
Restart
>sudo invoke-rc.d unifi-video start
Verify
If all goes well you should see something like this in /var/log/unifi-video/server.log:
1513647038.643 2017-12-18 20:30:38.643/EST: INFO >>>> unifi-video v3.8.5+a24428.171030.1542 is starting in main
1513647038.713 2017-12-18 20:30:38.713/EST: INFO Loading camera keystore from /usr/lib/unifi-video/data/cam-keystore... in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO Creating a new app key store and import custom certs in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO Importing custom app key/cert pair in keystore in main
1513647038.792 2017-12-18 20:30:38.792/EST: INFO importPrivateKey: loading keystore /usr/lib/unifi-video/data/keystore in main
1513647038.793 2017-12-18 20:30:38.793/EST: INFO importPrivateKey: loading key /usr/lib/unifi-video/data/certificates/ufv-server.key.der in main
1513647038.835 2017-12-18 20:30:38.835/EST: INFO importPrivateKey: loaded cert chain /usr/lib/unifi-video/data/certificates/ufv-server.cert.der - 1 certs found in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO importPrivateKey: stored the key in main
1513647038.854 2017-12-18 20:30:38.854/EST: INFO Custom app keystore created and loaded sucessfully in main
1513647038.863 2017-12-18 20:30:38.863/EST: INFO Loading app keystore from /usr/lib/unifi-video/data/keystore... in main
1513647038.877 2017-12-18 20:30:38.877/EST: INFO loadTrustStore load existing file: ufv-truststore in main
1513647039.064 2017-12-18 20:30:39.064/EST: INFO SSL Keystore initialized in main
1513647039.145 2017-12-18 20:30:39.145/EST: INFO Controller starting in main
Enjoy
Now you can re-manage your cameras. I suspect since cam-keystore is left in place that un-managing and re-managing your cameras may not be needed but I'm going to err on the side of caution here.
All of my previously configured settings for the camera were re-applied (recording settings, motion zones, etc..), so it was only like 3 extra clicks for a little bit of safety.
Edited
I corrected the OpenSSL key export command and verified it with UniFi Video 3.10.18.