CSR generation on Ubiquiti Unifi

A CSR (Certificate Signing Request) is a block of code submitted when you activate your SSL in your Namecheap account. It contains encoded information about your company/business and domain name.

CSR Generation on UDM-base

On UDM-base software, you can generate a CSR code by using a few standard commands:

  1. Connect to your server where the controller is installed through the command prompt.
    • On Linux-based or Windows-based servers, you can use PuTTY or a similar application.
    • On macOS, run the Terminal application.
    • On a Windows server, connect via remote desktop (if needed) and run cmd or PowerShell.

    IMPORTANT: Ensure you start the application with administrator rights on Windows or have either root or sudo user access on Linux/macOS.

    To run the application as administrator on Windows, you can right-click the program icon and choose the Run as administrator option or do the following:

    Properties > Compatibility > mark the Run this program as an administrator > OK.

    To enable sudo access on Linux-based systems, run:
    sudo su -

  2. Open the UniFi shell to access the UDM files:

    unifi-os shell

  3. To go to the UniFi controller main folder, run:

    cd /usr/lib/unifi/

  4. To generate the CSR code, run:

    java -jar lib/ace.jar new_cert example.com "Company name" "Locality" "State" CC

  5. Where:

    • example.com is replaced by your actual domain name or subdomain for UniFi (the common name for the certificate);
    • for “Company name”, use your company/organization name or put NA (Not Applicable);
    • for “Locality”, use your city, town, or other locality name;
    • for “State”, use your state or province name or put the same value as Locality;
    • for “CC” (country code), use the appropriate 2-letter ISO 3166 country code.

    HELPFUL TIP: If any values contain more than one word, put them in quotes. Otherwise, UniFi will consider a second word to be a value of the next field (it will show no errors).

    IMPORTANT: When creating a wildcard CSR on UniFi (with a domain name like *.example.com), UniFi puts the domain name (subdomain) specified in the host value into the Organizational Unit field of the CSR. This may cause issues during SSL activation in some systems. However, we did not detect such issues in our system: a CSR with the same Wildcard common name and “Organization unit” field will be accepted anyway.

    A CSR file with the name unifi_certificate.csr.pem will be created in the data subfolder of the UniFi base folder.

  6. Open the CSR file with the command:

    cat /data/unifi_certificate.csr.pem

  7. IMPORTANT: The Private key for the certificate will be saved to the default UniFi keystore in the file /data/keystore/ (or simply keystore, depending on the system).

    Use the text code from the CSR file during certificate activation.

CSR Generation on UDM-pro

On UDM-pro, there is no explicit option for Certificate Signing Request (CSR code) creation. Therefore the Certificate Signing Request should be generated by using an online tool or the OpenSSL command. We'll provide more tips on this later. But first, you'll need to configure the UDM server hostname to start the SSL installation process on your server.

Once you specify the UDM hostname, the system automatically creates a Private key and a self-signed certificate in a specific folder named /mnt/data/unifi-os/unifi-core/config/, but no CSR code will be generated along with the certificate and Private key files.

SSL installation on UDM-Pro requires placing SSL files in this specific folder, named /mnt/data/unifi-os/unifi-core/config/, and this folder is only generated by the system when the user edits the settings to specify the server hostname.

That's why it's obligatory to initiate this process and get the folder with the default files generated. Then, you can replace those files with your SSL later by simply updating the files' names.

Therefore, even though the CSR will need to be generated elsewhere, the UDM hostname should be specified first to get the necessary folder with files created. To initiate this process:

  1. Connect to your UDM-pro interface.
  2. Go to Settings >> Controller Settings >> Advanced Configuration.
  3. Enter the desired subdomain or domain and save the changes.

Because the CSR file is still required to activate your trusted SSL, we recommend using one of these third-party options to create it:

  • An OpenSSL command like this:

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

  • Our online tool or any other similar tool.

Generate the CSR, copy the complete code with the header and footer lines and use it for the activation process.

IMPORTANT: Make sure not to delete or forget to save the Private key generated along with it!
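
The OpenSSL route above, as an added example that is not part of the original article: it creates the key and CSR without interactive prompts, then checks the CSR before it is submitted. The subject check is also how you can see whether an Organizational Unit value ended up in a CSR, as in the wildcard note for UDM-base. The function names, the domain and the subject values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: generate a private key and CSR, then verify them before activation.
# All subject values below are constructed placeholders; replace them with your own.

# make_csr DOMAIN OUTDIR -> writes OUTDIR/server.key and OUTDIR/server.csr
make_csr() {
    local domain="$1" outdir="$2"
    # umask 077 keeps the new private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/server.key" -out "$outdir/server.csr" \
          -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$domain" )
}

# csr_subject CSR -> prints the subject so every field (CN, O, OU, L, ST, C)
# can be reviewed before the CSR is pasted into the activation form.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_matches_key CSR KEY -> returns 0 only if the CSR's self-signature is valid
# and its public key is the one belonging to KEY.
csr_matches_key() {
    local csr_pub key_pub
    # Match on the message text; it is present in both OpenSSL 1.1.1 and 3.x output.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Usage:
#   make_csr unifi.example.com . && csr_subject server.csr
#   csr_matches_key server.csr server.key && echo "CSR and key belong together"
```

Only server.csr is submitted for activation; server.key stays on the machine where the certificate will be installed.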
