<div dir="ltr">Subject: I have achieved PARTIAL SUCCESS in installing GoDaddy SSL Certificate in UniFi Cloud Key Gen 2 Plus<br><br>Good day from Singapore,<br><br>I am posting here because UniFi Cloud Key Gen 2 Plus is powered by Debian GNU/Linux 9.<br><br>I have found many reference guides on installing an SSL certificate in UniFi Cloud Key. Please refer to the following list.<br><br>[1] How to install a SSL Certificate on Unifi Cloud Key<br><br>Link: <a href="https://community.ui.com/questions/How-to-install-a-SSL-Certificate-on-Unifi-Cloud-Key/944dbbd6-cbf6-4112-bff5-6b992fcbf2c4#:~:text=Rename%20your%20purchased%20SSL%20certificate,Upload%20to%20Cloud%20Key%E2%80%9D%20folder.&text=Before%20we%20restart%20our%20Cloud,your%20SSL%20certificate%20is%20installed">https://community.ui.com/questions/How-to-install-a-SSL-Certificate-on-Unifi-Cloud-Key/944dbbd6-cbf6-4112-bff5-6b992fcbf2c4#:~:text=Rename%20your%20purchased%20SSL%20certificate,Upload%20to%20Cloud%20Key%E2%80%9D%20folder.&text=Before%20we%20restart%20our%20Cloud,your%20SSL%20certificate%20is%20installed</a><br><br>[2] How to install an SSL Certificate on Unifi Cloud Key?<br><br>Link: <a href="https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/">https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/</a><br><br>[3] Protect the UniFi Cloud Key with a custom SSL certificate<br><br>Link: <a href="https://clemens.ms/protect-the-unifi-cloud-key-with-a-custom-ssl-certificate/">https://clemens.ms/protect-the-unifi-cloud-key-with-a-custom-ssl-certificate/</a><br><br>[4] Deploy dehydrated generated certificate to Unifi controller<br><br>Link: <a href="https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f">https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f</a><br><br>[5] How to quickly setup SSL certificate on Unifi Cloud Key<br><br>Link: <a 
href="https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63">https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63</a><br><br>[6] Unable to import the certificate into keystore<br><br>Link: <a href="https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263">https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263</a><br><br>However, only 2 reference guides worked for me. They are:<br><br>[A] How to quickly setup SSL certificate on Unifi Cloud Key (Java method)<br><br>Link: <a href="https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63">https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63</a><br><br>[B] Unable to import the certificate into keystore<br><br>Link: <a href="https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263">https://community.ui.com/questions/Unable-to-import-the-certificate-into-keystore/c9a42223-1d36-40bf-954a-059508d52263</a><br><br>I shall detail my attempts at following the instructions below. It is not possible to install an SSL certificate in the UniFi Cloud Key using the Web GUI at all. The only way to do it is through the Command Line Interface (CLI). 
There is no other way out.<br><br>1st Attempt FAILED - following the guide at <a href="https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/">https://www.ssldragon.com/blog/install-ssl-certificate-on-unifi-cloud-key/</a><br>======================================================================================================================<br><br>openssl genrsa -out /etc/ssl/private/cloudkey.key 2048<br><br>openssl req -new -batch \<br>-subj "/C=SG/ST=Singapore/L=Singapore/O=Teo-En-Ming-Corporation/OU=IT/CN=cloudkey.teo-en-ming-corp.com/emailAddress=ceo@teo-en-ming-corp.com" \<br>-key /etc/ssl/private/cloudkey.key \<br>-out /etc/ssl/private/cloudkey.csr<br><br>Upload the primary SSL certificate cloudkey.crt to /root<br><br>cp /root/cloudkey.crt /etc/ssl/private/<br><br>openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:temppass<br><br>keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi<br><br>Importing keystore /etc/ssl/private/cloudkey.p12 to /usr/lib/unifi/data/keystore...<br>Existing entry alias unifi exists, overwrite? [no]:  yes<br><br>Warning:<br>The JKS keystore uses a proprietary format. 
It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore /usr/lib/unifi/data/keystore -deststoretype pkcs12".<br><br>keytool -importkeystore -deststorepass temppass -destkeypass temppass -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi<br>Importing keystore /etc/ssl/private/cloudkey.p12 to /usr/lib/unifi/data/keystore...<br>keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect<br><br>mkdir /root/backup<br><br>mv cloudkey.csr /root/backup/<br><br>mv cloudkey.p12 /root/backup/<br><br>tar -cvf cert.tar *<br><br>chown root:ssl-cert /etc/ssl/private/*<br><br>chmod 640 /etc/ssl/private/*<br><br>apt-get install nano<br><br>cp /etc/default/unifi /root/backup/<br><br>nano /etc/default/unifi<br><br>UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks<br><br>cd /etc/ssl/private<br><br>cp cloudkey.crt /usr/lib/unifi/<br><br>cd /root<br><br>cp gd_bundle-g2-g1.crt /usr/lib/unifi/<br><br>cd /usr/lib/unifi<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt gd_bundle-g2-g1.crt<br>Unable to import the certificate into keystore<br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.crt<br>Unable to import the certificate into keystore<br><br>cd /root/backup/<br><br>cp cloudkey.p12 /usr/lib/unifi<br><br>cd /usr/lib/unifi<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert cloudkey.p12<br>Unable to import the certificate into keystore<br><br>cp /usr/lib/unifi/data/keystore /root/backup/<br><br>rm /usr/lib/unifi/data/keystore<br><br>cd /usr/lib/unifi<br><br><br>2nd Attempt FAILED - following the guide at <a 
href="https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f">https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f</a><br>==============================================================================================================<br><br>cd /root<br><br>cp cloudkey.pem /etc/ssl/private/<br><br>openssl pkcs12 \<br>       -export \<br>     -inkey /etc/ssl/private/cloudkey.key \<br>        -in /etc/ssl/private/cloudkey.crt \<br>   -out /etc/ssl/private/cloudkey.p12 \<br>  -name unifi -password pass:temppass<br><br>keytool \<br>      -importkeystore \<br>     -deststorepass aircontrolenterprise \<br> -destkeypass aircontrolenterprise \<br>   -destkeystore /etc/ssl/private/unifi.keystore.jks \<br>   -srckeystore /etc/ssl/private/cloudkey.p12 \<br>  -srcstoretype PKCS12 \<br>        -srcstorepass temppass \<br>      -alias unifi<br><br>Importing keystore /etc/ssl/private/cloudkey.p12 to /etc/ssl/private/unifi.keystore.jks...<br><br>Warning:<br>The JKS keystore uses a proprietary format. 
It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /etc/ssl/private/unifi.keystore.jks -destkeystore /etc/ssl/private/unifi.keystore.jks -deststoretype pkcs12".<br><br>cd /etc/ssl/private/<br><br>cp cloudkey.pem cloudkey.crt<br><br>tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks<br><br>cp /root/backup/unifi /etc/default/unifi<br><br>UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks<br><br>root@Teo-En-Ming-Corporation:/srv/unifi/logs# grep -i cert server.log<br>[2022-10-25T13:29:06,654] &lt;launcher&gt; ERROR system - Unable to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T13:29:06,683] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:06,687] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:29:35,267] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:35,302] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:31:42,830] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.p12<br>java.security.cert.CertificateParsingException: signed fields invalid<br>        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]<br>        at sun.security.x509.X509CertImpl.&lt;init&gt;(X509CertImpl.java:195) ~[?:1.8.0_332]<br>        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]<br>        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]<br>[2022-10-25T13:31:42,867] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:34:58,933] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T14:12:57,061] &lt;launcher&gt; INFO  system - Generating Certificate[UniFi]... 
please wait...<br>[2022-10-25T14:12:58,665] &lt;launcher&gt; INFO  system - Certificate[UniFi] generated!<br><br><br>3rd Attempt - JAVA method - following the guide at <a href="https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63">https://community.ui.com/questions/How-to-quickly-setup-SSL-certificate-on-Unifi-Cloud-Key/d991c17f-d7e0-4778-be83-f2a91c47bc63</a><br>===================================================================================================================================================================================<br><br>java -jar lib/ace.jar new_cert cloudkey.teo-en-ming-corp.com Teo-En-Ming-Corporation Singapore Singapore SG<br><br>java -jar lib/ace.jar import_cert &lt;signed_cert&gt; &lt;intermediate_root_cert1&gt; &lt;intermediate_root_cert2&gt; &lt;intermediate_root_cert3&gt;<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt 94d3a5414bcb5742.pem gd_bundle-g2-g1.crt<br>Unable to import the certificate into keystore<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs# grep -i cert server.log<br>[2022-10-25T13:29:06,654] &lt;launcher&gt; ERROR system - Unable to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T13:29:06,683] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:06,687] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:29:35,267] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:35,302] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:31:42,830] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.p12<br>java.security.cert.CertificateParsingException: signed fields invalid<br>        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]<br>        at sun.security.x509.X509CertImpl.&lt;init&gt;(X509CertImpl.java:195) 
~[?:1.8.0_332]<br>        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]<br>        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]<br>[2022-10-25T13:31:42,867] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:34:58,933] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T14:12:57,061] &lt;launcher&gt; INFO  system - Generating Certificate[UniFi]... please wait...<br>[2022-10-25T14:12:58,665] &lt;launcher&gt; INFO  system - Certificate[UniFi] generated!<br>[2022-10-25T15:09:17,326] &lt;launcher&gt; INFO  system - Generating Certificate[cloudkey.teo-en-ming-corp.com]... please wait...<br>[2022-10-25T15:09:18,596] &lt;launcher&gt; INFO  system - Certificate[cloudkey.teo-en-ming-corp.com] generated!<br>[2022-10-25T15:17:54,306] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.pem<br>[2022-10-25T15:17:54,332] &lt;launcher&gt; ERROR system - Unable to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T15:17:54,336] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.crt<br>[2022-10-25T15:17:54,339] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs#<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi#  java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt<br>Unable to import the certificate into keystore<br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.pem<br>Unable to import the certificate into keystore<br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt<br>Unable to import the certificate into keystore<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi/logs# grep -i cert server.log<br>[2022-10-25T13:29:06,654] &lt;launcher&gt; ERROR system - Unable 
to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T13:29:06,683] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:06,687] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:29:35,267] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.crt<br>[2022-10-25T13:29:35,302] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:31:42,830] &lt;launcher&gt; ERROR system - Unable to parse cert cloudkey.p12<br>java.security.cert.CertificateParsingException: signed fields invalid<br>        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]<br>        at sun.security.x509.X509CertImpl.&lt;init&gt;(X509CertImpl.java:195) ~[?:1.8.0_332]<br>        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102) ~[?:1.8.0_332]<br>        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[?:1.8.0_332]<br>[2022-10-25T13:31:42,867] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T13:34:58,933] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T14:12:57,061] &lt;launcher&gt; INFO  system - Generating Certificate[UniFi]... please wait...<br>[2022-10-25T14:12:58,665] &lt;launcher&gt; INFO  system - Certificate[UniFi] generated!<br>[2022-10-25T15:09:17,326] &lt;launcher&gt; INFO  system - Generating Certificate[cloudkey.teo-en-ming-corp.com]... 
please wait...<br>[2022-10-25T15:09:18,596] &lt;launcher&gt; INFO  system - Certificate[cloudkey.teo-en-ming-corp.com] generated!<br>[2022-10-25T15:17:54,306] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.pem<br>[2022-10-25T15:17:54,332] &lt;launcher&gt; ERROR system - Unable to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T15:17:54,336] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.crt<br>[2022-10-25T15:17:54,339] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:20:15,236] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.crt<br>[2022-10-25T15:20:15,264] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:20:45,584] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.pem<br>[2022-10-25T15:20:45,612] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:21:08,616] &lt;launcher&gt; ERROR system - Unable to parse cert gd_bundle-g2-g1.crt<br>[2022-10-25T15:21:08,649] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:24:38,437] &lt;launcher&gt; ERROR system - Unable to parse cert 94d3a5414bcb5742.crt<br>[2022-10-25T15:24:38,463] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:25:33,473] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:25:54,484] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br>[2022-10-25T15:26:15,505] &lt;launcher&gt; ERROR system - Unable to import the signed certficate<br><br>4th and FINAL ATTEMPT - SUCCESS (using Java method)<br>=====================================================<br><br>root@Teo-En-Ming-Corporation:/usr/lib/unifi# java -jar lib/ace.jar import_cert 94d3a5414bcb5742.crt gd_bundle-g2-g1.crt<br>parse gd_bundle-g2-g1.crt (PEM, 3 certs):<br>    found [Go Daddy Secure Certificate Authority - G2]<br>    found [Go Daddy Root Certificate Authority 
- G2]<br>    found [OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US]<br>parse 94d3a5414bcb5742.crt (PEM, 1 certs): cloudkey.teo-en-ming-corp.com<br>Importing signed cert[cloudkey.teo-en-ming-corp.com]<br>... issued by [Go Daddy Secure Certificate Authority - G2]<br>... issued by [Go Daddy Root Certificate Authority - G2]<br>... issued by [OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US]<br>Certificates successfuly imported. Please restart the UniFi Network application.<br><br># service unifi start<br><br>Please note that our UniFi Cloud Key Gen 2 Plus is a standalone device. It is not a UniFi Controller at all.<br><br>When I say I have gotten partial success, it is because the GoDaddy SSL certificate was installed for HTTPS port 8443. As you all know, 8443 is the standard port for the UniFi Controller.<br><br>The GoDaddy SSL certificate was NOT installed for HTTPS port 443 at all. In other words, the GoDaddy SSL certificate was NOT installed for<br><a href="https://cloudkey.teo-en-ming-corp.com">https://cloudkey.teo-en-ming-corp.com</a><br><br>The GoDaddy SSL certificate was installed for <a href="https://192.168.90.2:8443">https://192.168.90.2:8443</a> instead. 
We can view the SSL certificate details below.<br><br>SSL Certificate details<br>=======================<br><br>Issued To<br><br>Common Name (CN)               <a href="http://cloudkey.teo-en-ming-corp.com">cloudkey.teo-en-ming-corp.com</a><br><br>Issued By<br><br>Common Name (CN)         Go Daddy Secure Certificate Authority - G2<br>Organization (O)            GoDaddy.com, Inc.<br>Organizational Unit (OU)     <a href="http://certs.godaddy.com/repository">http://certs.godaddy.com/repository</a><br><br>Validity Period<br><br>Issued On                     Tuesday, October 25, 2022 at 3:12:39 PM<br>Expires On                     Wednesday, October 25, 2023 at 3:12:39 PM<br><br>As you can see from the above certificate details, the GoDaddy SSL certificate was correctly installed for <a href="https://192.168.90.2:8443">https://192.168.90.2:8443</a><br><br>However, when we try to access <a href="https://cloudkey.teo-en-ming-corp.com:8443">https://cloudkey.teo-en-ming-corp.com:8443</a>, it says that SSL Protocol is not supported. Something like that. I can't remember the exact error message.<br><br>I guess this happens because there is no UniFi Controller running at HTTPS port 8443. Only the standalone UniFi Cloud Key UniFi OS is running at HTTPS port 443.<br><br>Also, I guess that the correct/default location for the Java Keystore is /usr/lib/unifi/data/keystore<br><br>It should not be located at /etc/ssl/private/unifi.keystore.jks<br><br>Please advise.<br><br>Thank you very much.<br><br>Regards,<br><br>Mr. Turritopsis Dohrnii Teo En Ming<br>Targeted Individual in Singapore<br>Blogs:<br><a href="https://tdtemcerts.blogspot.com">https://tdtemcerts.blogspot.com</a><br><a href="https://tdtemcerts.wordpress.com">https://tdtemcerts.wordpress.com</a><br></div>
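
Each grep -i cert server.log run in the message above reprints the whole log history, so it is hard to see which parse errors belong to which import. The following is an added example, not part of the original message and not UniFi's own tooling: it folds those log lines into one line per import attempt. The grouping rule (a failed import ends with the "Unable to import the signed certficate" line, spelled as the application writes it) is an assumption drawn only from the excerpts above, and the names import_timeline and sample_log are made up for the illustration.

```shell
#!/bin/sh
# Added example: one line per certificate import attempt found in a UniFi
# server.log. Reads the file named as argument, or stdin when none is given.

import_timeline() {
    awk '
    # Parse failures belong to the import attempt that is still in progress.
    index($0, "ERROR system - Unable to parse cert ") {
        pending = pending (pending == "" ? "" : ",") $NF
        next
    }
    # Assumed end-of-attempt marker (misspelling is the log text itself).
    index($0, "ERROR system - Unable to import the signed certficate") {
        ts = substr($1, 2, length($1) - 2)      # strip the [ ] around the time
        print ts " import FAILED unparsed=" (pending == "" ? "none" : pending)
        pending = ""
        next
    }
    # A freshly generated certificate; later imports apply to this one.
    index($0, "system - Certificate[") && index($0, "] generated!") {
        ts = substr($1, 2, length($1) - 2)
        rest = substr($0, index($0, "Certificate[") + 12)
        print ts " generated " substr(rest, 1, index(rest, "]") - 1)
        next
    }
    # Stack-trace and other lines are ignored.
    ' "$@"
}

# Sample input: a subset of the log lines quoted in the message above.
sample_log() {
    cat <<'EOF'
[2022-10-25T13:31:42,830] <launcher> ERROR system - Unable to parse cert cloudkey.p12
java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:1.8.0_332]
[2022-10-25T13:31:42,867] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T13:34:58,933] <launcher> ERROR system - Unable to import the signed certficate
[2022-10-25T15:09:17,326] <launcher> INFO  system - Generating Certificate[cloudkey.teo-en-ming-corp.com]... please wait...
[2022-10-25T15:09:18,596] <launcher> INFO  system - Certificate[cloudkey.teo-en-ming-corp.com] generated!
[2022-10-25T15:17:54,306] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.pem
[2022-10-25T15:17:54,332] <launcher> ERROR system - Unable to parse cert gd_bundle-g2-g1.crt
[2022-10-25T15:17:54,336] <launcher> ERROR system - Unable to parse cert 94d3a5414bcb5742.crt
[2022-10-25T15:17:54,339] <launcher> ERROR system - Unable to import the signed certficate
EOF
}

# Demonstration on the embedded sample.
sample_log | import_timeline
```

On the device, the same function can be pointed at the log file itself, for example import_timeline /usr/lib/unifi/logs/server.log. Attempts reported with unparsed=none are the ones where every file was read but the import was still rejected.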