Update:
As of Jan 6th, 2025, Ubiquiti now allows users to upload custom SSL/TLS certificates through the WebUI (UniFi OS v4.1). I do not see any documentation on where the certificate and key would be stored in the actual console, so for now, we might need to update them manually.
To upload a new certificate, you will need to create two files (in PEM format):
1. Certificate bundle (bundle the certificate up to the intermediate chain, not including the root certificate)
2. Certificate key
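A pre-upload check for the two files listed above, as an added example that is not part of the original article or any Ubiquiti tooling: it confirms the bundle contains no self-signed root, that each certificate is issued by the one after it, and that the key matches the first certificate. The function name check_upload_files and the leaf-first ordering of the bundle are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload check of the bundle and key (PEM).
# Assumption: leaf certificate first, then its intermediates, in issuing order.
# Usage: sh check.sh bundle.pem key.pem   (exit status 0 = all checks passed)
check_upload_files() {
    bundle=$1; key=$2
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert-1.pem, cert-2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert-" n ".pem") }' "$bundle"
    rc=0; i=1
    [ -f "$tmp/cert-1.pem" ] || { echo "no certificate found in $bundle"; rc=1; }
    while [ -f "$tmp/cert-$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject_hash)
        issr=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        # Subject name equal to issuer name: self-issued, which is how a root looks.
        if [ "$subj" = "$issr" ]; then
            echo "cert #$i is self-signed (root): remove it from the bundle"; rc=1
        fi
        # Each certificate should be issued by the one that follows it.
        next="$tmp/cert-$((i + 1)).pem"
        if [ -f "$next" ] &&
           [ "$issr" != "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
            echo "cert #$i is not issued by cert #$((i + 1)): check the order"; rc=1
        fi
        i=$((i + 1))
    done
    # The private key must belong to the leaf (first) certificate.
    if [ "$rc" -eq 0 ]; then
        cert_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey)
        # -passin pass: avoids an interactive prompt if the key is encrypted.
        key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
        [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
            { echo "private key does not match the leaf certificate"; rc=1; }
    fi
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_upload_files "$1" "$2"; fi
```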
You can navigate to network/default/settings/control-plane/console, where there is a new entry called “Certificates”.
Clicking on it brings up a prompt that asks you to provide a name and upload the two files.
Once you have uploaded the certificate, you will be able to activate it.
You can also click on Add New to upload more certificates, or click on Manage and then check the box on the left to remove a certificate (the remove button is only visible after you have checked at least one entry).
Now, I will use this while waiting for Ubiquiti to officially support updating certificates through the CLI. Might update this article if that happens, might not.
Original article:
As a Ubiquiti equipment owner, like many others I wanted to use my UniFi devices locally, and that would need a custom SSL/TLS cert to bypass the unknown certificate / self-signed warning issue, especially when the domain has HSTS.
Because Ubiquiti currently does not allow you to upload a certificate through the UniFi Portal, you will need to be a bit more creative and install it through SSH. It is not officially supported, so the experiences are YMMV and depend heavily on the OS version.
For UDM OS v1/v2, I have been using the guide from Scott Helme: https://scotthelme.co.uk/setting-up-https-on-the-udm-pro/ & https://scotthelme.co.uk/setting-up-https-on-the-unifi-nvr/
Unfortunately, UDM OS v3/v4 introduced breaking changes, and the command used before to restart the service now also regenerates the SSL cert as self-signed and overrides any existing certs.
After spending a few days digging on the UniFi forum, I noticed this issue: https://community.ui.com/questions/Custom-certs-no-longer-possible-on-UDMP-with-3-2-9/4e42e6f5-96fb-42c6-bcc1-6662f52103ae#answer/d0b43549-31cf-4e77-95d2-d93c6e0c537c
Since Ubiquiti changed the command, you now need to use systemctl restart nginx to restart the service without overriding the config. I think this will be overridden after a reboot or system upgrade; we shall see. Hopefully Ubiquiti will provide an official way to upload the certificate and key so I can stop suffering lol