How to generate a CSR code using Ubiquiti Unifi

  CSR generation instructions

A Certificate Signing Request (CSR) is a block of code you need to submit during SSL activation. It features information about you and/or your company and your domain name.

CSR Generation on UDM-base

To generate a CSR on UDM-base, you’ll need to use an older process with a few standard commands:

  1. Use the required command prompt to connect to your server where the controller is located.
    • Use Putty or a similar application for Linux- or Windows-based machines
    • Use Terminal on MacOS
    • Connect to a Windows server via remote desktop (if necessary) and run cmd or PowerShell

      PLEASE NOTE: On Windows, make sure you start the application with administrator rights. On Linux/MacOS, you should have either root or sudo user access.
      On Windows, get administrator rights by right-clicking the program icon and then clicking the option, Run as administrator. Alternatively, you can select:
      Properties > Compatibility > Run this program as an administrator > OK.
      On Linux-based systems you can enable sudo access by running:
      sudo su -

  2. Access the UDM files by opening the UniFi shell:

    unifi-os shell

  3. Head to the main folder in the UniFi controller by running:

    cd /usr/lib/unifi/

  4. Create the CSR code by running:

    java -jar lib/ace.jar new_cert example.com "Company name" "Locality" "State" CC


    Where:
    • you replace example.com with your domain or subdomain for UniFi (the certificate’s common name);
    • you replace “Company name” with your business name or NA (Not Applicable);
    • you replace “Locality”, with your city, town, or another locale;
    • you replace “State”, with your state, or province, or the same name you used for “Locality”;
    • for “CC” (country code), use the relevant 2-letter country code for your country, which you can find here.

      TIP: If you need to use more than one word for any values, you should put them in quotation marks. If you don’t, UniFi will consider the second word of a value to belong to the next value. Furthermore, it won’t show you any errors if this happens.

      PLEASE NOTE: If you need to generate a Wildcard (an SSL that contains a subdomain name like *.example.com) CSR on UniFi, the subdomain specified in the host value will be placed in the Organization unit field of the CSR. This may cause an issue for activating an SSL in some systems. Our system accepts CSR codes with the same Wildcard common name and “Organization unit” field, so this will not be an issue if you’re activating your SSL with us.


      When you’re done, you’ll find the generated CSR file called unifi_certificate.csr.pem in the data subfolder of the UniFi base folder.

  5. Use this command to open the CSR file:

    cat /data/unifi_certificate.csr.pem


    PLEASE NOTE: You can find the Private key for the certificate in the default UniFi keystore: /data/keystore/ (or keystore, depending on the system).
    When you activate your certificate, you’ll need to use the text code from the Private key file.

Footnotes:
If you use the option “Auto-activate” during the SSL activation, this whole process can be skipped. However, it will require a specific installation process.
As a general rule, for UniFi on Windows the “Auto-activate” option may be more convenient, while in other cases it is easier to use the CSR created on UniFi.

CSR Generation on UDM-pro

There isn’t a Certificate Signing Request (CSR code) creation option on UDM-pro. As a result, you’ll need to generate the CSR using an online tool or the OpenSSL command, which we’ll discuss later. Before you can install your SSL on the server, you’ll need to configure the UDM server hostname. 

To install an SSL on UDM-pro, you need to place SSL files in a specific folder called /mnt/data/unifi-os/unifi-core/config/. The system can only create this folder when a user edits the server settings to specify the UDM server hostname. That’s why you must change your hostname to create the specific folder with the default files generated. You’ll be able to replace those files with your SSL later by updating the files’ names. 

Edit your UDM hostname as follows:

  1. Connect to your UDM-pro interface.
  2. Go to Settings >> Controller Settings >> Advanced Configuration.
  3. Enter your domain or subdomain and save the changes.

When this is done, the system will automatically generate a Private key and a self-signed certificate in the aforementioned folder, /mnt/data/unifi-os/unifi-core/config/. But, as stated before, it will not generate a CSR code along with the certificate and Private key files. 

You will need a CSR code to activate your SSL, so we recommend using one of these options to make it: 

When creating the CSR, make sure to copy the code, including the header and footer tags, so that you can use it when activating your SSL.

IMPORTANT: Don’t delete or forget to save the Private key that is created simultaneously!
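
The OpenSSL route mentioned for UDM-pro, combined with a subject check that catches the silent value shift described in the TIP for UDM-base, as an added example that is not part of the original instructions. The function names, the output file names unifi.key.pem and unifi.csr.pem, and the RSA 2048 key size are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate a key + CSR with OpenSSL, then confirm every subject
# field landed where intended before the CSR is submitted for activation.

# make_csr DIR CN ORG LOCALITY STATE CC
# Writes DIR/unifi.key.pem and DIR/unifi.csr.pem (hypothetical file names).
make_csr() {
    dir=$1; cn=$2; org=$3; loc=$4; st=$5; cc=$6
    ( umask 077   # private key is created readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/unifi.key.pem" -out "$dir/unifi.csr.pem" \
          -subj "/C=$cc/ST=$st/L=$loc/O=$org/CN=$cn" 2>/dev/null )
}

# csr_field FILE ATTR -> prints one subject attribute (CN, O, OU, L, ST or C).
# RFC2253 output keeps the format stable across OpenSSL versions; values that
# themselves contain commas are not handled by this simple split.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# check_csr FILE CN ORG LOCALITY STATE CC
# Returns 0 only if the CSR self-signature verifies and all five fields match.
check_csr() {
    f=$1; shift
    openssl req -in "$f" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    for attr in CN O L ST C; do
        [ "$(csr_field "$f" "$attr")" = "$1" ] || {
            echo "mismatch in $attr: got '$(csr_field "$f" "$attr")'" >&2
            return 1
        }
        shift
    done
    # An Organization unit (see the Wildcard note) is reported, not rejected.
    ou=$(csr_field "$f" OU); [ -z "$ou" ] || echo "note: OU=$ou" >&2
}
```

check_csr can also be pointed at the CSR produced on UDM-base (the path shown in step 5) to confirm that a multi-word value was quoted correctly.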