How to generate a CSR code using Ubiquiti Unifi

  CSR generation instructions

To get an SSL certificate, a Certificate Signing Request (CSR) code is required.

On UniFi controller software, a CSR code is generated along with the default UniFi keystore. Follow these steps to generate the keystore:

Step 1: First, connect to the server where the controller is installed with the help of the appropriate command prompt.

    1. For Linux-based servers, multiple command prompt (SSH) applications exist. The most common one is Putty. There are versions of Putty for each server type, including Linux servers and Windows servers, as well as the multiple analogues for Android.
    2. For MacOS, use the Terminal application.
    3. For Windows servers, you can connect via remote desktop and use either cmd or PowerShell.

Note: Run all further commands with administrator rights (on Windows) or under the root or sudo user (on Linux/MacOS):

  1. To run commands with administrator rights on a Windows server, right-click on the program icon and choose the option Run as administrator. Alternatively, you can click Properties -> Compatibility -> Mark the optionRun this program as an administrator’ -> confirm (OK).
  2. On Linux-based systems, run sudo su – to set up the required access, or you can start each command with sudo.

Step 2: Generate the CSR code, using the following command:

java -jar *UniFi root*/lib/ace.jar new_cert “Company” “Location (city)” “State or province” “Country code”
(for Linux/Mac OS)


java -jar “*UniFi root*\lib\ace.jar” new_cert “Company” “Location (city)” “State or province” “Country code”
(for Windows)

    1. Type your actual domain or subdomain for UniFi (the certificate common name) instead of
      Use something like * for wildcard type certificate.
    2. Company: enter your company name. If you have an Organization or Extended Validation certificate, Certificate Authorities will verify the company information supplied in the CSR code. Domain Validation SSLs don’t have company information embedded into their code. If you are using a DV certificate and don’t have a company, you can just enter N/A.
    3. Location (city): enter your city or locality.
    4. State or province: enter your state or region.
    5. Country: enter the appropriate 2-letter country code from this list.

Important: If any of the CSR values have more than one word, put them in quotation marks (“). Otherwise, the second word will be moved to the value of the next field, which may invalidate the CSR. However, it should be noted that the server will not show an error message if this happens.

Note: The *UniFi root* depends on the system you have UniFi controller installed on:

  1. /usr/lib/unifi/ (for UniFi Cloud Key, Ubuntu, and other Debian-based Linux distributions);
  2. /opt/unifi/ (for CentOS, RedHat, Fedora, and other RHEL Linux distributions)’;
  3. ~/Library/Application Support/UniFi (for Mac OS);
    “%USERPROFILE%/Ubiquiti Unifi” or (which is the same) “C:\Users\*account username*\Ubiquiti UniFi” (for Windows).

Useful tip: Alternatively, open the UniFi root folder first, using the command cd *Unifi root*, and then run the CSR generation command in it. This way you won’t need to specify the full path in the command itself.

You will then receive two files: unifi_certificate.csr.pem and unifi_certificate.csr.der in the /*Unifi root*/data folder. The second file has different formatting and is not used normally.

The text code from the unifi_certificate.csr.pem file can be used for the SSL activation.

Important: Instead of a Private key, UniFi creates a keystore file named keystore in /*UniFi root*/data/ (or simply *UniFi root*  on some systems), to which you will only need to upload the certificate files after the issuance.

Step 3: To open the file and extract the text code, do one of the following:

  1. On Linux, you can use the command: cat /*UniFi root*/data/unifi_certificate.csr.pem
  2. On Mac OS, you can do the same, or go to the data subfolder -> right-click on the unifi_certificate.csr.pem file -> Open with -> choose TextEdit.
  3. On Windows, go to the data subfolder -> right-click on unifi_certificate.csr.pem-> Open with -> choose Notepad.
  4. Alternatively, you can just use the command:
    notepad “*UniFi root*/data/unifi_certificate.csr.pem


If you use the optionAuto-activateduring the SSL activation, this whole process can be skipped. However, it will require a specific installation process.

As a general rule, for UniFi on Windows theAuto-activateoption may be more convenient, while in other cases it is easier to use the CSR created on UniFi.

Generating a CSR on UDM-Pro

On UniFi Dream Machine Professional (UDM-Pro), you need to specify the controller hostname to prepare your server for SSL installation. 

To do this, please open the controller interface and specify the hostname for your UniFi admin page: Settings >> Controller Settings >> Advanced Configuration >> Enter the desired subdomain or domain and save the changes.

Please note that this will create a self-signed certificate and Private key file automatically. However, the certificate signing request (CSR) file will not be available for your use, you’ll just get a self-signed SSL installed on the server. 

Because you’ll need a CSR file to activate your trusted SSL, we recommend using one of the following options to generate it: our “Generate CSR in-browser” option available during SSL activation; an OpenSSL command; or generating the code in this online tool.