Ubiquiti Employee

Custom SSL Certificates in 3.8.1 and beyond


Importing custom certificates in UFV 3.8.1 or later (experimental)

 

NOTE: The UniFi Video Controller now utilizes separate certificates for browser connections and camera connections. So the instructions for installing a custom web application certificate have changed.

IF YOU’RE RUNNING A UFV VERSION PRIOR TO 3.8.0 AND HAVE ALREADY INSTALLED A CUSTOM CERTIFICATE

 

Remove the web application keystore/truststore files from the UniFi Video working directory (/usr/lib/unifi-video on Linux or C:\ProgramData\unifi-video on Windows) prior to upgrade. Specifically, remove:

 

  • data/keystore
  • data/ufv-truststore
  • conf/evostream/server.*

Then, update UFV and follow the instructions below.

IF YOU ARE INSTALLING A CUSTOM CERTIFICATE ON UNIFI VIDEO 3.8.1 FOR THE FIRST TIME (OR ARE REINSTALLING A CUSTOM CERT)

 

  1. Stop the unifi-video service
  2. Remove the keystore/truststore files from the UFV working directory (/usr/lib/unifi-video on Linux or C:\ProgramData\unifi-video on Windows):
    • data/keystore
    • data/ufv-truststore
    • conf/evostream/server.*
  3. Copy your key and cert files into the certificates folder under the UniFi Video working directory:
    • data/certificates/ufv-server.cert.der (X509 DER-encoded cert file)
    • data/certificates/ufv-server.key.der (RSA PKCS8 DER-encoded private key file)
  4. Linux only: Change the permissions for the newly created folder and files within:
    • chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
  5. In data/system.properties add this line:
    • ufv.custom.certs.enable=true
  6. Start the unifi-video service
    • When the controller detects that the ufv.custom.certs.enable flag is set and the cert/key files are present, it will load these into a new web application keystore instead of generating its own. The cert/key files in the certificates folder are removed once they have been imported into the keystore.
    • The unifi-video controller will now use your provided certificate and key for the web application

IF YOU’RE RUNNING UFV 3.8.0 OR NEWER AND HAVE ALREADY INSTALLED A CUSTOM CERTIFICATE

 

Note: While most camera operations will work when using a custom certificate for camera communication, it is not recommended - and may cause issues with later versions of UniFi Video.

 

  1. Unmanage all the cameras currently managed by the UniFi Video controller
    • UFV 3.8.0 cameras maintain a copy of the controller's certificate for mutual authentication. Managed cameras need to be unmanaged to remove the copy of the controller's certificate.
  2. Remove the camera connection certificate keystore:
    • data/cam-keystore
  3. Run through the IF YOU ARE INSTALLING A CUSTOM CERTIFICATE ON UNIFI VIDEO 3.8.1 FOR THE FIRST TIME (OR ARE REINSTALLING A CUSTOM CERT) process
  4. The unifi-video controller will generate a new self-signed cert for use by the camera connections and for mutual authentication
  5. Re-manage the cameras that were unmanaged in Step 1
    • The camera and controller will re-exchange certificates in order to re-establish mutual authentication

Please keep in mind that this is an experimental feature and thus may not work in 100% of scenarios. If you run into an issue, please search to see if someone else has run into this scenario and post on that thread if applicable. If you do not find a thread with similar symptoms, please post a new thread and we'll address it as best we can.


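The post asks for a DER-encoded X.509 certificate and a DER-encoded PKCS#8 RSA private key. The following is an added example, not part of the original post and not Ubiquiti code: it checks the byte layout of both files before they are copied into data/certificates, so a PEM file or a PKCS#1 key is caught before the service is restarted. The function names and the sample byte strings are constructed for illustration.

```python
# Added example, not UniFi Video code: structural pre-flight check for the files
# placed in data/certificates/. It reads the DER layout only; it does not verify
# signatures, expiry, or that the key belongs to the certificate.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def classify(data):
    """Name the container format from its first two inner elements."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, body, end = read_tlv(data)
        if tag != 0x30 or end != len(data):
            return "not-der"
        t1, _, nxt = read_tlv(body)
        t2, v2, _ = read_tlv(body, nxt)
        if (t1, t2) == (0x02, 0x30):  # version, AlgorithmIdentifier: PKCS#8
            t, oid, _ = read_tlv(v2)
            return "pkcs8-rsa" if (t, oid) == (0x06, RSA_OID) else "pkcs8-non-rsa"
    except ValueError:
        return "not-der"
    return {(0x02, 0x02): "pkcs1-rsa",        # version, modulus
            (0x30, 0x04): "pkcs8-encrypted",  # AlgorithmIdentifier, ciphertext
            (0x30, 0x30): "x509-cert"}.get((t1, t2), "unknown")

def preflight(cert_bytes, key_bytes):
    """Return problems found; an empty list means both files have the expected shape."""
    want = (("ufv-server.cert.der", cert_bytes, "x509-cert"),
            ("ufv-server.key.der", key_bytes, "pkcs8-rsa"))
    return [f"{name}: expected {exp}, got {classify(data)}"
            for name, data, exp in want if classify(data) != exp]

# Constructed skeletons (not real keys): just enough structure to classify.
SAMPLE_PKCS8 = bytes.fromhex("3016020100300d06092a864886f70d01010105000402aabb")
SAMPLE_PKCS1 = bytes.fromhex("3006020100020135")
```

To check real files, read each one in binary mode and pass the bytes to `preflight`; run it before starting the service, since the post notes the controller removes the files after importing them.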