This one was a bit of a pain. I’m assuming that you’ve generated the key, the CSR, sent that off to your CA (or signed it yourself), and received the certificate. You’ve also converted the certificate to DER format if necessary, since you’re familiar with openssl.

Here are the steps I had to go through to import the certificate and the key:

  1. Break out openssl and convert the certificate to PKCS12 format:

       openssl pkcs12 -export -in <signed server certificate> -inkey <private key> -CAfile <signing certificate> -out <PKCS12 certificate filename> -passout pass:aircontrolenterprise -caname root -name unifi

     The “name” parameter is important as that’ll be used in the keystore. Don’t think you can skip any of these parameters to save time, you’ll just get errors later on. It’s quite finicky.
  2. Back up the keystore – by default it is at /usr/lib/unifi/data/keystore – copy it to keystore.old or something like that.
  3. Import the key from your PKCS12 cert into the keystore (change directory to /usr/lib/unifi/ before running this command):

       keytool -importkeystore -srckeystore <PKCS12 certificate filename> -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore data/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts

  4. Import the certificates you prepared earlier in DER format:

       java -jar lib/ace.jar import_cert <signed server certificate> <signing certificate>

  5. Grab a beer because you’re all done
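
Since skipped or mismatched inputs only show up as errors later on, here is a pre-flight check to run before step 1, plus a check of the alias after step 3. This is an added example, not part of the original post or the UniFi tooling; the function names and the file names in the usage comment are hypothetical, and it assumes the key and certificates are PEM-encoded.

```shell
#!/bin/sh
# Added example: pre-flight checks for the import steps above.
# Assumes PEM-encoded key and certificates; file names are placeholders.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # key_matches_cert KEY CERT
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the server certificate verifies against the signing certificate.
cert_signed_by() {  # cert_signed_by CERT SIGNING_CERT
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Copy the keystore aside (step 2) and print the path of the backup.
backup_keystore() {  # backup_keystore KEYSTORE
    [ -f "$1" ] || { echo "no keystore at $1" >&2; return 1; }
    bak="$1.old.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && cmp -s "$1" "$bak" || return 1
    echo "$bak"
}

# Run all checks before touching the keystore; stop at the first failure.
preflight() {  # preflight KEY CERT SIGNING_CERT KEYSTORE
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2; return 1; }
    cert_signed_by "$2" "$3" || {
        echo "certificate does not verify against signing certificate" >&2
        return 1; }
    backup_keystore "$4"
}

# After step 3: confirm the keystore holds an entry under the alias from step 1.
alias_present() {  # alias_present KEYSTORE STOREPASS ALIAS
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage (placeholder file names):
#   cd /usr/lib/unifi
#   preflight server.key server.crt signing.crt data/keystore   # then steps 1, 3, 4
#   alias_present data/keystore aircontrolenterprise unifi
```

The PKCS12 file from step 1 contains the private key, so remove it once the import has been checked.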