making a symlink back in the user profile location makes it easy to do updates in the future. that way you don't have to copy the folder back and forth to the user profile location.
@@xcharg nope. the installer only looks in the user profile for the program. having the program in the user profile is incredibly short sighted of ubnt and against best practices for most any server piece of software.
Thanks! For those having issues with unable to import certificate to keystore: please make sure that the content of the certificate files are on 1 line only!
Great video, helped heaps. You can fix the bundle issue by re-issuing your certificate and selecting windows based machine, then you get all 4 cert files.
One of the tricks I found with installing the UniFi controller to a "better" location (I use C:\UniFi), put a hard link from where it originally installed under your user account to the real destination to make future updates go smoothly.
In order for this to work, you have to break out each cert from the bundle file into their own .crt files. You also have to make sure there are no whitespaces, the cert files should be one single long line, otherwise you will get a Unable to import the certificate into keystore" error.
Had the cert problem on my AWS controller, the work around for me was to download the Windows / Java Tomcat Server ones. It included all the certs I needed. The Apache one gave the .bundle files
Willie, thanks for another fantastic video. I am now good to go on this part of the SSL cert on my windows controller. I'm also using my controller to redirect guests to the guest portal, and I notice that the SSL cert is not applied to that function of the controller. Any idea how this is done?
"Unable to import the certificate into keystore" unifi version 5.10.20 installed on Windows server 2016. Tried everything. Using Godaddy Cert. Any suggestions? @willeHowe
I downloaded the comodo certs from comodo but they won't work. "Unable to import the certificate into the keystore" idk if cert problem or something else
With the ability to run Linux stuff on Windows by enabling the dev option, I wonder if it's possible to run the Linux controller on Windows and if it would be more stable than the native Windows version?
Got mine working. Had to make a new keystore and get my cert reissued following these steps... I recently had similar problems with replacing the self-signed SSL cert included with the Unifi software, but I was able to overcome them. This is the exact solution I used, and it worked for me. There were several clues on this thread that lead me to the solution. I am not trying to take credit for anyone elses work above, they just were complete enough for me in my situation so I thought others may be in the same boat. ***BACKUP YOUR UNIFI INSTALL BEFORE PROCEEDING*** 1. I'm running the controller on a Windows VM 2. I tried using the process defined in the Wiki to generate the CSR and import the CRT (and chain). Everything ran without error, so I restarted the controller software...leaving me unable to access the UI anymore at all. 3. I restored the %UNIFI_BASE%\data\keystore file from an earlier backup, restarted the controller software, and then the UI came back up with the old self-signed cert. 4. SOLUTION STARTS HERE 5. Download "Keystore Explorer" (like someone else here recommended). 6. Download "DigiCertUtil". 7. Run the DigiCert Util first, create a CSR and save it. 8. Use the CSR just created to go buy a legit cert. 9. Import your new cert into the DigiCert Util. 10. Export the cert, including the private key, using the "key file (Apache compatible format)" option. 11. Open up Keystore Explorer, and open up the "%UNIFI_BASE%\data\keystore" file. Use "aircontrolenterprise" as the password. 12. From the "Tools" menu, choose "Import Key Pair". The default option of PKCS #12 should be fine. OPEN SSL 13. Use "aircontrolenterprise" as the Decryption Password, and browse to the location of the file you created in Step 10. 14. When Prompted for a "New Key Pair Alias", change it to simply "unifi" and click OK. 15. You will be prompted to overwrite the existing alias. Go ahead and click "Yes". 16. From the File menu, choose Save. 17. Close Keystore Explorer 18. Restart the Unifi software 19. You should be all set now.
@@robertkoss1952 Thank you very much for these instructions. EXTREMELY helpful. I used the Open SSL option in step 12 and unchecked the "Encrypted private key" check box option to get it to import. Much appreciated!!
@@robertkoss1952 Does not work. At Step 13, it states "Could not load the PKCS #12 file" with details of "Could not load KeyStore as type 'PKCS12' Selecting Open SSL as someone else suggested requires you to pick a key and a cert. I picked my crt file doing it this way as the cert but the certificate is invalid and browser states NET::ERR_CERT_AUTHORITY_INVALID
I have a hosted Windows VM (that I don't pay for due to credits) and I have mine hosted on it. No spare Linux hosts unless I pay for one and I don't want it bundled up with something else...
For anyone getting 'Unable to import the certificate into keystore', it's because the certificates you're importing (that were provided from the CA) aren't in .DER format and java doesn't like it. The easiest way to resolve in Windows, is double click each .CRT file (from the ZIP you got) to import into Windows certificates console. Then, run mmc.exe, add Certificates snap-in, computer account, local computer, then browse to each of the certificates that you imported (open the cert to match the name if you need to confirm). The main cert will be under Personal \ Certificates, the others under trusted root or intermediate cert authorities nodes. For each certificate, right click, All Tasks and Export as a DER encoded binary file (I simply did each of mine as a.cer, b.cer, c.cer and so on) then go back to cmd prompt and run the same java command again to import the (exported) a.cer, b.cer c.cer etc DER encoded files.
Well thanks that got me closer. I had the certs in my Windows 10 computer, exported the wildcard cert and the three GoDaddy certs as .DER files and the import was successful. Unfortunately once I restarted the unifi controller it kept giving me an invalid response. I'm thinking that it does not support a wildcard cert. Once I rolled back the keystore, everything was back to what it was before, which was using the old certificate which has expired. @Willie Howe - any suggestions?
making a symlink back in the user profile location makes it easy to do updates in the future. that way you don't have to copy the folder back and forth to the user profile location.
wouldn't update process just work in program files folder?
@@xcharg nope. the installer only looks in the user profile for the program. having the program in the user profile is incredibly short sighted of ubnt and against best practices for most any server piece of software.
Thanks! For those having issues with unable to import certificate to keystore: please make sure that the content of the certificate files are on 1 line only!
What do you mean? Elaborate?
Great video, helped heaps. You can fix the bundle issue by re-issuing your certificate and selecting windows based machine, then you get all 4 cert files.
Great video, extremely helpful. Only difference I had was to remove the spaces at the end of each line and worked perfectly. Thanks for creating this.
did you need comodo files ?
One of the tricks I found with installing the UniFi controller to a "better" location (I use C:\UniFi), put a hard link from where it originally installed under your user account to the real destination to make future updates go smoothly.
Where can I get that comodo files?
Great to see the videos again. I am a convert of Windows Server content. Thanks my friend.
In order for this to work, you have to break out each cert from the bundle file into their own .crt files. You also have to make sure there are no whitespaces, the cert files should be one single long line, otherwise you will get a Unable to import the certificate into keystore" error.
Thank you!!
it was not help me . I get same error again each time
Had the cert problem on my AWS controller, the work around for me was to download the Windows / Java Tomcat Server ones. It included all the certs I needed. The Apache one gave the .bundle files
That was my thought too...
Love the intro before your real intro lol 😂
Willie, thanks for another fantastic video. I am now good to go on this part of the SSL cert on my windows controller.
I'm also using my controller to redirect guests to the guest portal, and I notice that the SSL cert is not applied to that function of the controller. Any idea how this is done?
thank you for forfilling my request for a few months back thank you willie :-)
"Unable to import the certificate into keystore" unifi version 5.10.20 installed on Windows server 2016. Tried everything. Using Godaddy Cert. Any suggestions? @willeHowe
Did you move it to Program Files for a reason?
I have my wildcard cert. But not from Comodo do i still use those comodo files?
I downloaded the comodo certs from comodo but they won't work. "Unable to import the certificate into the keystore" idk if cert problem or something else
With the ability to run Linux stuff on Windows by enabling the dev option, I wonder if it's possible to run the Linux controller on Windows and if it would be more stable than the native Windows version?
Where can i get those comodo files
I could not start the controller in the new location , could not find a file was the error, so restored it in users directory and it worked again.
Thanks, worked perfectly!
So helpful!!! Saved me lots of time and agony.
Willie will this work with Unifi Video?
Great video, can you please email the files and the file with the command you ran.
Thank you in advance
I have install controller on windows local machine. Is SSL work on local IP
Does anybody have a Solution for using Subject Alternative Names? It would be very nice because its only for internal use with a Cert from AD CS
Thanks, Willie - followed your steps and get an error "Unable to import certificate into keystore" - any idea whereto start troubleshooting that?
I am having the same issue on mine
Got mine working. Had to make a new keystore and get my cert reissued following these steps...
I recently had similar problems with replacing the self-signed SSL cert included with the Unifi software, but I was able to overcome them. This is the exact solution I used, and it worked for me. There were several clues on this thread that lead me to the solution. I am not trying to take credit for anyone elses work above, they just were complete enough for me in my situation so I thought others may be in the same boat.
***BACKUP YOUR UNIFI INSTALL BEFORE PROCEEDING***
1. I'm running the controller on a Windows VM
2. I tried using the process defined in the Wiki to generate the CSR and import the CRT (and chain). Everything ran without error, so I restarted the controller software...leaving me unable to access the UI anymore at all.
3. I restored the %UNIFI_BASE%\data\keystore file from an earlier backup, restarted the controller software, and then the UI came back up with the old self-signed cert.
4. SOLUTION STARTS HERE
5. Download "Keystore Explorer" (like someone else here recommended).
6. Download "DigiCertUtil".
7. Run the DigiCert Util first, create a CSR and save it.
8. Use the CSR just created to go buy a legit cert.
9. Import your new cert into the DigiCert Util.
10. Export the cert, including the private key, using the "key file (Apache compatible format)" option.
11. Open up Keystore Explorer, and open up the "%UNIFI_BASE%\data\keystore" file. Use "aircontrolenterprise" as the password.
12. From the "Tools" menu, choose "Import Key Pair". The default option of PKCS #12 should be fine. OPEN SSL
13. Use "aircontrolenterprise" as the Decryption Password, and browse to the location of the file you created in Step 10.
14. When Prompted for a "New Key Pair Alias", change it to simply "unifi" and click OK.
15. You will be prompted to overwrite the existing alias. Go ahead and click "Yes".
16. From the File menu, choose Save.
17. Close Keystore Explorer
18. Restart the Unifi software
19. You should be all set now.
@@robertkoss1952 This saved me! Had to do some additions but it's running now with a 2 year certificate.
@@robertkoss1952 Thank you very much for these instructions. EXTREMELY helpful. I used the Open SSL option in step 12 and unchecked the "Encrypted private key" check box option to get it to import. Much appreciated!!
@@robertkoss1952 Does not work. At Step 13, it states "Could not load the PKCS #12 file" with details of "Could not load KeyStore as type 'PKCS12'
Selecting Open SSL as someone else suggested requires you to pick a key and a cert. I picked my crt file doing it this way as the cert but the certificate is invalid and browser states NET::ERR_CERT_AUTHORITY_INVALID
Excelent! can you please send me those files?
Everything worked 100% no errors, the site still not loading with the SSL. Still using the self-signed cert from Unifi..any thoughts??
Have to write protect the file after you edit the keystore or it will overwrite with the default.
Any reason you are running the controller under Windows instead of a Linux distro?
I run It on windows too because It makes more sense since its an App Server
I have a hosted Windows VM (that I don't pay for due to credits) and I have mine hosted on it. No spare Linux hosts unless I pay for one and I don't want it bundled up with something else...
For anyone getting 'Unable to import the certificate into keystore', it's because the certificates you're importing (that were provided from the CA) aren't in .DER format and java doesn't like it. The easiest way to resolve in Windows, is double click each .CRT file (from the ZIP you got) to import into Windows certificates console. Then, run mmc.exe, add Certificates snap-in, computer account, local computer, then browse to each of the certificates that you imported (open the cert to match the name if you need to confirm). The main cert will be under Personal \ Certificates, the others under trusted root or intermediate cert authorities nodes. For each certificate, right click, All Tasks and Export as a DER encoded binary file (I simply did each of mine as a.cer, b.cer, c.cer and so on) then go back to cmd prompt and run the same java command again to import the (exported) a.cer, b.cer c.cer etc DER encoded files.
@@WillieHowe No. As I checked all that.
Well thanks that got me closer. I had the certs in my Windows 10 computer, exported the wildcard cert and the three GoDaddy certs as .DER files and the import was successful. Unfortunately once I restarted the unifi controller it kept giving me an invalid response. I'm thinking that it does not support a wildcard cert. Once I rolled back the keystore, everything was back to what it was before, which was using the old certificate which has expired.
@Willie Howe - any suggestions?
having the same problem, "unable to import the certificate into keystore"
Followed this to a T, installed correctly and get ERR_SSL_PROTOCOL_ERROR in chrome, any ideas?
Es porque no as movido tu crt a la carpeta /data una vez movido hay debes reiniciar unifi servicio
I follow this tutorial on Windows 10, but get "Unable to import the certificate into keystore"
Thanks to you i can sleep tonight :D
Thanks for this!
"Unable to import the certificate into keystore"
Can you send me the certificate files?
Great video
and also those commands you copy and pasted.
Good stuff
Please can you send me comodfiles. like the video i have been sent a bundle please
this video doesn't work .
Hi, could you please send me the "comodofiles" to my email ? Great videos. Thanks in advance.
@@WillieHowe Hi whats your email address? I want to request these Comodo files please
péssimo vídeo ! migrou algo que nem precisava !
ERROR! missing cert file for [USERTrust RSA Certification Authority]
"Unable to import the certificate into keystore"