Generate and Install SSL Certificates for UniFi UDM Pro with Local CA

Network Setup

  • Gateway: Dream Machine Pro (UniFi)
    • IP: 10.0.0.1 (fixed)
    • DNS Entry: gateway.example.net
  • Network Name: example.net
    • Subnet: 10.0.0.0/24 (configured under Settings > Networks)
  • Client Machine (example): Named "client1"
    • DNS Entry: client1.example.net
    • IP: 10.0.0.100 (fixed)
    • Runs Docker containers serving HTTPS (e.g., https://client1.example.net:1080)
  • DNS Configuration: Added under Settings > Routing > DNS for gateway.example.net and client1.example.net.
  • Current Issue: SSL certificates for https://gateway.example.net and https://client1.example.net:1080 are marked as 'unsafe' in Brave (on Linux, macOS, and mobile).
  • Certificate Creation Machine: Linux with Bluefin, an immutable operating system with pre-installed CLI tools and support for Homebrew and Flatpaks.
  • Editing Tool: Vim.
  • Dream Machine Pro Feature: Supports certificate uploads via Settings > Control Plane > Console > Certificates.

Understanding the Issue

HTTPS access without 'unsafe' warnings is needed across all local machines (e.g., gateway.example.net, client1.example.net).

Understanding the Goal

Creating a certificate with:

  • Common Name (CN): gateway.example.net (to satisfy the UDM Pro’s requirement).
  • Subject Alternative Name (SAN):
    • gateway.example.net (included for completeness),
    • *.example.net (wildcard for all subdomains),
    • example.net (the base domain).

This ensures the certificate is valid for the UDM Pro and versatile enough for other uses in the network.

Step-by-Step Tutorial

Step 1: Prerequisites

OpenSSL is used to generate certificates and is pre-installed on Bluefin. To confirm, run:

openssl version

If not available, install OpenSSL using Homebrew (brew install openssl) or run it in a container.

Step 2: Setting Up a Working Directory

Create a directory to store all certificate-related files:

mkdir ~/ca
cd ~/ca

Step 3: Set Up a Local Certificate Authority (CA)

To issue trusted certificates for the UDM Pro (e.g., gateway.example.net), a local CA needs to be created. This CA will sign the server certificate, and its certificate will be imported into Brave to establish trust.

Step 3.1: Creating the CA Private Key

  • Purpose: This private key will be used to sign certificates issued by the CA.
  • Command:
openssl genrsa -out ca.key 2048
  • This generates a 2048-bit RSA private key and saves it as ca.key.
  • Note: This file must be kept secure. It is critical for the CA’s security.

Step 3.2: Creating the CA Certificate

  • Purpose: This certificate acts as the root of trust for all certificates signed by the CA.
  • Command:
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=Local CA"
  • This creates a self-signed CA certificate (ca.crt), valid for 10 years (3650 days).
  • The Common Name (CN) is set to Local CA (customize as needed).
  • -x509: Indicates this is a self-signed certificate.
  • -nodes: Ensures the private key isn’t encrypted, simplifying the process.

Result: ca.key (the CA’s private key) and ca.crt (the CA’s certificate) are now available.

Step 4: Creating a Server Certificate for UDM Pro

Next, a certificate for the UDM Pro needs to be created and signed by the previously created CA. This certificate will be used for gateway.example.net.

4.1: Creating a Configuration File

  • Purpose: This file specifies the certificate details, including the hostname and additional names (SANs).
  • Action: Create a file named gateway_cert.conf with the following content:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = gateway.example.net

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = gateway.example.net
DNS.2 = *.example.net
DNS.3 = example.net

Explanation:

  • CN = gateway.example.net: Matches the UDM Pro’s hostname (the UDM Pro checks the CN when a certificate is uploaded).
  • SANs (subjectAltName): Browsers validate the hostname against the SAN list, not the CN, so every name the certificate must cover has to appear here. The wildcard *.example.net matches one label (e.g., client1.example.net) but not the bare domain, which is why example.net is listed separately as DNS.3.

4.2: Generating a Server Private Key and CSR

Command:

openssl req -new -newkey rsa:2048 -nodes -keyout gateway.key -out gateway.csr -config gateway_cert.conf
  • This generates:
    • gateway.key: The private key for the server.
    • gateway.csr: The Certificate Signing Request (CSR) based on gateway_cert.conf.
  • -nodes: Keeps the private key unencrypted for simplicity.

4.3: Signing the CSR with the Generated CA

Command:

openssl x509 -req -in gateway.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gateway.crt -days 365 -sha256 -extfile gateway_cert.conf -extensions req_ext
  • This signs the CSR using the CA certificate (ca.crt) and key (ca.key).
  • Outputs gateway.crt, the server certificate, valid for 1 year (365 days).
  • The -extfile and -extensions options ensure the SANs from gateway_cert.conf are included.

Result: gateway.key (server private key) and gateway.crt (server certificate) are now available.
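The following script is an added example, not part of the original gist: it runs Steps 3 and 4 in a temporary directory and then uses openssl itself to confirm that gateway.crt chains to ca.crt and that each hostname from the network setup is actually covered, before anything is uploaded to the UDM Pro. It assumes only that openssl (1.1.1 or newer, for the -ext option) is on the PATH; file names and the CA subject match the tutorial.

```shell
#!/bin/sh
# Added example (not from the gist): reproduce Steps 3-4 in a scratch directory
# and verify the issued certificate with openssl before uploading it.
# Assumes openssl 1.1.1+ on PATH; nothing is written to ~/ca.
set -eu

WORKDIR=$(mktemp -d)

issue_gateway_cert() {
    cd "$WORKDIR"
    # Step 3: local CA, same commands as the tutorial
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=Local CA"
    # Step 4.1: request configuration (written here instead of by hand in Vim)
    cat > gateway_cert.conf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = gateway.example.net
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = gateway.example.net
DNS.2 = *.example.net
DNS.3 = example.net
EOF
    # Steps 4.2 and 4.3: server key + CSR, then CA signing that carries the SANs over
    openssl req -new -newkey rsa:2048 -nodes -keyout gateway.key -out gateway.csr \
        -config gateway_cert.conf 2>/dev/null
    openssl x509 -req -in gateway.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out gateway.crt -days 365 -sha256 -extfile gateway_cert.conf -extensions req_ext 2>/dev/null
}

# Returns 0 only if gateway.crt chains to ca.crt AND is valid for hostname $1.
cert_valid_for() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" "$WORKDIR/gateway.crt" >/dev/null 2>&1
}

# Returns 0 if the SAN extension of gateway.crt contains the literal name $1.
san_present() {
    openssl x509 -in "$WORKDIR/gateway.crt" -noout -ext subjectAltName | grep -qF "$1"
}
```

Running cert_valid_for for gateway.example.net, client1.example.net and example.net shows whether each will pass hostname validation once ca.crt is trusted; a name outside the domain (or the apex if DNS.3 were removed) fails.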

Step 5: Uploading the Server Certificate to UDM Pro

Install the server certificate on the UDM Pro.

  1. Log into the UDM Pro web interface.
  2. Navigate to Settings > Control Plane > Console > Certificates.
  3. Click Add New.
  4. Fill in the fields:
    • Name: gateway.example.net
    • Certificate: Upload gateway.crt
    • Private Key: Upload gateway.key
  5. Save the changes.

The UDM Pro should accept this certificate because the Common Name (CN) matches its hostname.

Step 6: Importing the CA Certificate into Brave

To eliminate certificate warnings in Brave, the CA certificate (ca.crt)—not the server certificate (gateway.crt)—is imported into Brave’s trusted certificate store.

6.1: Accessing Brave’s Certificate Settings

  • Open Brave and go to brave://settings/certificates.
  • Switch to the Authorities tab (may appear as "Zertifizierungsstellen" if the browser is set to German).

6.2: Importing the CA Certificate

  • Click Import (or "Importieren").
  • Select ca.crt from the filesystem.
  • When prompted, check the box to trust this CA for identifying websites.

6.3: Verifying the Setup

  • Visit: https://gateway.example.net in Brave.
  • If everything is set up correctly, there should be no certificate warnings.

Summary of Files Generated

  • CA Files:
    • ca.key: CA private key (needs to be kept secure).
    • ca.crt: CA certificate (import into Brave and other devices).
  • Server Certificate Files:
    • gateway.key: Server private key (uploaded to UDM Pro).
    • gateway.csr: CSR (used during signing, can be deleted afterward).
    • gateway.crt: Server certificate (uploaded to UDM Pro).