October 24, 2021 15:16
Create your new CA
openssl genrsa -out ca.key 2048 # Generate new private key
openssl req -new -days 3650 -x509 -key ca.key -out ca.crt # Generate new public certificate
When anyone chooses to trust you, they have to import the public CA certificate (host it somewhere publicly accessible). It is valid for 10 years, so no stress here!
Install on UniFi Controller
Generate the CSR (on the controller)
java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>
Sign the CSR
openssl x509 -req -in unifi_certificate.csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out controller.crt # no -days given, so openssl x509 -req defaults to 30 days of validity; pass -days if you want it to live longer
MAKE SURE TO REMOVE ALL LINE BREAKS FROM THE CA AND CONTROLLER CERTIFICATES NOW! Otherwise the import simply does not work, because… Idk.
Reimport new CRT (on controller)
java -jar lib/ace.jar import_cert data/controller.crt data/ca.crt
Install on UniFi Gateway: FreeRadius
…needed for WPA2-Enterprise functionality!
Generate new private key
openssl genrsa -out radius.key 2048
Generate a new CRT
openssl req -new -key radius.key -out radius.csr
openssl x509 -req -days 365 -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out radius.crt
Convert your CRT to a PEM
openssl x509 -in radius.crt -out radius.pem -outform PEM
openssl x509 -in ca.crt -out ca.pem -outform PEM
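Before pushing either certificate anywhere, it is worth checking that it really chains to your CA and will not expire on you next month. The script below is an added example, not part of the original post: it rebuilds a throwaway CA and server certificate with the same openssl commands used above (made non-interactive with -subj; the file names and the unifi.example.test CN are made up for the demo) and then runs the two checks.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes openssl is in PATH.
# Everything is created in a temp dir that is removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a CA and a CA-signed server cert, mirroring the post's commands.
# $1 is the -days value for the server cert; note that the post's controller
# step omits -days, and openssl x509 -req then falls back to 30 days.
make_chain() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key" \
      -subj "/CN=Demo Root CA" -out "$WORK/ca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
      -subj "/CN=unifi.example.test" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days "$1" -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Does the server cert chain to our CA? Prints "ok" or "fail".
# This is the same check a client does when you hand it ca.crt to trust.
check_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Will the server cert still be valid $1 days from now? "valid" or "expiring".
check_lifetime() {
  if openssl x509 -in "$WORK/server.crt" -noout \
       -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1; then
    echo valid
  else
    echo expiring
  fi
}

# Stand-alone demo: a one-year cert chains fine and outlives 300 days.
make_chain 365
echo "chain: $(check_chain), valid in 300 days: $(check_lifetime 300)"
```

Run check_lifetime with 31 against a certificate signed without -days and you will see "expiring", which is the controller-cert surprise the comment above warns about.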
Push it to the gateway!
-> Upload the new certs and key to the /tmp dir, then run:
sudo bash
mv /tmp/radius.key /tmp/server.key
mv /tmp/radius.pem /tmp/server.pem
chmod -v 770 /tmp/ca.pem
chmod -v 770 /tmp/server.key # 770 is broader than a private key needs; once it is owned by freerad, a tighter mode such as 640 is enough for the daemon to read it
chmod -v 770 /tmp/server.pem
chown -v freerad: /tmp/ca.pem
chown -v freerad: /tmp/server.key
chown -v freerad: /tmp/server.pem
mv /tmp/ca.pem /etc/freeradius/certs/
mv /tmp/server.key /etc/freeradius/certs/
mv /tmp/server.pem /etc/freeradius/certs/
Finalize!
Restart FreeRadius to apply the new certificate:
service freeradius restart
Trust ROOT-CA on Ubuntu
sudo mkdir /usr/share/ca-certificates/extra
sudo cp ca.crt /usr/share/ca-certificates/extra/ca.crt
# update-ca-certificates only includes certs under /usr/share/ca-certificates that are listed in /etc/ca-certificates.conf, so add "extra/ca.crt" there (or run sudo dpkg-reconfigure ca-certificates) first; certs dropped into /usr/local/share/ca-certificates/ as *.crt are picked up without that step
sudo update-ca-certificates