Adding a custom HTTPS certificate to Unifi (Ubiquiti Controller)

Way that actually works

Copy over the .p12 file containing the private key (it doesn't need to be a legacy PKCS12 file, at least from what I've tried) and the certificate chain.

Export the private key to a PEM file:
openssl pkcs12 -in [inputKey.p12] -nocerts -out [privateKey.pem]
You must set a temporary password for the output file, otherwise openssl will not export it.

Then remove this temporary password:
openssl rsa -in [privateKey.pem] -out [privateKey.pem]

Create the certificate chain by concatenating (cat) the certificates together. You may need to manually edit this file so that the END CERTIFICATE line has 5 dashes (-) instead of 4 if you have Java 7, which is likely given what Unifi requires. Also make sure the certs use the standard PEM line formatting and aren't all on one line the way keytool wanted them, and that the BEGIN CERTIFICATE and END CERTIFICATE markers of each cert are on their own lines.

Import this private key and certificate chain into the keystore with ace.jar:
java -jar lib/ace.jar import_key_cert [privateKey.pem] [certChain.crt]

Restart unifi

Old way (which didn't work)

Export a PKCS12 Legacy certificate with no export password

Import into the existing keystore:
(in /usr/lib/unifi)
keytool -importkeystore -srckeystore ubiquiti-controller.uni.p12 -srcstorepass "" -storepass "aircontrolenterprise" -srcstoretype pkcs12 -srcalias 1 -destkeystore data/keystore -deststoretype jks -deststorepass aircontrolenterprise -destalias unifi

Add the intermediate cert (you can also add the root CA if you want to, but it shouldn't be required):
java -jar lib/ace.jar import_cert

Check whether it all got inserted:
keytool -list -v -keystore data/keystore -storepass "aircontrolenterprise"

You should see a private key entry under "Alias name: unifi", followed further down by the extra certificates you added.

Restart unifi

It seems that even if you get it right, unifi can simply decide it doesn't like the key and re-generate the keystore in pkcs12 format, which keytool then can't open!

Additional notes

You can't seem to migrate to a PKCS12 keystore, as the Java version that the Ubiquiti controller wants really doesn't like it. To see any issues that arise, look at the /usr/lib/unifi/logs/server.log file.

The private key must have the alias unifi.

If you get "/usr/lib/unifi/data/keystore (Permission denied)", the file probably has the wrong owner or permissions left over from wherever you edited it. It should be owned by unifi:unifi with permissions -rw-r----- (0640).