Way that actually works
Copy over the .p12 private key (doesn't need to be a legacy PKCS12 cert, at least from what I've tried) and certificate chain.
Export the private key to a PEM file: `openssl pkcs12 -in [inputKey.p12] -nocerts -out [privateKey.pem]`
You must set a temporary password for the output file otherwise openssl will not export it
Then remove this temporary password
openssl rsa -in [privateKey.pem] -out [privateKey.pem]
Create the certificate chain by `cat`ing the certificates together. (You may need to manually edit this file to have 5 dashes (`-`) instead of 4 on the END CERTIFICATE line if you have Java 7, which is likely due to Unifi. Also make sure that the certs have the standard new-line formatting and aren't just all on one line like `keytool` wanted, and also ensure that the BEGIN CERTIFICATE and END CERTIFICATE of each cert are correctly on new lines.)
Import this private key and certificate chain into the keystore with
java -jar lib/ace.jar import_key_cert [privateKey.pem] [certChain.crt]
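A checker for the chain-file formatting problems listed in the chain step above, added here as an example and not part of the original notes: it rewrites a concatenated chain so every BEGIN/END CERTIFICATE marker has five dashes on its own line and each body is wrapped at 64 characters. The function names and the sample data (constructed bytes, not real certificates) are assumptions.

```python
import base64
import re

# Accept markers that lost a dash (4 instead of 5) so they can be repaired.
MARKER = re.compile(r"-{4,5}(BEGIN|END) CERTIFICATE-{4,5}")


def normalize_chain(text):
    """Return (normalized_pem, cert_count); raise ValueError on a broken chain."""
    markers = list(MARKER.finditer(text))
    if not markers or len(markers) % 2:
        raise ValueError("missing or unbalanced BEGIN/END CERTIFICATE markers")
    out = []
    for n, (begin, end) in enumerate(zip(markers[0::2], markers[1::2]), 1):
        if (begin.group(1), end.group(1)) != ("BEGIN", "END"):
            raise ValueError(f"certificate {n}: BEGIN/END markers out of order")
        # Drop all whitespace so one-line and oddly wrapped bodies look the same.
        body = "".join(text[begin.end():end.start()].split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate {n}: body is not valid base64") from exc
        if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError(f"certificate {n}: decoded body is not DER")
        out.append("-----BEGIN CERTIFICATE-----")
        out.extend(body[i:i + 64] for i in range(0, len(body), 64))
        out.append("-----END CERTIFICATE-----")
    return "\n".join(out) + "\n", len(markers) // 2


def fake_cert(n):
    # Constructed stand-in bytes for the demo, not a real certificate.
    return base64.b64encode(b"\x30\x82" + bytes(range(n))).decode()


# Constructed input: first cert on one line with a 4-dash END marker,
# second cert already laid out correctly.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----" + fake_cert(100) + "-----END CERTIFICATE----\n"
    "-----BEGIN CERTIFICATE-----\n" + fake_cert(40) + "\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pem, count = normalize_chain(SAMPLE)
    print(f"{count} certificates\n{pem}", end="")
```

Text outside the BEGIN/END blocks is dropped, so the output contains only the certificate blocks and can be written to [certChain.crt] before the import step.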
Old way (which didn't work)
Export a PKCS12 Legacy certificate with no export password
import into the existing keychain:
keytool -importkeystore -srckeystore ubiquiti-controller.uni.p12 -srcstorepass "" -storepass "aircontrolenterprise" -srcstoretype pkcs12 -srcalias 1 -destkeystore data/keystore -deststoretype jks -deststorepass aircontrolenterprise -destalias unifi
add intermediate cert (and you can also add root CA if you want to, but shouldn't be required)
java -jar lib/ace.jar import_cert
Check whether it all got inserted:
keytool -list -v -keystore data/keystore -storepass "aircontrolenterprise"
You should have a private key under `Alias name: unifi`, and then later on some extra certificates you added.
It seems even if you get it right, unifi can just decide it didn't like the key and re-generate the keystore in pkcs12 format, which keytool can't open!
You can't seem to migrate to a PKCS12 keystore as the Java version that the Ubiquiti controller wants really doesn't like it. To see any issues that arise, look at the
The private key must have the alias
If you get a `java.io.FileNotFoundException: /usr/lib/unifi/data/keystore (Permission denied)` you've probably got the wrong permissions / owner on the file from where you edited it. It should be owned by `unifi:unifi` with permissions