The UniFi USG ships with a default TLS certificate, which should be good enough for most people. If you need to replace it for some reason, you can use the following steps.
Create a new keypair and store it as /config/auth/server.pem, with both the private and public parts stored in this file. If you want to create a self-signed certificate, you can use the following procedure.
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 3650
cat server.key server.crt > server.pem
chmod 400 server.pem
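Before pointing the web server at the file, it helps to confirm that server.pem really holds a matching key and certificate and is not readable by other users. The check below is an added example, not part of the original article; check_server_pem is a hypothetical helper name and its return codes are this example's own convention.

```shell
# Added example: validate a combined key + certificate PEM file.
# check_server_pem is a hypothetical helper, not a USG or openssl command.
# Returns: 0 ok, 1 no private key, 2 no certificate, 3 key/cert mismatch,
#          4 certificate expired or expiring within 24h, 5 loose permissions.
check_server_pem() {
    pem="$1"

    # The file must contain both parts: an unencrypted private key and a certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || {
        echo "no private key in $pem" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || {
        echo "no certificate in $pem" >&2; return 2; }

    # Derive the public key from the private key and from the certificate.
    # If they differ, the certificate was issued for another key.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || return 3
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$crt_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null 2>&1 || {
        echo "certificate is expired or expires within 24 hours" >&2; return 4; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # the file holds a private key, so all six must be unset.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$pem is accessible by group or others" >&2; return 5; }

    return 0
}
```

Run it as check_server_pem server.pem on the machine where the file was created; a non-zero return code says which part of the file needs attention.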
After installing the certificate, we need to tell the web server to use it, which can be done with the following commands.
set service gui cert-file /config/auth/server.pem
This configuration will only hold until the next time the USG is provisioned. Add the following to config.gateway.json for it to be persistent. See this article for more information about how to use