Assertion failed

Jul 31, 2019

Changing TLS certificate on an USG

The unifi USG ships with a default TLS certificate which should be good enough for most people, but if you need to replace it for some reason you can use the following steps to achieve it.

Create a new keypair and and store it as /config/auth/server.pem with both the private and public part stored in this file. If you want to create a self signed certificate you can use the following procedure.

sudo -i
cd /config/auth
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 3650
cat server.key server.crt > server.pem
chmod 400 server.pem

After installing the certificate we need to tell the web server to use it. Which can be done with the following commands.

set service gui cert-file /config/auth/server.pem

This configuration will only hold until the next time the USG is provisioned, add the following to config.gateway.json for it to be persistent. See this article for more information about how to use config.gateway.json.

    "service": {
        "gui": {
            "cert-file": "/config/auth/server.pem"