Assertion failed

Jul 31, 2019

Changing the TLS certificate on a USG

The UniFi USG ships with a default TLS certificate, which should be good enough for most people, but if you need to replace it for some reason, you can use the following steps.

Create a new keypair and store it as /config/auth/server.pem, with both the private and public parts (key and certificate) stored in this file. If you want to create a self-signed certificate, you can use the following procedure.

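sudo -i
cd /config/auth
# Self-signed certificate valid for 3650 days; -nodes leaves the private key unencrypted
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 3650
# Combine private key and certificate into the single file the GUI will load
cat server.key server.crt > server.pem
# Owner read-only; server.key is a second copy of the private key and needs the same care
chmod 400 server.pem
exit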

After installing the certificate, we need to tell the web server to use it, which can be done with the following commands.

configure
set service gui cert-file /config/auth/server.pem
commit
save
exit

This configuration will only hold until the next time the USG is provisioned. To make it persistent, add the following to config.gateway.json. See this article for more information about how to use config.gateway.json.

{
    "service": {
        "gui": {
            "cert-file": "/config/auth/server.pem"
        }
    }
}
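A check worth running on /config/auth/server.pem before committing the cert-file setting, as an added example that is not part of the original post: it confirms the file is closed to group and other, contains both a private key and a certificate, that the two belong together, and that the certificate has not expired. The function names are my own, and make_pem is a hypothetical helper that builds a throwaway keypair with a constructed CN for trying the check out.

```shell
#!/bin/sh
# Added example: sanity-check a combined key+certificate PEM before the GUI uses it.

# check_gui_pem FILE -> returns 0 if FILE looks usable as cert-file, non-zero otherwise.
check_gui_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # The file holds the private key: group and other must have no access.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] ||
        { echo "$pem is accessible to group/other" >&2; return 2; }

    # Both parts must be present and parseable.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "no usable private key in $pem" >&2; return 3; }
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "no usable certificate in $pem" >&2; return 4; }

    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "private key and certificate do not match" >&2; return 5; }

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 6; }
    return 0
}

# make_pem DIR NAME: hypothetical helper, writes a constructed throwaway
# keypair (NAME.key, NAME.crt) without prompting for the subject fields.
make_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" -days 1 2>/dev/null
}

# When called with a path, check that file, e.g. /config/auth/server.pem
if [ "$#" -gt 0 ]; then
    check_gui_pem "$1"
fi
```

A non-zero return code identifies which check failed, so the script can gate the configure/commit step.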