thimslugga · October 27, 2025 12:57
diff --git a/unifi-ssl.sh b/unifi-ssl.sh
 #!/bin/bash

 # Define variables for the certificate
 COUNTRY="US"
 STATE="NY"
 CITY="New York"
 ORGANIZATION=""  # If there is no organization, just keep this empty
 COMMON_NAME="192.168.1.1"  # Common Name - usually the IP or domain name
 IP_ADDRESS="192.168.1.1"  # Used in subjectAltName

 # Define the directory where we'll be working and the final destination directory
 WORKDIR="/tmp/ssl-workdir"
 DESTDIR="/ssd1/.data/unifi-core/config"

 # Create a working directory
 mkdir -p "$WORKDIR"

 # Navigate to the working directory
 pushd "$WORKDIR"

 # Generate ssl-extensions-x509.cnf file with variable for IP
 cat > ssl-extensions-x509.cnf <<EOF
 [v3_ca]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment
 subjectAltName = IP:$IP_ADDRESS
 EOF

 # Generate a private key
 openssl genrsa -out key.pem 2048

 # Generate a CSR with variables replacing the specifics of each install
 openssl req -new -sha256 -key key.pem -out csr.csr -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME"

 # Generate x509 certificate
 openssl x509 -req -days 365 -in csr.csr -extfile ssl-extensions-x509.cnf -extensions v3_ca -signkey key.pem -out unifi-core.crt

 # Extract key from key.pem file
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out unifi-core.key

 # Rename existing files (if they exist)
 mv "$DESTDIR/unifi-core.key" "$DESTDIR/unifi-core.key.bak" 2>/dev/null
 mv "$DESTDIR/unifi-core.crt" "$DESTDIR/unifi-core.crt.bak" 2>/dev/null

 # Copy everything to the destination directory
 cp unifi-core.crt "$DESTDIR/"
 cp unifi-core.key "$DESTDIR/"
 cp unifi-core.crt "/root/unifi-core.crt"  # this seems to be an additional step, copying the certificate to the /root directory

 # Navigate out of the working directory
 popd

 # Remove the working directory
 rm -rf "$WORKDIR"

 # Provide instructions for next steps
 echo "Manual step required: Install the .crt file on your client device into Trusted Root Certification Authorities > Certificates"

 # Restart the service
 systemctl restart unifi-core

 echo "Process completed."
	#!/bin/bash

	# Define variables for the certificate
	COUNTRY="US"
	STATE="NY"
	CITY="New York"
	ORGANIZATION="" # If there is no organization, just keep this empty
	COMMON_NAME="192.168.1.1" # Common Name - usually the IP or domain name
	IP_ADDRESS="192.168.1.1" # Used in subjectAltName

	# Define the directory where we'll be working and the final destination directory
	WORKDIR="/tmp/ssl-workdir"
	DESTDIR="/ssd1/.data/unifi-core/config"

	# Create a working directory
	mkdir -p "$WORKDIR"

	# Navigate to the working directory
	pushd "$WORKDIR"

	# Generate ssl-extensions-x509.cnf file with variable for IP
	cat > ssl-extensions-x509.cnf <<EOF
	[v3_ca]
	basicConstraints = CA:FALSE
	keyUsage = digitalSignature, keyEncipherment
	subjectAltName = IP:$IP_ADDRESS
	EOF

	# Generate a private key
	openssl genrsa -out key.pem 2048

	# Generate a CSR with variables replacing the specifics of each install
	openssl req -new -sha256 -key key.pem -out csr.csr -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME"

	# Generate x509 certificate
	openssl x509 -req -days 365 -in csr.csr -extfile ssl-extensions-x509.cnf -extensions v3_ca -signkey key.pem -out unifi-core.crt

	# Extract key from key.pem file
	openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out unifi-core.key

	# Rename existing files (if they exist)
	mv "$DESTDIR/unifi-core.key" "$DESTDIR/unifi-core.key.bak" 2>/dev/null
	mv "$DESTDIR/unifi-core.crt" "$DESTDIR/unifi-core.crt.bak" 2>/dev/null

	# Copy everything to the destination directory
	cp unifi-core.crt "$DESTDIR/"
	cp unifi-core.key "$DESTDIR/"
	cp unifi-core.crt "/root/unifi-core.crt" # this seems to be an additional step, copying the certificate to the /root directory

	# Navigate out of the working directory
	popd

	# Remove the working directory
	rm -rf "$WORKDIR"

	# Provide instructions for next steps
	echo "Manual step required: Install the .crt file on your client device into Trusted Root Certification Authorities > Certificates"

	# Restart the service
	systemctl restart unifi-core

	echo "Process completed."