Encrypting Ubiquiti NVR, Part 2

We previously covered how to install custom certificates in the UniFi Video system and the UniFi controller. After unifi-video version 3.8 there was a new way of installing custom SSL certs, and using the old method broke video streaming.

How to add a custom SSL certificate to Ubiquiti Video System (Ubuntu)
REVISION: 01
DATE: 01/03/2019

AUTHOR: AANDERSON

(You must already have your certificate and key files. This doc does not cover those steps. This is just for cert/key installation)

WHY: IF YOU ARE INSTALLING A CUSTOM CERTIFICATE ON UNIFI VIDEO 3.8.1 or later FOR THE FIRST TIME (OR ARE REINSTALLING A CUSTOM CERT)
URL: https://community.ubnt.com/t5/UniFi-Video/Custom-SSL-Certificates-in-3-8-1-and-beyond/td-p/2089043

0. WORKING DIRECTORIES /usr/lib/unifi-video & /usr/lib/unifi-video/data (/usr/lib/unifi-video/data -> /var/lib/unifi-video)
0. INITIAL CERT DIRECTORY /etc/ssl/private/unifi-video (Upload your .crt & .key files here)

####################################################################################
1. Stop the unifi-video service
# service unifi-video stop

2. Back up & remove the keystore/truststore files from the ufv working directory (/usr/lib/unifi-video on Linux). Moving them into a backup folder does both.
# mkdir /usr/lib/unifi-video/data/OEM-BACKUP
# mv /usr/lib/unifi-video/data/keystore /usr/lib/unifi-video/data/OEM-BACKUP/keystore
# mv /usr/lib/unifi-video/data/ufv-truststore /usr/lib/unifi-video/data/OEM-BACKUP/ufv-truststore
# mkdir /usr/lib/unifi-video/conf/OEM-BACKUP
# mv /usr/lib/unifi-video/conf/evostream/server.* /usr/lib/unifi-video/conf/OEM-BACKUP/

3. Convert your PEM .crt and .key files to DER format
# cd /etc/ssl/private/unifi-video/
# openssl x509 -in DOMAIN.crt -inform PEM -out DOMAIN.crt.der -outform DER
# openssl pkcs8 -topk8 -inform PEM -outform DER -in DOMAIN.key -out DOMAIN.key.der -nocrypt

4. Copy your key and cert files into the certificates folder under the UniFi Video working directory (ufv-server.cert.der is the X509 DER-encoded cert file, ufv-server.key.der is the RSA PKCS8 DER-encoded private key file):
# mkdir /usr/lib/unifi-video/data/certificates
# cp DOMAIN.crt.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
# cp DOMAIN.key.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der

5. Linux only: Change the ownership of the newly created folder and the files within:
# chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates

6. Adjust system.properties to add this line to the end: ufv.custom.certs.enable=true
# nano /usr/lib/unifi-video/data/system.properties

7. Start the unifi-video service
# service unifi-video start

INFO: When the controller detects that the ufv.custom.certs.enable flag is set and the cert/key files are present, it loads them into a new web application keystore instead of generating its own. The cert/key files in the certificates folder are removed once they have been imported into the keystore.
The unifi-video controller will now use your provided certificate and key for the web application.

TROUBLESHOOTING: Review the server log file at /var/log/unifi-video/server.log
If you botched the cert you will see something about wrong format. Pay attention to step 3! It's critical.
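
One way to catch the "wrong format" problem before starting the service, as an added example that is not part of the original doc: the function below checks that the step 3 output files are a DER X509 certificate and an unencrypted PKCS8 DER key, and that the key belongs to the certificate. The name check_ufv_pair and its return codes are this example's own, not part of UniFi Video.

```shell
#!/bin/sh
# Added example (not from the original doc): pre-flight check of the
# files produced in step 3. check_ufv_pair and its return codes are
# hypothetical names chosen for this example.
#
# Usage: check_ufv_pair DOMAIN.crt.der DOMAIN.key.der
#   0 = cert and key are well-formed and belong together
#   1 = cert file is not a DER-encoded X509 certificate
#   2 = key file is not an unencrypted PKCS8 DER private key
#   3 = both parse, but the key does not match the certificate
check_ufv_pair() {
    _cert=$1
    _key=$2

    # Reject a PEM file explicitly rather than relying on -inform DER
    # to refuse it.
    if grep -q -- '-----BEGIN' "$_cert" 2>/dev/null; then return 1; fi

    # The certificate must parse as DER; keep its public key for the
    # comparison below.
    _cert_pub=$(openssl x509 -inform DER -in "$_cert" -noout -pubkey 2>/dev/null) || return 1

    # The key must parse as unencrypted PKCS8 DER. A PEM file or a
    # traditional (PKCS1) RSA key fails here. Output goes to /dev/null
    # so the private key never reaches the terminal.
    openssl pkcs8 -inform DER -nocrypt -in "$_key" -out /dev/null 2>/dev/null || return 2

    # Derive the public key from the private key and compare it with
    # the one embedded in the certificate.
    _key_pub=$(openssl pkey -inform DER -in "$_key" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ] || return 3
    return 0
}

# When called with two file arguments, run the check and report.
if [ "$#" -eq 2 ]; then
    rc=0
    check_ufv_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: DER cert and PKCS8 key match" ;;
        1) echo "FAIL: $1 is not a DER X509 certificate" ;;
        2) echo "FAIL: $2 is not an unencrypted PKCS8 DER key" ;;
        3) echo "FAIL: key does not belong to certificate" ;;
    esac
    exit "$rc"
fi
```

Run it in /etc/ssl/private/unifi-video after step 3 and before copying the files in step 4.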