This article is written by Server Management Inc. IT systems administrator Timo Puistaja - 20.12.2016, Tartu, Estonia.
Ubiquiti UniFi is a set of enterprise wireless solutions, including access points in Edu, LongRange, Lite and Pro versions.
For management there are several options: the downloadable Controller software (Windows/Linux/Mac), or the CloudKey, a small device that runs the Controller and has its own management interface.
UniFi devices are meant for building large corporate networks with multiple sites. In this tutorial we show the basic steps to prepare for centralized Wi-Fi management of multiple sites across the EU or the world.
UniFi devices support L2 (LAN) and L3 (WAN) management/adoption.
In this article we are preparing our CloudKey to manage APs in different countries across the EU. Our goal is a proper domain name, unifi.mydomain.com, with a proper wildcard SSL certificate, and access/management of the Wi-Fi through it.
Before continuing, let's make sure we understand the product names:
UniFi Controller - the web application/service that manages all Wi-Fi APs and sites centrally in one place. The Controller software can be installed on Linux, Windows or Mac, or you can buy a CloudKey with the Controller preinstalled and ready to use.
UniFi CloudKey - a device that already runs the UniFi Controller. The CK also has a management interface for the CloudKey itself: firmware updates, static IP, Controller updates, etc.
The CloudKey can be powered via Micro-USB (minimum 2 A) or PoE.
Just add power and connect the CK to your LAN with an Ethernet cable.
Check on your DHCP server which IP it got and type that IP into your web browser - you are ready for the initial setup!
Set a static IP for your CK, either as a reservation on the DHCP server or from the CK management interface.
Now you are ready to manage/adopt your APs on the local network - that is L2 adoption (only devices in your local subnet can be managed).
To access your Controller from public networks or to do L3 adoption, you need to know the basics of port forwarding (firewalls) and the domain name system. Keep in mind that anything you forward becomes reachable from the whole Internet, so restrict the management port to the source addresses of your sites wherever your firewall allows it.
Prerequisites for WAN access to controller using domain name:
By default, the UniFi Controller will operate on the following ports:
Here is a little picture showing how port forwarding with the CloudKey should work:
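The following script is an added example of the port-forwarding step and is not part of the original article. It generates iptables DNAT/FORWARD rules on a Linux firewall in front of the CloudKey: the device inform port (8080/tcp) and STUN (3478/udp), which every remote AP needs for L3 adoption, are opened to everyone, while the HTTPS management UI (8443/tcp) is only forwarded for the listed source networks. The CloudKey address, WAN interface name and the admin source ranges are placeholders (the ranges are RFC 5737 documentation addresses); the port numbers are Ubiquiti's stock Controller defaults. The rules are emitted as text first so they can be reviewed, and only applied with `--apply`.

```shell
#!/bin/sh
# Added example, not from the original article: forward the UniFi Controller
# ports to the CloudKey with iptables, restricting the management UI by source.
# Placeholders (assumptions): CK_IP, WAN_IF and ADMIN_SOURCES below.
CK_IP="${CK_IP:-192.168.1.10}"        # static LAN address of the CloudKey
WAN_IF="${WAN_IF:-eth0}"              # Internet-facing interface of the firewall
ADMIN_SOURCES="${ADMIN_SOURCES:-203.0.113.0/24 198.51.100.0/24}"  # your sites' public ranges

# Default UniFi Controller ports:
#   8080/tcp  device inform (remote APs; needed for L3 adoption)
#   3478/udp  STUN (remote APs)
#   8443/tcp  HTTPS management UI (admins only; ideally behind a VPN instead)
#   10001/udp discovery is L2-only and is NOT forwarded.
DEVICE_PORTS="8080/tcp 3478/udp"
ADMIN_PORTS="8443/tcp"

# Print the iptables commands instead of running them, so they can be reviewed.
build_rules() {
  for spec in $DEVICE_PORTS; do
    port=${spec%/*}; proto=${spec#*/}
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $CK_IP:$port"
    echo "iptables -A FORWARD -i $WAN_IF -p $proto -d $CK_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  for spec in $ADMIN_PORTS; do
    port=${spec%/*}; proto=${spec#*/}
    for src in $ADMIN_SOURCES; do
      echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p $proto --dport $port -j DNAT --to-destination $CK_IP:$port"
      echo "iptables -A FORWARD -i $WAN_IF -s $src -p $proto -d $CK_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
  done
  # Replies for already-accepted connections.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules that would be applied (handy for a sanity check).
count_rules() { build_rules | wc -l | tr -d ' '; }

# Execute the generated rules; stops at the first failing iptables call.
apply_rules() { build_rules | sh -e; }

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  build_rules
fi
```

After the rules are in place, a remote AP is pointed at the Controller over SSH with `set-inform http://unifi.mydomain.com:8080/inform`, which is why 8080/tcp must be reachable from every site; the FORWARD rules assume the firewall's default FORWARD policy is DROP.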
The downloadable UniFi Controller and the CloudKey both ship with a self-signed certificate. We want our own trusted SSL certificate on the Controller: with the self-signed one, browsers opening unifi.mydomain.com warn that the certificate is not trusted and may be harmful. We have a wildcard SSL certificate from Comodo, so we install it on the CloudKey to get a secured, green HTTPS://unifi.mydomain.com address in our browsers.
If you want to use a free Let's Encrypt certificate instead, this is the tutorial for you!
We ordered a wildcard (*.mydomain.com) SSL certificate from Comodo and received these files:
So we have a signed .crt and the matching .key that we are going to use. Keep the CA's intermediate (chain) certificate at hand as well: without it some browsers will still not trust the site even though the leaf certificate is signed.
Wildcard certificates work the same way as a regular SSL certificate, securing the connection between your website and your customer's browser, with one major advantage: a single wildcard certificate covers all first-level subdomains of your main domain (*.mydomain.com covers unifi.mydomain.com, but not mydomain.com itself or a.b.mydomain.com).
PS! The UniFi Controller uses the Java keytool to manage certificates - Java Keytool Essentials: Working with Java Keystores
The certificates are located on the CloudKey in the folder /etc/ssl/private.
Those files won't be touched during a firmware upgrade, but they will be removed if you reset the UniFi CloudKey to factory defaults, so keep a copy of everything you put there.
Now your unifi.keystore.jks file contains your own certificate and is ready to be uploaded to the CK.
Rename all the files as the CloudKey expects them and regenerate cert.tar. In my case:
Generate the new cert.tar:
If it works, you now have your signed and trusted SSL certificate and the HTTPS:// page is solid green. Browsers trust your web page = profit.
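The script below is an added example of the whole certificate procedure and is not the article's own commands. It checks that the certificate and private key belong together, bundles them (plus the optional CA chain) into a PKCS12 file with openssl, imports that into a fresh unifi.keystore.jks with keytool, copies the files into /etc/ssl/private, repacks cert.tar and restarts the services. Assumptions not stated on the page: the stock UniFi keystore password is `aircontrolenterprise` and the alias is `unifi`; the CloudKey files are named cloudkey.crt, cloudkey.key, unifi.keystore.jks and cert.tar; nginx serves the CK management interface from cloudkey.crt/cloudkey.key; and `service nginx` / `service unifi` are the restart commands. Check these against your own CloudKey before running it with `--install`.

```shell
#!/bin/sh
# Added example, not from the original article: install a CA-signed wildcard
# certificate into the UniFi keystore on a CloudKey and rebuild cert.tar.
# Assumptions: keystore password "aircontrolenterprise", alias "unifi",
# file names cloudkey.crt/cloudkey.key/unifi.keystore.jks/cert.tar.
set -u
KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"   # assumed stock password
CERT_DIR="${CERT_DIR:-/etc/ssl/private}"                 # location named in the article

# Return 0 if the certificate's public key equals the private key's public key.
# Usage: cert_matches_key CERT.pem KEY.pem
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256) || return 1
  [ "$c" = "$k" ]
}

# Build a PKCS12 bundle (with the CA chain if given) and import it into a new
# JKS keystore under alias "unifi".  Usage: build_keystore CERT KEY OUT.jks [CHAIN]
build_keystore() {
  chain_opt=""
  [ -n "${4:-}" ] && chain_opt="-certfile $4"
  openssl pkcs12 -export -in "$1" -inkey "$2" $chain_opt \
      -name unifi -passout "pass:$KEYSTORE_PASS" -out "$3.p12" || return 1
  rm -f "$3"
  keytool -importkeystore -noprompt \
      -srckeystore "$3.p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
      -destkeystore "$3" -deststoretype JKS -deststorepass "$KEYSTORE_PASS" \
      -srcalias unifi -destalias unifi || return 1
  rm -f "$3.p12"
}

# Return 0 if the keystore holds a private-key entry under alias "unifi".
keystore_has_unifi_key() {
  keytool -list -keystore "$1" -storepass "$KEYSTORE_PASS" 2>/dev/null \
    | grep -q '^unifi,.*PrivateKeyEntry'
}

# Full CloudKey procedure.  Usage: install_on_cloudkey CERT KEY [CHAIN]
install_on_cloudkey() {
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  # Back up the current keystore: a factory reset wipes the directory anyway,
  # but a bad import should not cost you the working one.
  cp "$CERT_DIR/unifi.keystore.jks" "$CERT_DIR/unifi.keystore.jks.bak.$(date +%s)" 2>/dev/null
  cp "$1" "$CERT_DIR/cloudkey.crt" || return 1
  cp "$2" "$CERT_DIR/cloudkey.key" || return 1
  chmod 600 "$CERT_DIR/cloudkey.key"
  build_keystore "$1" "$2" "$CERT_DIR/unifi.keystore.jks" "${3:-}" || return 1
  keystore_has_unifi_key "$CERT_DIR/unifi.keystore.jks" || return 1
  (cd "$CERT_DIR" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks) || return 1
  service nginx restart && service unifi restart
}

if [ "${1:-}" = "--install" ]; then
  shift
  install_on_cloudkey "$@"
fi
```

Run it as `sh install-cert.sh --install star_mydomain_com.crt star_mydomain_com.key ca-bundle.crt` on the CloudKey. The key-match check at the start is what catches the common mistake of pairing a renewed certificate with last year's key, which otherwise only shows up as a Controller that refuses to start.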