Installing an Internal Root & Intermediate Certificate Authority on a UniFi UDM-SE
⚠️ Disclaimer: This guide is based on a real-world lab + production-adjacent setup. UniFi does not officially support full custom PKI integration on UDM devices, so proceed carefully and test in a non-critical environment first.
This is how to install and trust an internal Root CA and Intermediate CA on a UniFi Dream Machine SE (UDM-SE). Yes, I did this. I do not talk about anything on this site that I have not tested and used myself.
Why do this?
If you're running your own PKI (which you should if you're serious about infrastructure security), this allows you to:
- Eliminate browser/security warnings for internal services (on clients that also trust the same Root CA)
- Secure internal HTTPS endpoints (UniFi, PBX, apps, etc.)
- Let the UDM itself validate TLS connections to internal services against your PKI, instead of skipping verification
- Build toward Zero Trust architecture
Architecture
Your PKI should look like this:
Root CA (offline)
↓
Intermediate CA (online)
↓
Issued Certificates (servers, services, devices)
The goal is to make the UDM-SE trust your Root + Intermediate chain.
Prerequisites
- Root CA certificate
- Intermediate CA certificate
- SSH access to UDM-SE
- Root access (root user)
- Basic Linux knowledge
Step 1 — SSH into the UDM-SE
Enable SSH in UniFi OS:
Settings → Control Plane → Console → Enable SSH
Then connect:
ssh root@<UDM-IP>
Step 2 — Locate the System CA Store
UniFi OS is Debian-based and uses the standard ca-certificates tooling. Locally added CAs go in:
/usr/local/share/ca-certificates/
update-ca-certificates reads this directory (the distribution's own anchors live in /usr/share/ca-certificates/) and writes the merged bundle to /etc/ssl/certs/ca-certificates.crt. Do not edit the bundle by hand; place your .crt files here instead.
Step 3 — Upload Your Certificates
From your local machine:
scp rootCA.crt root@<UDM-IP>:/usr/local/share/ca-certificates/
scp intermediateCA.crt root@<UDM-IP>:/usr/local/share/ca-certificates/
Make sure each file is PEM encoded and keeps the .crt extension: update-ca-certificates only picks up *.crt files from this directory and silently ignores .pem or .cer.
Step 4 — Update the Certificate Store
Run:
update-ca-certificates
Expected output:
Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
This step:
- Registers your CAs by appending them to the bundle /etc/ssl/certs/ca-certificates.crt
- Creates symlinks in /etc/ssl/certs (one named after each .crt file, plus the subject-hash names OpenSSL uses for lookup)
Re-running it is safe; a second run reports 0 added.
Step 5 — Verify Installation
Check that your certs are recognized (update-ca-certificates creates a symlink named after each file, with a .pem extension):
ls /etc/ssl/certs | grep -i your_ca_name
Optional deeper verification, using a leaf certificate issued by your Intermediate CA; the expected output is your_cert.pem: OK:
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt your_cert.pem
Step 6 — Restart Services (Important)
Running services typically read the CA bundle when they start, so they keep using the old trust store until restarted.
Restart UniFi OS services:
systemctl restart unifi
Or reboot if needed:
reboot
I was successful just restarting unifi with the former command.
Step 7 — Validate in Browser
- Access your UDM or an internal service via HTTPS
- Confirm:
- No certificate warnings
- Full chain is trusted
Be clear about what each check proves. The trust store you changed is the UDM's, not your laptop's: a browser stops warning only when the client itself trusts your Root CA and the service presents a certificate chaining to it. To test the UDM's own trust, connect from the UDM shell to an internal service that presents a certificate issued by your Intermediate; the TLS handshake should now complete without any skip-verification option.
Important Gotchas
1. Persistence Issues
UDM updates can overwrite system files.
Solution:
- Keep a backup script
- Reapply after firmware updates
Example:
#!/bin/bash
set -eu
# Persistent copy of the CA files lives under /mnt/data; re-run after every firmware update.
cp /mnt/data/certs/*.crt /usr/local/share/ca-certificates/
update-ca-certificates
2. Intermediate Must Be Included
If you install only the Root CA, validation fails whenever a service presents just its leaf certificate and omits the intermediate (common on appliances and misconfigured servers). With both CAs in the store, the chain can always be built locally.
Always include:
- Root CA
- Intermediate CA
3. PEM Format Only
Convert a DER-encoded .cer (the usual export format from Windows CA tools) if needed. Without -inform DER, openssl expects PEM input and fails to read the file:
openssl x509 -inform DER -in cert.cer -outform PEM -out cert.crt
4. UniFi UI vs OS Trust
Important distinction:
- This method updates OS-level trust (/etc/ssl/certs), which covers OpenSSL-based tools such as curl and the OS's own outbound TLS connections
- Some UniFi apps may still use their own trust stores; the Network application runs on a JVM, and a JVM normally reads its own cacerts keystore rather than /etc/ssl/certs, so test each application instead of assuming it follows the OS
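Steps 3 through 6 and gotchas 1 to 3 above, as one idempotent reapply script. This is an added example, not code from the original post and not anything Ubiquiti ships. It assumes the CA files are kept under /mnt/data/certs (the same location as the persistence script above), that openssl and update-ca-certificates exist on the UDM-SE, and it only acts when run with an --apply argument (my convention) so the helper functions can be exercised without touching the trust store.

```sh
#!/bin/sh
# Added example: re-apply an internal Root + Intermediate CA to the UDM-SE OS
# trust store. Assumed layout (not from the original post): CA files live under
# /mnt/data/certs, are staged into /usr/local/share/ca-certificates as *.crt,
# registered with update-ca-certificates, then verified and services restarted.
set -eu

CERT_SRC_DIR="${CERT_SRC_DIR:-/mnt/data/certs}"               # assumption
CA_STORE_DIR="${CA_STORE_DIR:-/usr/local/share/ca-certificates}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Number of PEM certificate blocks in a file; 0 for DER, junk or a missing file.
pem_cert_count() {
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || count=${count:-0}
    printf '%s\n' "$count"
}

# update-ca-certificates only reads *.crt, so normalise rootCA.cer/.pem -> rootCA.crt.
crt_name() {
    base=${1##*/}
    printf '%s.crt\n' "${base%.*}"
}

# Pull the "N" out of "N added, M removed; done." so a run can be checked:
# 2 on the first apply, 0 when the files were already in place.
added_count() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) added, .*/\1/p'
}

# Gotcha 3: stage one CA file as PEM with a .crt name, converting DER if needed.
stage_cert() {
    src=$1
    dest="$CA_STORE_DIR/$(crt_name "$src")"
    if [ "$(pem_cert_count "$src")" -ge 1 ]; then
        cp -- "$src" "$dest"
    else
        openssl x509 -inform DER -in "$src" -outform PEM -out "$dest"
    fi
    chmod 0644 "$dest"
    echo "staged $dest"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    mkdir -p "$CA_STORE_DIR"
    staged=0
    for src in "$CERT_SRC_DIR"/*; do
        [ -f "$src" ] || continue
        stage_cert "$src"
        staged=$((staged + 1))
    done
    # Gotcha 2: a root alone cannot validate a leaf from a server that omits the
    # intermediate, so refuse to continue with fewer than two CA files.
    [ "$staged" -ge 2 ] || { echo "expected root + intermediate, staged $staged" >&2; exit 1; }

    out=$(update-ca-certificates 2>&1)
    printf '%s\n' "$out"
    echo "newly added: $(added_count "$out")"

    # Step 5: every staged CA must verify against the regenerated bundle.
    for crt in "$CA_STORE_DIR"/*.crt; do
        openssl verify -CAfile "$CA_BUNDLE" "$crt"
    done

    # Step 6: running services keep the trust store they started with.
    systemctl restart unifi
}

# Gotcha 1: keep this script in /mnt/data and run it after each firmware update.
# It only acts when explicitly asked, so the helpers above can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh reapply-ca.sh --apply` from the UDM shell after each firmware update; the "newly added" line tells you whether the store had actually been wiped (2) or was still intact (0), and any `openssl verify` failure aborts before services are restarted.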
Security Considerations
- Keep the Root CA offline; only the Intermediate signs day to day
- Protect the Intermediate private key: every CA in this store is trusted for all outbound TLS the UDM makes, so a leaked key lets an attacker impersonate any internal service to it
- Use short-lived certificates where possible
- Monitor for unauthorized certificate issuance (review the Intermediate CA's issuance records regularly)
When to Use This
This setup is ideal if you are:
- Running internal services (PBX, dashboards, APIs)
- Building a Zero Trust environment
- Managing multiple UniFi sites with internal PKI
Closing Thoughts
UniFi doesn’t make custom PKI integration obvious—but it does work.
Once configured, this becomes a foundational piece of a secure, scalable infrastructure.
If you're building anything beyond a home lab, this is not optional—it's required.
Next Steps [Generally]
- Automate certificate deployment across devices
- Integrate with ACME (Step CA, HashiCorp Vault, etc.)
- Expand trust to endpoints (Windows, macOS, mobile)