This tutorial explains how to generate a CSR (Certificate Signing Request) on a Ubiquiti UniFi Cloud Key. The Cloud Key does not have a built-in CSR generator in its web interface, so you will create the CSR over SSH using OpenSSL. These steps apply to Cloud Key Gen1 and Gen2/Gen2+, as well as self-hosted UniFi Network Application installations running on Linux.
Generate a CSR on UniFi Cloud Key
If you have already generated your CSR, skip ahead to the UniFi Cloud Key SSL installation instructions.
You can also use our CSR Generator to create the CSR automatically rather than running OpenSSL commands on the device.
Requirements
- SSH access to your Cloud Key (enable SSH in the UniFi OS settings, or connect directly via the device’s IP on port 22).
- Basic familiarity with terminal commands.
- OpenSSL installed (pre-installed on Cloud Key firmware).
Step 1: Connect to the Cloud Key via SSH
Open a terminal (or PuTTY on Windows) and connect to your Cloud Key:
ssh [email protected]
Replace 192.168.1.x with your Cloud Key’s IP address. On UniFi OS devices (Gen2/Gen2+), log in with the credentials you set during initial setup.
Step 2: Back up existing certificate files (optional but recommended)
Before generating new files, create a backup of your current certificate directory:
cp -r /etc/ssl/private ~/cloudkey-cert-backup
This preserves your existing key and certificate so you can restore them if needed. You do not need to delete the old files; the new CSR and key are generated alongside them.
Step 3: Generate the CSR and private key
Run the following OpenSSL command to create a 2048-bit RSA private key and CSR in a single step. Replace every placeholder value with your own information:
openssl req -new -newkey rsa:2048 -nodes -sha256 \
-subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=unifi.yourdomain.com" \
-addext "subjectAltName=DNS:unifi.yourdomain.com" \
-keyout /etc/ssl/private/cloudkey.key \
-out /etc/ssl/private/cloudkey.csr
Note: The -addext flag requires OpenSSL 1.1.1 or later (shipped on Cloud Key Gen2/Gen2+ and on Gen1 devices running firmware 1.1.6+). If your device has an older OpenSSL version, you can omit -addext and add the SAN through an OpenSSL configuration file instead, or use the CSR Generator. On OpenSSL 3.x you may use -noenc instead of -nodes; both produce an unencrypted private key.
CSR field reference
Each field in the -subj string maps to a certificate attribute. Fill them in as follows:
- C: two-letter country code (ISO 3166), for example US.
- ST: state or province (full name, not abbreviated).
- L: city or locality.
- O: your organization’s legal name. For Domain Validation (DV) certificates this field is optional.
- CN: the fully qualified domain name (FQDN) you will use to access the Cloud Key controller, for example unifi.yourdomain.com.
The -addext "subjectAltName=..." line sets the Subject Alternative Name (SAN) field. Modern browsers require the hostname to appear in the SAN, not only in the CN. If you need to cover more than one hostname, separate them with commas:
-addext "subjectAltName=DNS:unifi.yourdomain.com,DNS:cloudkey.yourdomain.com"
Step 4: Verify the CSR
Before submitting the CSR, confirm that the subject details and SAN are correct:
openssl req -in /etc/ssl/private/cloudkey.csr -noout -text | head -25
Look for the Subject: line (should match your -subj values) and the X509v3 Subject Alternative Name section (should list your FQDN). You can also paste the CSR contents into the SSL Dragon CSR Decoder for a visual check.
Step 5: Submit the CSR to your Certificate Authority
Open the CSR file in a text editor or print it to the terminal:
cat /etc/ssl/private/cloudkey.csr
Copy the entire output, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. Paste it into the CSR field during the SSL certificate order process with your CA.
Keep the private key file (/etc/ssl/private/cloudkey.key) on the Cloud Key. You will need it later when you install the SSL certificate into the UniFi keystore.
Step 6: Secure the private key
Restrict the key file so only root can read it:
chmod 600 /etc/ssl/private/cloudkey.key
Never share or transfer the private key over an unencrypted channel. If you suspect it has been compromised, generate a new CSR and reissue the certificate.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


