bg-tutorials

How to Generate a CSR on UniFi Cloud Key

This tutorial explains how to generate a CSR (Certificate Signing Request) on a Ubiquiti UniFi Cloud Key. The Cloud Key does not have a built-in CSR generator in its web interface, so you will create the CSR over SSH using OpenSSL. These steps apply to Cloud Key Gen1 and Gen2/Gen2+, as well as self-hosted UniFi Network Application installations running on Linux.

Generate a CSR on UniFi Cloud Key

If you have already generated your CSR, skip ahead to the UniFi Cloud Key SSL installation instructions.

You can also use our CSR Generator to create the CSR automatically rather than running OpenSSL commands on the device.

Requirements

  • SSH access to your Cloud Key (enable SSH in the UniFi OS settings, or connect directly via the device’s IP on port 22).
  • Basic familiarity with terminal commands.
  • OpenSSL installed (pre-installed on Cloud Key firmware).

Step 1: Connect to the Cloud Key via SSH

Open a terminal (or PuTTY on Windows) and connect to your Cloud Key:

ssh [email protected]

Replace 192.168.1.x with your Cloud Key’s IP address. On UniFi OS devices (Gen2/Gen2+), log in with the credentials you set during initial setup.

Step 2: Back up existing certificate files (optional but recommended)

Before generating new files, create a backup of your current certificate directory:

cp -r /etc/ssl/private ~/cloudkey-cert-backup

This preserves your existing key and certificate so you can restore them if needed. You do not need to delete the old files; the new CSR and key are generated alongside them.

Step 3: Generate the CSR and private key

Run the following OpenSSL command to create a 2048-bit RSA private key and CSR in a single step. Replace every placeholder value with your own information:

openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=unifi.yourdomain.com" \
  -addext "subjectAltName=DNS:unifi.yourdomain.com" \
  -keyout /etc/ssl/private/cloudkey.key \
  -out /etc/ssl/private/cloudkey.csr

Note: The -addext flag requires OpenSSL 1.1.1 or later (shipped on Cloud Key Gen2/Gen2+ and on Gen1 devices running firmware 1.1.6+). If your device has an older OpenSSL version, you can omit -addext and add the SAN through an OpenSSL configuration file instead, or use the CSR Generator. On OpenSSL 3.x you may use -noenc instead of -nodes; both produce an unencrypted private key.

CSR field reference

Each field in the -subj string maps to a certificate attribute. Fill them in as follows:

  • C: two-letter country code (ISO 3166), for example US.
  • ST: state or province (full name, not abbreviated).
  • L: city or locality.
  • O: your organization’s legal name. For Domain Validation (DV) certificates this field is optional.
  • CN: the fully qualified domain name (FQDN) you will use to access the Cloud Key controller, for example unifi.yourdomain.com.

The -addext "subjectAltName=..." line sets the Subject Alternative Name (SAN) field. Modern browsers require the hostname to appear in the SAN, not only in the CN. If you need to cover more than one hostname, separate them with commas:

-addext "subjectAltName=DNS:unifi.yourdomain.com,DNS:cloudkey.yourdomain.com"

Step 4: Verify the CSR

Before submitting the CSR, confirm that the subject details and SAN are correct:

openssl req -in /etc/ssl/private/cloudkey.csr -noout -text | head -25

Look for the Subject: line (should match your -subj values) and the X509v3 Subject Alternative Name section (should list your FQDN). You can also paste the CSR contents into the SSL Dragon CSR Decoder for a visual check.

Step 5: Submit the CSR to your Certificate Authority

Open the CSR file in a text editor or print it to the terminal:

cat /etc/ssl/private/cloudkey.csr

Copy the entire output, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. Paste it into the CSR field during the SSL certificate order process with your CA.

Keep the private key file (/etc/ssl/private/cloudkey.key) on the Cloud Key. You will need it later when you install the SSL certificate into the UniFi keystore.

Step 6: Secure the private key

Restrict the key file so only root can read it:

chmod 600 /etc/ssl/private/cloudkey.key

Never share or transfer the private key over an unencrypted channel. If you suspect it has been compromised, generate a new CSR and reissue the certificate.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.