Updating the SSL certificate pair on the Unifi Controller

Published 2019-02-08

I have a certificate authority for my internal domain, so I wanted to update the Unifi Controller TLS certificate.

Introduction

Since I have an internal DNS server for my home domain, I wanted my Unifi Controller to present under that domain.

There's a knowledge base article, but that didn't work for me, probably because I'm not much of a Java guy.

In the end, a little mucking around with keytool and some googling got me going.

Steps to install your TLS certificate

First, back up /usr/lib/unifi/data/keystore so you have a fallback.

Once you have your key pair (Let's Encrypt is your friend, or a self-signed pair), run the following on a box with OpenSSL (and Java, for the keytool check further down). If the certificate comes from a public CA such as Let's Encrypt, use the file that includes the intermediate chain (fullchain.pem) as cert.pem, since the controller serves exactly what is in the keystore and some clients will not build the chain on their own:

openssl pkcs12 -export -name unifi -in cert.pem -inkey key.pem -out keystore.new

The "-name unifi" sets the keystore alias to unifi, which is the alias the controller looks up. openssl will also prompt for an export password; the controller expects its fixed keystore password, so use:

aircontrolenterprise

You can check the result with keytool (using the password above). The store should contain exactly one PrivateKeyEntry under the alias unifi:

keytool -list -keystore keystore.new
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

unifi, Feb 8, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 69:83:83:A0:B5:C8:54:9E:EA:46:55:A8:A0:3C:F7:81:A5:94:7E:8A

Copy keystore.new over /usr/lib/unifi/data/keystore, make sure the file is still owned by the service user (chown unifi:unifi on the Debian/Ubuntu package), and restart the controller (systemctl restart unifi). Check the log for any silliness (/var/log/unifi/server.log), and confirm from the outside that the new certificate is being served, for example with openssl s_client -connect controller.example.com:8443 -servername controller.example.com. Revert to the saved keystore file should your Java frustration level hit critical.
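The whole procedure above as one checked script. This is an added example, not the post's own method or anything shipped with the controller. It assumes the Debian/Ubuntu package layout (keystore at /usr/lib/unifi/data/keystore, systemd unit unifi, service user unifi; all overridable through environment variables), verifies the new store with openssl rather than keytool so it also runs on a box without a JDK (keytool is consulted as a second opinion when it is installed), and refuses to install a store that does not open with the controller's password, lacks the unifi alias, or carries no private key:

```shell
#!/bin/sh
# Added example (not the post's own script): the keystore swap as checked
# steps. Assumes the Debian/Ubuntu unifi package layout: keystore at
# /usr/lib/unifi/data/keystore, systemd unit "unifi", service user "unifi".
# Override KEYSTORE, SERVICE, OWNER and LOG for other installs.
set -eu

ALIAS="unifi"                      # alias the controller looks up
STOREPASS="aircontrolenterprise"   # the controller's fixed keystore password
KEYSTORE="${KEYSTORE:-/usr/lib/unifi/data/keystore}"
SERVICE="${SERVICE:-unifi}"
OWNER="${OWNER:-unifi:unifi}"
LOG="${LOG:-/var/log/unifi/server.log}"

# build_keystore KEY.pem CERT.pem OUT
# Packs key and certificate (pass fullchain.pem so intermediates ship too)
# into a PKCS12 store under the alias and password the controller expects.
# OpenSSL 3 writes AES-256 / SHA-256 PBKDF2 stores by default; add
# -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 if an old
# Java 8 on the controller cannot open the result.
build_keystore() {
    openssl pkcs12 -export -name "$ALIAS" -inkey "$1" -in "$2" \
        -out "$3" -passout "pass:$STOREPASS"
    chmod 600 "$3"
}

# check_keystore STORE
# Succeeds only if the store opens with the controller's password and holds
# a certificate tagged friendlyName=unifi plus a private key. Uses openssl
# (no JDK needed); keytool is consulted as well when it is installed.
check_keystore() {
    # -info prints bag headers on stderr and bag attributes on stdout,
    # so capture both; a wrong password fails with "Mac verify error".
    info=$(openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$STOREPASS" 2>&1) || {
        echo "check: $1 does not open with the controller password" >&2
        return 1
    }
    printf '%s\n' "$info" | grep -q "friendlyName: $ALIAS" || {
        echo "check: no entry with alias $ALIAS in $1" >&2
        return 1
    }
    printf '%s\n' "$info" | grep -qi "keybag" || {
        echo "check: no private key in $1" >&2
        return 1
    }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null
    fi
}

# install_keystore STORE
# Backs up the live keystore with a timestamp, installs the new one with the
# service user's ownership, restarts the controller and shows the log tail.
install_keystore() {
    check_keystore "$1"
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    install -o "${OWNER%%:*}" -g "${OWNER#*:}" -m 600 "$1" "$KEYSTORE"
    systemctl restart "$SERVICE"
    tail -n 20 "$LOG"
}

# main KEY.pem CERT.pem: build in a scratch directory, check, install.
main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 key.pem fullchain.pem" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    build_keystore "$1" "$2" "$tmp/keystore.new"
    install_keystore "$tmp/keystore.new"
    rm -rf "$tmp"
}

# Only act when given arguments, so the functions can be sourced or
# exercised without touching the live controller.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the key and the full-chain certificate, for example ./unifi-keystore.sh key.pem fullchain.pem (the script name is a placeholder). The check step is what the keytool listing in the post does by hand; doing it before the copy means a typo in the export password, or a missing -name unifi, is caught while the old keystore is still in place rather than after the controller has come up without a usable certificate.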