@patrick I'm pretty sure the Ubiquiti device in this case would be on a private network with a private IP and hostname, right? If so, you can't get certs for a private hostname signed by a public CA. Before a CA can sign a certificate, they have to verify the identity of the hostname being applied to use on the certificate. If it's not a public hostname that can be verified, there's no way to get a signed certificate for it.
The typical method to connect to an SSL-based service that's hosted locally on your network is to do an "internal" sign (or self-sign), which would require adding trusted keys to the Hubitat "truststore" (aka "cacerts" in Java). Internal signing is most common: with an internal sign, it's not signed by a "public" CA but rather by a private one, like perhaps Ubiquiti themselves internally sign it. However, Ubiquiti's CA cert is not going to be in the list of CAs trusted by Hubitat, so there needs to be a way to import additional "trusted" CAs into HE's truststore/cacerts database.
So this is absolutely a problem that would likely need to be solved on the HE side, as we would need a way to add trusted signing keys to the HE trust store. Alternatively, you could add a feature in HE that allows HE to connect to untrusted SSL servers, but that would be a big security risk.
The only way this could be solved on the Ubiquiti side would be if they somehow managed to use a public hostname on the private network and sign the SSL cert with that public hostname and use some sort of internal DNS server to map that public hostname into a private IP address. Not impossible, but not exactly easy.
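The trust decision described in the post above, reproduced with the `openssl` CLI as an added example (not part of the original post, and not Hubitat or Ubiquiti code). The CA names and `device.lan` are constructed placeholders, and a PEM bundle stands in for the Java truststore.

```shell
#!/usr/bin/env bash
# Constructed demo: "Stand-in Public CA", "Demo Internal CA" and "device.lan"
# are placeholder names, not values from the post.

# make_ca DIR NAME CN: create a self-signed CA (NAME.key / NAME.pem) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_device DIR CA HOST: issue DIR/dev.pem for HOST, signed by CA.
sign_device() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
  openssl x509 -req -in "$1/dev.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/san.ext" -out "$1/dev.pem" 2>/dev/null
}

# check_trust STORE CERT HOST: the decision a verifying client makes.
check_trust() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# run_demo: prints three results, one per line.
run_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" public "Stand-in Public CA" && make_ca "$d" internal "Demo Internal CA" \
    && sign_device "$d" internal device.lan || { rm -rf "$d"; return 1; }
  cp "$d/public.pem" "$d/store.pem"                   # client trusts public CAs only
  check_trust "$d/store.pem" "$d/dev.pem" device.lan  # untrusted: issuer unknown
  cat "$d/internal.pem" >> "$d/store.pem"             # import the internal CA
  check_trust "$d/store.pem" "$d/dev.pem" device.lan  # trusted
  check_trust "$d/store.pem" "$d/dev.pem" other.lan   # untrusted: name mismatch
  rm -rf "$d"
}

run_demo
```

Importing the internal CA changes the result without weakening the hostname check, which is the difference between extending the trust store and allowing connections to untrusted servers.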