After reading a LOT of topic, wiki and Google, I haven't found a suitable way to generate ssl keys for RouterOS (2.9.34). Better: I found the way, but RouterOS doesn't want it!
Winbox wouldn't to import my key/certificate. I try to follow the howto for certificate import, but no success...when I try to give a "decrypt" command, he ask me the passphrase, but no keys decrypted follows...I'm (quite) desperate!
This is what I do:
- generating the private key and certificate in this way:

- two file are generated: hotspot.mynetwork.net (certificate) and hotspot.mynetwork.net.key (private key)
- upload the two file via FTP to an RB153 with RouterOS 2.9.34
- login via telnet to the RB153:


Someone has never set-up a hotspot with SSL autentication?
Thanks in advance

73 de IZ3HAD

No one?

try running the import command once more

Thanks Normis! I followed the official HowTo http://www.mikrotik.com/docs/ros/2.9/root/certificate, but it is incorrectly (in my opinion).

Edit:
follow my personal HowTo.

but did it work then? did you get your hotspot to run with SSL?

Sure

Could someone please correct the misleading thread topic?
We're talking about SSL (!) certificates here, not SSH...

Best regards,
Christian Meis

Excuse me for the mistakes...I've just changed the title of the topic.

RB 112-153 Secure Hotspot HowTo with HTTPS (optionally HTTPS + RADIUS)

This HowTo is intended for use on MikroTik RouterBoard 112/153, with RouterOS 2.9.34.

Open your winbox utility, and connect to the board through MDP (or do a "/system reset" on a board already in use):
Click on "New Terminal".

Now we are going to control our interfaces, and to enable/disable whoes of our interest (I have a RB 153):

Set a name for the Interfaces (without space on thw wireless interfaces, otherwise the hotspot setup will fail, I think that's a bug).

Now, we are going to setting-up the wireless interface

Set an IP address for the "internet" interface, it's default gateway and it's dns. The option allow-remote-requests is to speed up the dns by caching the local request to the MikroTik box.


Now, create a certificate on a Linux Machine. A script could be the follow:

Then, give it the execution properties and execute it:

Give your password three times.
Give all the information required (CA, email, ecc.).

Two file are produced:
--- hotspot.mynetwork.net is the certificate
--- hotspot.mynetwork.net.key is the private key

Put this (via FTP) file on the root of MT Board.
Return to the MT Board CLI and give the following commands to import the certificate and the private keys:


It's time to set-up your hotspot.

To force the authentication mode to "only HTTPS", type this:

If you have a freeradius server, add in /etc/raddb/clients.conf a new entry like this:

And, on the RB CLI:

Now you have a secured hotspot! Connect your client to the MT, and type any address on Firefox: you will get a certification approval request, it's yours!
Hints
If you disable Connection Tracking, the HotSpot will not be able to redirect your connection.

P.S.
I found a perfectly working guide on a previous topic to made this config, but there was nothing on the SSL side, and no or erroneus info found for a "secure" hotspot authenticating on the rest of the forum, so I decided to made a new howto.
Thanks to Normis for it's hint.

73 de IZ3HAD

If you are example are 100% working, you can publish it in MikroTik wiki,
http://wiki.mikrotik.com

Sure, it's 100% working. I resetted my board and try to follow my howto as posted to made a hotspot. I powered on my laptop and it gives an IP from the hotspot DHCP's. Then, after started FFirefox, it request me to accept the certificate and show up the login page. The login, redirect, logout work perfectly.
I'm trying to register myself on wiki, but it appears to have some problem...I'll try later and I'll insert my howto.

73 de IZ3HAD

Can you create an unsigned certificate using a Linux liveCD? if yes, which liveCD do you recommend. Ta

I tried this tutorial and it works really good, thanks very much, everything is very well explained and you should definitely publish it in MikroTik wiki.

I don't know if the live cds are able to do this, if they have OpenSSl installed, i'm pretty sure it is possible.Then you just need an ftp client (I used Filezilla) and ssh or telnet to do the rest.
Try to do everything on linux, because if you import your self signed certificate to windows it is possible that the properties of the file change and the certificate wont work. But you can try

Well I think there is no use on having linux after all, all you need is a version of OpenSSl for windows, for example this one:
http://www.slproweb.com/download/Win32O ... 0_9_8g.exe

After install go to the /bin directory and run the executale file, you can then create your own certificate and private key with this two simple commands:

genrsa -des3 -out private.key 1024

req -new -x509 -days 365 -key private.key -out certificate.pem

Then follow the rest of the tutorial

is there a way to have Secure Hotspot without it having to except the SSL certificate? Mine is signed by a CA and it says unknown Issuer?

Any Ideas??

Thank you for this straight forward tutorial! Worked like a charm

Darci