In my ipsec config I do have 2 certificates in identity:
/ip ipsec identity
add auth-method=eap-radius certificate=r10.pem_0,r11.pem_0 generate-policy=port-strict mode-config=ikev2-config peer=ikev2-peer policy-template-group=ikev2-group
With a script, I want to add one more certificate here without erasing r10 and r11, but when the script below is executed it adds the new one and erases r10 and r11. Do I have to do something like
certificate=$certName,r10.pem_0,r11.pem_0
or maybe is there any “cleaner” method?
Script:
:local certName [/certificate get [find where common-name=$dnsName] name]
/user-manager set certificate=$certName
/ip ipsec identity set [find peer=ikev2-peer] certificate=$certName
Well if you want to have two clients at once using one cert each then you must add it as two different certs.
Running the set command on already existing cert will alter parameters for that cert.
Well, I want to have one identity using 3 certs: r10, r11 and letsencrypt. The script is for the letsencrypt renewal: it deletes the old one and is supposed to add the new one to the ipsec identity while not erasing r10 and r11.
As I said
set [find peer=ikev2-peer] certificate=$certName,r10.pem_0,r11.pem_0
works, but I was wondering if there is any command to just add the new cert to the already existing r10 and r11.
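One way to append the renewed certificate to the identity's list instead of replacing it, as an added example that is not from the thread or from MikroTik's documentation. It assumes RouterOS v7 script semantics (reading a multi-value property returns an array, the comma operator concatenates arrays, :toarray splits a string), exactly one identity matching peer=ikev2-peer as in the posted config, and a placeholder common-name in $dnsName.

```routeros
# Added example (not from the thread or MikroTik): append the renewed
# Let's Encrypt certificate to the identity's certificate list rather than
# overwriting it with a single name. Assumes the renewed cert is already
# imported and that $dnsName holds its common-name (placeholder value below).
:local dnsName "vpn.example.net"
:local certName [/certificate get [/certificate find where common-name=$dnsName] name]
# Assumes a single identity for this peer, as in the posted configuration
:local identId [/ip ipsec identity find where peer=ikev2-peer]

# 'certificate' is a multi-value property: reading it returns the current
# list as an array, a plain string when one cert is set, or nothing if empty.
:local certs [/ip ipsec identity get $identId certificate]
:if ([:typeof $certs] != "array") do={ :set certs [:toarray [:tostr $certs]] }

# Keep r10/r11 (and anything else already listed); add the new name only once
:local present false
:foreach c in=$certs do={
    :if ($c = $certName) do={ :set present true }
}
:if (!$present) do={
    /ip ipsec identity set $identId certificate=($certs , $certName)
    :log info ("ipsec identity: added certificate " . $certName)
} else={
    :log info ("ipsec identity: certificate " . $certName . " already listed")
}
```

If the renewal script removes the old certificate before this runs, a stale name may still sit in the list; checking each entry against [/certificate find where name=$c] before rebuilding the array drops such leftovers.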
That would break the basics of PKI.
Perhaps you can add these as a pool of users?
I have no idea about that. I was just trying to fix my ikev2 connection after Let's Encrypt's July update (http://forum.mikrotik.com/t/ipsec-ikev2-radius-let-s-encrypt-problem/177569/1) and that was working.
Can you tell me how to solve this in compliance with good practice?