Bug in exporting certificates RouterOS 7.20.6 on hAP ac

Dear All,

I think there is a bug exporting certificates in RouterOS 7.20.6.

Here is my certificate key-usage:

Exporting the certificate and importing it into “Trusted Root Certification Authorities”, it comes to:

no matter if you export to PEM or PKCS12. Importing to Windows - same result.

I also tried with key-usage=digital-signature,key-encipherment,tls-server.

As a consequence, no validation of the certificates is possible.

Please fix this, Mikrotik Team.

Thank you in advance.

That is odd. I just did a quick test on 7.21rc2 with both Mac Keychain and openssl correctly showing the same "Key Usage" as RouterOS generated.

So if I create a cert like OP's key usage screenshot, and then export it and use openssl x509 -in ./cert_export_signonly.crt -text, I get matching "Key Usage":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 498805286110378490 (0x6ec1cc3d2b239fa)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=signonly
[...]
     X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                1B:7D:A5:61:DD:94:37:A2:95:C3:DC:7C:AA:DE:3B:EC:B0:93:ED:7B
[...]

both are marked critical so Windows should also respect that, but...

I have some vague recollection from years ago that Windows does some weird stuff WRT X.509 attributes (or has weirder rules). At the end of the day it is up to the OS certificate store to decide what the OS wants to enforce, since these things are all just OIDs with PKI attribute meanings, not the keying material, which in most cases is all that's needed for some X.509 operation.

And I don't have 7.20.6 or Windows handy to test ATM, but will test at some point if I remember - perhaps it's a bug, but just on some versions of RouterOS.
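The reply above settles the question by reading the exported file with openssl and comparing the decoded "Key Usage" line with what the certificate store displays. The same check can be done byte-for-byte without depending on what any viewer renders: the keyUsage extension is a DER SEQUENCE of the OID 2.5.29.15, an optional critical BOOLEAN, and an OCTET STRING wrapping a BIT STRING whose bit 0 is digitalSignature, bit 5 keyCertSign and bit 6 cRLSign (RFC 5280, section 4.2.1.3). The following is an added example, written for this thread and not code from the posters, MikroTik or RouterOS; it encodes and decodes that structure with only the Python standard library, and its SAMPLE_PEM is a constructed DER nesting that only mimics where a certificate keeps its extensions, not a real certificate. Run it over a real exported .crt by passing the PEM text to key_usage_from_pem.

```python
"""Encode and decode the X.509 keyUsage extension (RFC 5280, section 4.2.1.3)
with only the standard library, so an exported certificate can be checked
against what a certificate store displays.
Added example for the forum thread; not code from MikroTik or RouterOS.
"""
import base64

KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER body of OID 2.5.29.15 (id-ce-keyUsage)
# Bit positions of the KeyUsage BIT STRING; bit 0 is the MSB of the first data byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode a DER TLV with a minimal short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def encode_key_usage(usages, critical=True):
    """Return the DER Extension SEQUENCE {OID, [critical BOOLEAN], OCTET STRING {BIT STRING}}."""
    value, nbits = 0, 0
    for name in usages:
        i = KEY_USAGE_BITS.index(name)
        value |= 1 << (15 - i)        # place bit i in a 16-bit big-endian view
        nbits = max(nbits, i + 1)     # DER drops trailing zero bits from the BIT STRING
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits       # first BIT STRING byte: count of unused low bits
    data = (value >> (16 - nbytes * 8)).to_bytes(nbytes, "big") if nbytes else b""
    bit_string = _tlv(0x03, bytes([unused]) + data)
    parts = _tlv(0x06, KEY_USAGE_OID)
    if critical:
        parts += _tlv(0x01, b"\xff")  # BOOLEAN TRUE; the DEFAULT FALSE case is omitted in DER
    parts += _tlv(0x04, bit_string)
    return _tlv(0x30, parts)


def decode_key_usage(extension_der):
    """Return (critical, [usage names]) from one DER keyUsage Extension."""
    tag, body, _ = _read_tlv(extension_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not the keyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                   # optional critical BOOLEAN precedes extnValue
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = _read_tlv(val, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, data = bits[0], bits[1:]
    total = len(data) * 8 - unused
    usages = [KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
              if data[i // 8] & (0x80 >> (i % 8))]
    return critical, usages


def find_key_usage(der):
    """Depth-first search of any DER blob (e.g. a whole certificate) for the keyUsage Extension."""
    pos = 0
    while pos < len(der):
        start = pos
        tag, val, pos = _read_tlv(der, pos)
        if tag == 0x30 and val.startswith(b"\x06\x03" + KEY_USAGE_OID):
            return der[start:pos]
        if tag & 0x20:                # constructed type: descend into it
            found = find_key_usage(val)
            if found is not None:
                return found
    return None


def wrap_pem(der, label="CERTIFICATE"):
    """PEM-armour a DER blob (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def key_usage_from_pem(pem_text):
    """Strip PEM armour, DER-decode, and report (critical, usages), or None if the extension is absent."""
    b64 = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    ext = find_key_usage(base64.b64decode(b64))
    return None if ext is None else decode_key_usage(ext)


# Constructed sample (not a real certificate): a DER nesting that mimics where tbsCertificate
# keeps its extensions ([3] EXPLICIT SEQUENCE OF Extension), carrying the CA usages seen in the thread.
SAMPLE_PEM = wrap_pem(_tlv(0x30, _tlv(0xA3, _tlv(0x30, encode_key_usage(["keyCertSign", "cRLSign"])))))

if __name__ == "__main__":
    ca_ext = encode_key_usage(["keyCertSign", "cRLSign"])
    print(ca_ext.hex())                 # 300e0603551d0f0101ff040403020106
    print(decode_key_usage(ca_ext))     # (True, ['keyCertSign', 'cRLSign'])
    print(key_usage_from_pem(SAMPLE_PEM))
```

If the bytes of the exported file already carry the expected bits with the critical flag set, as the openssl dump in the reply shows, then whatever a store displays after import is the importer's interpretation, not a defect in the export.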