CA certificate created by scep server has no Authority flag in RouterOS

Hi, I just tried to use our scep server to create a certificate+key to be used by CAPsMAN manager as CA.

When using the following commands to create the cert:

:certificate add name=capsman_ca common-name="capsman_ca" country="xx" locality="xxxxxxxxx" organization="xxxxxxxxxxxxx" trusted=yes key-size=4096 key-usage="digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign"
:certificate add-scep template=capsman_ca name=CAPsMAN-CA scep-url="http://scep/scep"

The cert returned from scep server is not flagged with ‘A’ (authority):

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, 
T - trusted 
 #         NAME          COMMON-NAME         SUBJECT-ALT-NAME                                      FINGERPRINT        
 0 K     T CAPsMAN-CA    xxxxxxxxxx                                                                12312312312312312321...

Without that attribute it’s not usable as CA for CAPsMAN manager.

When exporting the certificate as pkcs12 and importing it to another device the A flag is shown and can be used to sign certs.

Removing and reinstalling it from pkcs12 file also adds the ‘A’ flag but removes the scep connection.

Tried this on RouterOS 6.47.

Any chance to get that working?

You must create the CA first, by hand, not through SCEP. SCEP is only for requesting child certificates!
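
A sketch of the local-CA approach the reply describes, added here as an example and not part of either post. The template and certificate names are hypothetical, and the subject fields are trimmed to the common name.

```routeros
# Added example: names below (capsman-ca-template, capsman-ca, capsman-template,
# capsman) are hypothetical and chosen only for illustration.

/certificate
# CA template: only the signing usages a CA needs.
add name=capsman-ca-template common-name=capsman_ca key-size=4096 \
    key-usage=key-cert-sign,crl-sign
# Template for the certificate the CAPsMAN manager itself presents.
add name=capsman-template common-name=capsman

# Self-sign the CA template on the router (no ca= argument), then use the
# resulting CA to sign the manager certificate.
sign capsman-ca-template name=capsman-ca
sign capsman-template ca=capsman-ca name=capsman

# Confirm that capsman-ca is now listed with the A (authority) flag
# before pointing CAPsMAN at it.
print

/caps-man manager
set ca-certificate=capsman-ca certificate=capsman
```

The CA private key stays on the router in this setup, so backups and exports of that device need to be protected like any other CA key material.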