OpenVPN, certificates, CA
Hi guru!
Is a CA not required on a MikroTik OpenVPN server and a MikroTik OpenVPN client?
In practice I found that MikroTik does not match the server and client certificates at all. It’s strange and bad (or am I wrong?).
Mmmkey.
Let’s begin.
On this page
OpenVPN#Server_configuration
we read:
“On RouterOS, all you have to do is to upload them via ftp (ca certificate and router certificate and private key) and import them with /certificate import”
We are interested in the task of logging in from the client to the OpenVPN server by login/password/certificate.
The certificates were created with the help of
Manual:Create_Certificates
These are:
openvpnclient1.crt
openvpnclient1.key
openvpnserver.crt
openvpnserver.key
ca.crt
ca.key
#1. Do as the book says (the “Require client certificate” checkbox is set to on).
Imported to the MikroTik server:
ca.crt
ca.key
openvpnserver.crt
openvpnserver.key
Imported to the MikroTik client:
openvpnclient1.crt
openvpnclient1.key
ca.crt
ca.key
That’s enough. Try to connect by login/password and this set of certificates – status connected. Very well.
#2. The same, but remove ca.crt and ca.key from the MikroTik client OpenVPN.
Reboot for a clean experiment.
server:
ca.crt
ca.key
openvpnserver.crt
openvpnserver.key
client:
openvpnclient1.crt
openvpnclient1.key
It works. Status connected. Strange…
#3. As above, but remove ca.crt and ca.key from the MikroTik server OpenVPN.
Reboot for a clean experiment.
server:
openvpnserver.crt
openvpnserver.key
client:
openvpnclient1.crt
openvpnclient1.key
It works. Status connected. Strange…
#4. Import the wrong certificates (the ca.crt pair, for example) into the MikroTik client OpenVPN and use them for the client connection:
/interface ovpn-client … certificate=CA … name=ovpn-client password=sdkfjh profile=ovpn user=…
Reboot for a clean experiment.
server:
openvpnserver.crt
openvpnserver.key
client:
ca.crt
ca.key
It works. Status connected. Strange…
#5. As above, but use the server certificates on both sides:
Reboot for a clean experiment.
server:
openvpnserver.crt
openvpnserver.key
client:
openvpnserver.crt
openvpnserver.key
It works. Status connected. Strange…
#6. As above, but use the client certificates on both sides:
Reboot for a clean experiment.
server:
openvpnclient1.crt
openvpnclient1.key
client:
openvpnclient1.crt
openvpnclient1.key
It works. Status connected. Strange…
WTF&WHY?
Added:
A month ago I generated certificates and keys for another MikroTik. Now I tried to use these old client certificates for the MikroTik OpenVPN client, and good news – no connection.
That means MikroTik takes the certificates into account, but their effect is a big question.
Thanks for your time.
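What a server (and a client) that really validates peer certificates would do with each of the certificate sets above, as an added example that is not from this post and not MikroTik's code: it rebuilds the post's file names with the openssl command-line tool on a workstation and runs the two checks a validating peer must perform, chaining the presented certificate to the trusted CA and requiring the right role (client or server). "other-ca" and "oldclient" are constructed stand-ins for the month-old certificates from the other router; the scenario numbers in the output refer to the post. Only openvpnclient1.crt passes as a client identity and only openvpnserver.crt as a server identity; the CA certificate, the swapped certificates and the certificate from the other CA are all refused.

```shell
#!/bin/sh
# Added example, not code from the forum post or from MikroTik: rebuilds the
# post's certificate sets with the openssl CLI and checks which of them a peer
# that really validates against the CA should accept. File names follow the
# post; "other-ca" and "oldclient" are constructed stand-ins for the month-old
# certificates issued on another router.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed CA whose key usage is limited to signing certificates and CRLs,
# so the CA certificate itself cannot pass as a TLS client or server identity.
make_ca() { # $1 = basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# Leaf certificate signed by a CA, with an extended key usage that pins it to
# one role ($3 = clientAuth or serverAuth).
make_leaf() { # $1 = basename, $2 = CA basename, $3 = extended key usage
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile "$1.ext" -out "$1.crt" -days 365 >/dev/null 2>&1
}

make_ca ca
make_leaf openvpnserver ca serverAuth
make_leaf openvpnclient1 ca clientAuth
make_ca other-ca                      # constructed: the "other router's" CA
make_leaf oldclient other-ca clientAuth

# What a server with "Require client certificate" should do with the presented
# certificate: build a chain to the trusted CA and require the client role.
# Exit status 0 = accept, non-zero = reject.
check_client() { # $1 = trusted CA file, $2 = certificate presented by the client
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# The mirror image on the client side: the server's certificate must chain to
# the CA and carry the server role.
check_server() { # $1 = trusted CA file, $2 = certificate presented by the server
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Run the post's scenarios through the checks and print the verdicts.
report() { # $1 = label, $2 = check function, $3 = CA file, $4 = presented cert
  if "$2" "$3" "$4"; then echo "$1: accept"; else echo "$1: REJECT"; fi
}
report "#1 client presents openvpnclient1.crt" check_client ca.crt openvpnclient1.crt
report "#4 client presents ca.crt"             check_client ca.crt ca.crt
report "#5 client presents openvpnserver.crt"  check_client ca.crt openvpnserver.crt
report "#6 server presents openvpnclient1.crt" check_server ca.crt openvpnclient1.crt
report "old client cert from another CA"       check_client ca.crt oldclient.crt
```

The role check matters as much as the chain check: in scenarios #5 and #6 the swapped certificates do chain to the same CA, and only the extendedKeyUsage on each leaf lets a peer tell a server identity from a client identity. A peer that skips both checks, as the post's experiments suggest, accepts any certificate it can parse.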