Exported CA certificate, intermediary certificate, and user certificates from old Mikrotik hardware. This was done using a password on each certificate so it would preserve the private keys.
Imported all certificates into new Mikrotik hardware, starting with the CA certificate, then intermediary, then user certificates. All show up correctly, and worked as expected. Each certificate states it has the private key when you double-click on the certificate.
Now I need to revoke a specific user certificate, however I get the error: “Revoke Error - Not an issued certificate!”
The certificate does not have the “I” for Issued next to it, and double-clicking the certificate also doesn’t show Issued. Looking at the certificate’s “Status” tab does not show the CA either…
The old hardware is long gone unfortunately. I have all the exported, password protected certificates available still and can re-import if needed.
I thought I had all my ducks in a row - but seems safe to assume I screwed something up somewhere. Is there a way out of this mess without having to rekey everything? I just need to revoke this one certificate.
Thanks, I can export the certs (CA, Int, and User) with passwords successfully, but no dice on getting the “Issued” flag. I can’t sign existing certificates; it gives an error: “Couldn’t start - At least one field specifying certificate name must be set!”. I think this is because the certificate is already signed.
I should note I have no trouble generating and signing new certificates, which correctly get the “issued” flag - just the imported certs seem to be broken somehow.
If you export the CA certificate and the issued certificates, the links between them indeed break as they are not exported. Do you need to revoke the certificate on an external CRL server, or do you just want to prevent the holder of that certificate from establishing a VPN connection to the Mikrotik itself?
Thanks sindy - yes, I need to prevent this user from establishing a VPN connection. Deleting the certificate (which it allows since it doesn’t recognize the Issued status) isn’t sufficient, since it was signed by the same CA as the VPN server’s certificate. Is there another work-around?
Background - this is an IKEv2 VPN using a single peer identity for many vpn clients.
It should be possible to create an individual identity, matching on that particular certificate, and give it a specific policy template group with no template in it. So that peer would be able to complete phase 1 but not create any policy.
First try whether it works using one of the peers with a certificate you don’t want to revoke.
Tested and confirmed to work… this particular certificate is black-holed now.
For others - you can have multiple Identities with the same Peer assigned, so long as the black-holed one has Match By configured to Certificate, which matches that user’s Remote Certificate specifically. Then, as Sindy said, set up a Policy Template Group with no Templates under the Policy tab.
Appreciate it Sindy, I wouldn’t have ever thought of this work-around!
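The workaround described in this thread, written out as RouterOS CLI commands. This is an added example, not configuration posted by either participant. The peer name `ike2-peer`, the certificate names `vpn-server.crt_0` and `revoked-user.crt_0`, and the group name `blackhole` are placeholders for whatever `/ip ipsec peer print` and `/certificate print` show on the router; the existing general identity for the shared peer is assumed to stay in place untouched.

```routeros
# Added example (not from the thread): black-hole one imported user certificate
# whose link to the CA was lost on export, so it cannot be revoked normally.
# Placeholder names: ike2-peer (existing shared peer), vpn-server.crt_0 (the
# server certificate already used by the general identity), revoked-user.crt_0
# (the imported user certificate to block), blackhole (new, empty group).

# 1. A policy template group that deliberately contains no templates.
#    Any identity pointed at it can finish IKE phase 1 but never obtain
#    a phase-2 policy, so no traffic selector is ever installed.
/ip ipsec policy group add name=blackhole comment="no templates on purpose"

# 2. A second identity on the same peer. match-by=certificate makes this
#    identity apply only when the client presents exactly remote-certificate;
#    all other clients keep matching the general identity for ike2-peer.
/ip ipsec identity add peer=ike2-peer auth-method=digital-signature \
    certificate=vpn-server.crt_0 remote-certificate=revoked-user.crt_0 \
    match-by=certificate policy-template-group=blackhole \
    comment="black-holed user: phase 1 completes, no policy can be created"

# 3. Checks. The group must own no templates, and the black-holed identity
#    must be the only one with match-by=certificate and that remote cert.
/ip ipsec policy print where group=blackhole
/ip ipsec identity print detail where match-by=certificate

# 4. After the blocked client tries to connect, it may show up briefly in
#    active-peers, but no installed SA or dynamic policy should appear for it.
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

Test the same three commands first against a certificate you do not intend to block, as sindy suggested, and confirm that client loses connectivity before pointing the identity at the real one. Because this is a matching rule rather than a revocation, the certificate itself remains valid; if the same CA is ever used for another service, that service still needs its own control.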