hi guys
Is there any basic guide on how to negotiate certificates between 2 routers? I have my IPsec running and it works well, but with a preshared key only. Is there any step-by-step guide to create a certificate on every router?
thank you
http://wiki.mikrotik.com/wiki/Manual:Create_Certificates
That should work well for OpenVPN.
Hello fewi, thanks for your quick response. I have newly created certificates; I saw them in /file. What is the meaning of request.pem and key.pem? To be honest, this is my first setup of a certificate, hope you understand my side.
What is my next step after this, fewi?
[admin@kamote] /file> print
0 certificate-request.pem .pem file 794 aug/05/2010 22:18:07
1 private-key.pem .pem file 963 aug/05/2010 22:18:07
thanks
If you’re going to follow the steps I originally posted you can delete those files. They are a private key and a certificate request created on the router via “/certificate create-certificate-request”.
The short version (yes, that really is the short version):
Public/private keys are pairs of keys. Anything encrypted with the public key can only be decrypted by the private key, and vice versa. You never show your private key to anyone at all and keep it as secret as you can, and you give your public key to anyone that wants it. Now if you encrypt something with your private key, anyone that has the public key can verify that you must be the one that encrypted the message, because no one else has that private key, and it’s the only thing that could have encrypted something the corresponding public key could decrypt. If I want to send a message that only you can read I encrypt it with your public key, because the only key that can decrypt that message is your private key, and you’re the only one that has it.
A hash is a way to take a bunch of data and generate a unique fingerprint of that data. Hashes always generate the same output given the same input. It’s impossible to reverse the process and get the original data just from the hash. If someone gives you a bunch of data (a file you downloaded, a text file, a digital certificate) together with the hash of that data, you can create the hash of the original data yourself and compare the two. If they match you can be sure that the original data hasn’t been modified since the time the hash you’re comparing to was generated.
CAs are certificate authorities that are used to sign digital certificates. Users and machines consciously decide to trust specific CAs for that purpose.
Certificates are bundles that contain someone’s public key together with a start and expiration date (the time during which the certificate is valid), as well as a digital signature from the CA. Each user and machine that uses a CA to verify someone else’s identity has the digital certificate of that CA, which contains that CA’s public key. When a CA signs a digital certificate for a user or machine it takes the hash of that certificate and encrypts it with its private key. Now I look at your certificate - I can see the certificate itself and I can create a hash of it. I can then take the digital signature of the CA for that certificate and decrypt it with its public key and now have the hash of the certificate that the CA signed. If the two match, you are showing me the same certificate that you showed the CA when you got it signed. I inherently trust the CA to sign people’s and machines’ identities, so now I trust that you are you.
There are two ways to get a digital certificate from a CA for your router.
You can either use “/certificate generate-certificate-request” to have the router generate a private key of its own (private-key.pem) together with a digital certificate signing request (certificate-request.pem). You can take that CSR (certificate signing request) and feed it into a CA and sign it there. The result is a digital certificate that can be unlocked with the corresponding private key (private-key.pem).
Alternatively, if you control the entire CA infrastructure you can just create the private key and signing request right on the CA and sign it, and then just transfer all the necessary files over to the router. The link I originally posted outlines how to do that.
Unfortunately I think that’s basically as far as I can cover this in this forum. PKI is a general topic that at first glance is sort of complicated, but it isn’t specific to RouterOS at all and there’s lots of websites that explain everything in detail. Google should have many tutorials. It’s worth understanding in detail.
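The "do it all on the CA" path described in the reply above, worked through with openssl on a Linux or BSD box, as an added example that is not part of the thread or of RouterOS: a CA key pair and self-signed CA certificate, a router key plus CSR (the same pair RouterOS wrote as private-key.pem and certificate-request.pem), the CA signing that CSR, and the hash-and-signature check a peer performs. The directory, the CA name demo-ca and the router name router1 are assumptions chosen for this illustration.

```shell
#!/bin/sh
# Added example, not the forum's or MikroTik's code. Assumed names:
# demo-ca (the CA) and router1 (one IPsec peer); WORK is a scratch dir.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. The CA: its own key pair and a self-signed certificate. ca.crt (the
#    CA's public key) is what every router must hold to verify its peers.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The router identity: a private key and a certificate signing request.
#    This mirrors what "/certificate create-certificate-request" produced,
#    but generated on the CA host so nothing but the results must be copied.
make_router_csr() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# 3. The CA signs the CSR: it hashes the certificate body and signs that
#    hash with ca.key. router1.crt plus router1.key go onto the router.
sign_csr() {
  name="$1"
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
}

# 4. What a peer does with the presented certificate: recompute the hash,
#    check the CA signature against ca.crt's public key, compare. Exit 0 = OK.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt"
}

# Sanity check before deploying: the certificate must carry the public half
# of the private key that will be installed next to it.
key_matches_cert() {
  name="$1"
  from_cert=$(openssl x509 -noout -pubkey -in "$WORK/$name.crt")
  from_key=$(openssl pkey -pubout -in "$WORK/$name.key")
  [ "$from_cert" = "$from_key" ]
}

make_ca
make_router_csr router1
sign_csr router1
verify_cert router1
key_matches_cert router1 && echo "router1.key matches router1.crt"
```

On RouterOS the three files to import are ca.crt, router1.crt and router1.key; a second peer repeats steps 2 and 3 under its own name against the same CA.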