Hi Sindy,
Thanks for the detailed reply, I may have confused you a bit I think with my mentioning of Lets Encrypt. The LE certificate was generated automatically by my MT router and is only used AFAIK to enable the ‘www-ssl’ service, in ‘IP/Services’. I only mentioned this LE certificate because it’s my example of one done correctly as far as the server cert is concerned, the CA aspect differs because LE is a real CA compared to my own fake CA scenario. So what I was trying to explain was the LE cert has two category letters next to it in the list of certs. ‘KT’, indicating that the private key is present and the cert is trusted. I’m assuming my own generated TLS Server private key & Cert (items 5&6 from my numbered list in the OP) need to be imported to MT and would show the same status categories as the LE one, unless I have configured CRL in mine which may show an additional category status character.
Then I went on to ask, out of the private keys and certs that I’ve created offline (not on the MT router), (8 items in the numbered list in the OP), which of these should be imported to the MT router?
I think the part you mention about CSR is not relevant to my use case. I’m not sending any certs to a CA via a CSR, I’m creating my own indirectly via OpenSSL using the XCA application. With this application, it generates private keys, self signed CA root certs, ICA’s, end entity certs, CRL’s, even vCalendar exports. This information is all password protected in the integrated database embedded in the application which resides on a protected laptop inside my LAN. So the private keys are generated inside my LAN and aren’t seen by anyone. Unless the private keys for my CA, ICA and client certs are required on the MT router then this won’t ever have even seen them, so surely more secure than generating all of this on the MT router itself.
Moving on to your last two bullet points regarding the CA’s and the chain of trust. Does it make any difference if the CA and ICA are imported individually to the MT router or a client device or should they be exported in a chain file, such as a PEM chain file for the CA’s without the private keys?
I’m not using the Lets Encrypt provided cert for the VPN set up. I have the DNS for my own domain set up with a sub domain, vpn.mydomain.tld and an A record pointing to my fixed IP provided by my ISP, (WAN IP). Therefore I used the ICA to sign my own XCA home made end entity cert. for TLS Server Auth. with a common name and subject alt. name matching vpn.mydomain.tld. I’m assuming this server cert should be imported to the MT router along with its private key as it is a similar cert. to the one that exists from Lets Encrypt, except that refers to mydomain.tld rather than a sub domain of it. Can my server cert that was made in XCA be exported either as a separate PEM .crt file along with a separate export of the private key (unencryted key .pem file or encrypted key PKCS #8?) or the cert. and the private key as one encrypted PKCS #12 .pfx file?
Lets say I’m ignoring the RADIUS server option at this time, how should I export the client certificates for importing to client devices such as Windows? Should this be an encrypted PKCS #12 chain file containing the complete cert. chain and the private key? I concur on importing into the machine store rather than the personal store on Windows. The Windows 10 inbuilt VPN connection process only requires the server URL, VPN type: IKEv2, Type of sign-in info: General authentication method. In the corresponding WAN Miniport network adapter settings, authentication is set to ‘Use machine certificates’. I don’t think it matters too much if it doesn’t ask for a password as the laptop is protected well anyway including the BIOS.
I am planning on connecting a few devices, Windows and Android based so each of these will have a client cert. that is also stored on the MT router and is indeed referred to in /ip sec identity. Thanks, I acknowledge your point then that the private keys for the client certs. should not be on the MT router.
As for the CRL solution, at the moment my understanding is as follows:
The MT complains if referring to the CRL Distribution Points with a https URI, as it doesn’t like that protocol according to the MT ROS log. It also complains if the CRL has been produced in .der format.
CA Root, has CRL Distribution Point: critical, URI:http://crl.mydomain.tld/ca.crl
ICA, has CRL Distribution Point: critical, URI:http://crl.mydomain.tld/ca.crl
but the end entity certs (servers and clients) have a CRL Distribution Point, pointing to a CRL generated by the ICA that signed it, e.g., CRL Distribution Point: critical, URI:http://crl.mydomain.tld/ica.crl
I may have different ICA’s for home lab use to create a logical separation of purpose to these as I believe it makes cert. management more logical, so I may also adopt: CRL Distribution Point: critical, URI:http://crl.mydomain.tld/ica{-purpose}.crl that ties in with the naming convention of the related ICA.
This doesn’t however fit with the MT help docs. here https://help.mikrotik.com/docs/display/ROS/Certificates. That suggests making 3 self signed certs which are all CA’s and only the ServerCA one has the CRL flag shown next to it. I don’t feel that is a good example as why would you produce self signed CA’s and not sign a server or client end entity cert. with only one self signed CA cert or ICA? 
For reference, here are the links for XCA for anyone wondering what this is:
https://www.hohnstaedt.de/xca/
https://www.hohnstaedt.de/xca/index.php/documentation/stepbystep
The above documentation suggests the CRL info being added to both a CA and a CA signed host cert. That’s what leads me to think they should all have the CRL info added but referencing a distinct file location that relates to the CA that signed it.
Appreciate if you or whomever can clarify the points I’ve raised please…
