Certificate "invalid before"/"expires after" .. difference why ?

Hello
Why is there a difference between “invalid before”/“expires after” ???
See the picture … which one is right ?
Unbenannt.JPG
Richard

Let’s break it down as mentioned in wiki :

Invalid Before : The date before which the certificate is invalid.
Invalid After : The date after which the certificate will be invalid.
Expires After : Days left until certificate expires.

In this case I have 2 questions:

  1. Is this locally generated or imported certificate?
  2. Is your router's time set correctly and is it showing the precise time?

Hello

  1. Is this locally generated or imported certificate?
    It is generated locally on mikrotik router
  2. Is your router's time set correctly and is it showing the precise time?
    yes, time and date is correct

When I reboot the router, all entries are correct (also the entry “Expires After”).
Over time, the value “expires after” is no longer correct.
It's a RB4011iGS+5HacQ2HnD-IN with RouterOS 6.44.5 (Longterm)

18h later the router shows now:
Unbenannt.PNG
That’s not correct when you look at “expires after” ?!?!?!?

So my question, when the certificate will expire ?? at the date or after the days shown ?!?!?!?

Richard

Check it in command mode or maybe Webfig. Winbox has known bugs in date/time handling that MikroTik won’t fix.

Same thing in webfig:
Unbenannt.PNG
Screenshot is about 2 hours later … and the time in mikrotik for the certificate has about 4,5 hours passed ???

Richard

Here is a screenshot of the client certificate on the LtAP (generated on the RB4011 and imported in the LtAP)
Unbenannt.JPG
The 26 Dec. is not in 6 days ?!?!??!!?!?

Richard

Please send us a generated supout.rif file from the device and, if it is possible, a certificate that's generated and exhibits this kind of issue to support@mikrotik.com.

ok i can send you the supout.rif and the webfig certificate (same issue there)
But i need an urgent info if the expire date is the right one or the day counter !
Richard

That is the behavior typical in winbox. Date/time running forward in the future because some offset is doubled or so.
(e.g. "last time up" or "last time down" in interface statistics is a date in the future)
Did not know it could affect webfig too. Try it in command mode.

in terminal the details are right:

…invalid-before=dec/02/2018 11:10:42 invalid-after=dec/02/2019 11:10:42 expires-after=6w2d23h8m21s
6w = 6weeks .. right ?

so it’s a webfig/winbox problem ???

@krisjanisj
do you still need supout + cert ?

Richard
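The terminal line quoted above can be cross-checked offline: `invalid-after` minus `expires-after` gives the clock reading the counter was computed from, which should match the router's date/time. This is an added example, not part of the original thread and not MikroTik code; the function names, the tolerance and the clock value are assumptions, and the sample is the line from the post without its elided prefix.

```python
import re
from datetime import datetime, timedelta

# Sample input: the terminal line quoted in the thread (elided prefix left out).
SAMPLE = ("invalid-before=dec/02/2018 11:10:42 "
          "invalid-after=dec/02/2019 11:10:42 expires-after=6w2d23h8m21s")
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}

def parse_fields(line):
    """Split 'key=value key=value'; a value may contain a space (dates do)."""
    return dict(re.findall(r"([a-z-]+)=(.*?)(?= [a-z-]+=|$)", line.strip()))

def parse_ros_date(text):
    """Parse the date form shown in the thread, e.g. 'dec/02/2019 11:10:42'."""
    m = re.fullmatch(r"([a-z]{3})/(\d\d)/(\d{4}) (\d\d):(\d\d):(\d\d)", text.lower())
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised date: {text!r}")
    day, year, hh, mm, ss = map(int, m.groups()[1:])
    return datetime(year, MONTHS.index(m.group(1)) + 1, day, hh, mm, ss)

def parse_ros_duration(text):
    """Parse a duration such as '6w2d23h8m21s' into a timedelta."""
    if not re.fullmatch(r"(\d+[wdhms])+", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum((timedelta(**{UNITS[u]: int(n)})
                for n, u in re.findall(r"(\d+)([wdhms])", text)), timedelta())

def check_counter(line, clock, tolerance=timedelta(minutes=5)):
    """Return (implied_clock, skew, consistent).

    implied_clock is invalid-after minus expires-after, i.e. the "now" the
    counter was computed from. The signed invalid-after date is the reference;
    a large skew means the displayed counter (or the clock) is off.
    """
    f = parse_fields(line)
    implied = parse_ros_date(f["invalid-after"]) - parse_ros_duration(f["expires-after"])
    skew = implied - clock
    return implied, skew, abs(skew) <= tolerance

if __name__ == "__main__":
    # Assumed clock reading (constructed); use the router's actual date/time.
    clock = datetime(2019, 10, 18, 12, 0, 0)
    implied, skew, ok = check_counter(SAMPLE, clock)
    print(f"counter implies now={implied}, skew={skew}, consistent={ok}")
```

Both timestamps are treated as being in the same time zone as the clock value passed in.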

Yes, please provide us with the supout.rif and certificate to support@mikrotik.com

@krisjanisj
mail sent
regards Richard

btw .. is there a way to extend the certificate in routerOS ? … or is the only way to make a new one with longer term ?

Richard

Certificate validity is baked into the certificate itself, so it's not possible to extend it (in the verbatim sense).
However, when using some proper certificate tools (e.g. openssl tools on linux), it is possible to issue a new certificate (it'll have a different serial number) based on the same private key and request file, so the certificate will be identical to the old one except for serial number and validity data. Probably that's not possible when using ROS to do it though. And the benefit of not creating a new private key is questionable at best (why miss the opportunity to create a key with a safer algorithm ...)...