Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

ipavlik · November 14, 2024, 12:19pm

Hello,

I’m facing a problem with certificate signing on RouterOS 7.16.
I have CLIENT-tpl template certificate with defined days valid attribute (e.g. 365days)
I have valid CA certificate, not expired.

I created and signed certificate with commands:

/certificate add name=vpnuser01 copy-from="CLIENT-tpl" common-name="vpnuser01"
/certificate sign vpnuser01 ca="CA" name="vpnuser01"

After signing process was done, certificate was expired with attribute values:

Invalid Before: Jan/01/1970 02:00:00
Invalid After: Jan/01/1970 02:00:00

My clock is synchronized with NTP server and time is correct.
Recently, I was generating my certificates exactly same way with no issues.
Am I facing a bug?

Thanks

carrotik · November 16, 2024, 1:15pm

You should describe what you’re trying to do. From what I understand, you’re trying to sign a client certificate from the Routers CA.

From the little I played with the Mikrotik so far, this should be working fine.
I followed the docs:
https://help.mikrotik.com/docs/spaces/ROS/pages/2555969/Certificates
and more or less copy&pasted:

/certificate
add name=CA-Template common-name=CAtemp key-usage=key-cert-sign,crl-sign
add name=Server common-name=server
add name=Client common-name=client
sign Server name=ServerCA (yes that makes no sense here in practice, testing :) )
sign Client ca=ServerCA name=testtest

print 
Flags: K - PRIVATE-KEY; A - AUTHORITY; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#     NAME         COMMON-NAME  SKID                                    
0 KAT test         test         8edeb8371f2d99b45bc78499776159852bd1c81a
1 KA  test2        test2        23220e94100e7740f7f1283965030f58fa14be0b
2     CA-Template  CAtemp                                               
3 KAT ServerCA     server       66505d111a6b5e96bdf928ca3b52884b438812de
4 KA  testtest     client       ce977beb05b8b2782a970e1a8004462b68ee6bfa

my certificate came out to be

 4 K  A    name="testtest" digest-algorithm=sha256 key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365 trusted=no key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca=ServerCA 

           serial-number="1A6A093FBDF8D2F9" fingerprint="d5c8cb725e03a281cef352f9a6c8275979b3f6a8463be2efc5079a24b494979e" akid=66505d111a6b5e96bdf928ca3b52884b438812de skid=ce977beb05b8b2782a970e1a8004462b68ee6bfa invalid-before=2024-11-16 14:04:49 

           invalid-after=2025-11-16 14:04:49 expires-after=52w23h53m29s

May help to run a

certificate print detail

carrotik

sindy · November 16, 2024, 1:39pm

It indeed looks like a bug to me. I am also signing the client certificates using a CA on Mikrotik, but using the “correct” way where the private key is generated on the client itself along with a certificate signing request, the request alone is then transferred to the CA Mikrotik and signed there using certificate sign-certificate-request, and the signed certificate gets imported back on the client first and the locally generated key next, and I haven’t experienced such a behaviour yesterday when signing a certificate request using 7.16.1. So if you can, try this way. If your client does not allow to generate certificate signing requests (many don’t), you can still use certificate create-certificate-request on the CA Mikrotik itself instead. So the private key will be generated there, and much like when you directly sign the template, you’ll be able to import the key and the signed certificate to the client (or maybe you’ll have to import the key locally and then export certificate+key in pkcs12 format if that’s the only format the client can import).

In any case, it would be nice if you could create a supout.rif file right after the certificate with wrong dates gets generated, and open a support ticket with Mikrotik. Without that, the bug can never be fixed.

downlots · November 21, 2024, 7:38am

I can also confirm this bug. I am using version 7.16.1, and I have this behavior.

The same procedure applies to another router that runs 7.15.3 and works properly, so the issue is imported in 7.16.1.

This is why I am not running the same version in all infrastructure!

jakoobcz · December 1, 2024, 6:59pm

Same story here, upgraded my Mikrotik to 7.16.2 and a freshly generated certificate is invalid.
/certificate print detail shows:
invalid-before=1970-01-01 02:00:00
invalid-after=1970-01-01 02:00:00

Currently, I can’t create a VPN connection for our new colleague. I would appreciate any help or workaround. Thanks

sindy · December 1, 2024, 8:12pm

Have you tried the procedure I have suggested in my previous post?

jakoobcz · December 4, 2024, 9:40pm

Truth be told, I’m not skilled in certificates. I’m following a setup for an OpenVPN, which creates the certificate (key) directly on the Mikrotik. However, if this doesn’t get fixed soon I might need to learn a new way (workaround).

EDIT: Reported using Mikrotik service desk (SUP-173239) with a link to this thread.

matiss · December 11, 2024, 2:13pm

Hello,

The issue is fixed in RouterOS 7.17rc versions