Certificate Key Import not possible on v7.7

Hello,

Starting with RouterOS 7.7 I am not able to import a certificate key. The certificate is created with EasyRSA, which we have been using for a long time. I can import the certificate successfully but not the key. With ROS 7.6 it works without any problems.
I got no error; it does nothing.
There are changes to certificate import in the changelog. Could it be a bug? How can I find out where the problem is?

Tell me if you need some more details.

Thanks a lot!

Best regards
Frank

Hi,

I have the same issue too. :frowning:

Regards

What kind of algorithms do you use? Starting from RouterOS v7.7 some of the very old mechanisms, for example the pkcs#7 encryption method “pbeWithSHA1And40BitRC2”, are not supported, since nowadays they cannot be considered “secure”.

Hi,

thanks for your reply. We are using “sha256RSA”.

Best regards
Frank

Works for me… So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?

I can, but tell me what you need. If it’s not clear, we have no issues with the certificate, only with the Key.

We were seeing the same problems with certificates generated by EasyRSA. Up to v7.6 no issues; starting with v7.7 they refuse to import. The output is:

> /certificate import file-name="test.p12" name="test" passphrase=1234
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 1
  keys-with-no-certificate: 0

EasyRSA uses OpenSSL to generate the p12 files with the default PKCS#12 algorithms. This gives:

# openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
    friendlyName: my test
subject=/CN=test
issuer=/CN=test CA

As stated above pbeWithSHA1And40BitRC2-CBC is no longer supported in v7.7. The solution is to change the ciphers in the OpenSSL pkcs12 export:

$ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES ....
$ openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44 
    friendlyName: my test
subject=/CN=test
issuer=/CN=test CA

For EasyRSA you can set this on the appropriate line of the easyrsa script:

pkcs_opts="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
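The `openssl pkcs12 -info` output above is the authoritative way to see which PBE scheme a .p12 uses. As an added example (not MikroTik, EasyRSA or OpenSSL code), the script below does the same check offline in pure Python: it walks the DER of a PKCS#12 file, collects the algorithm OIDs, and flags pbeWithSHA1And40BitRC2-CBC so a file can be caught before it is uploaded. The OID-to-name table uses OpenSSL's long names, the nested-OCTET-STRING layout is assumed from OpenSSL's PFX writer, and `sample_p12()` together with its salt and dummy ciphertext is a constructed stand-in used only so the checker can be exercised without a real file.

```python
"""Report the password-based-encryption (PBE) algorithms a PKCS#12 file uses,
without decrypting it, so a legacy cipher can be caught before the file is
handed to RouterOS.  Added example (standard library only); not MikroTik or
OpenSSL code.  Assumes OpenSSL's PFX layout: nested DER inside OCTET STRINGs."""
import sys

# OID -> OpenSSL long name for the PBE schemes discussed in the thread.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",   # refused by 7.7+
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",                          # modern (AES)
}
LEGACY_OIDS = {"1.2.840.113549.1.12.1.6"}

def decode_oid(body: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; None if not well-formed."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return None if pos + length > len(buf) else (tag, buf[pos:pos + length], pos + length)

def collect_oids(buf: bytes):
    """All OIDs in buf, descending into constructed types and into OCTET
    STRINGs that carry DER; None if buf is not a clean run of DER elements."""
    out, pos = [], 0
    while pos < len(buf):
        tlv = read_tlv(buf, pos)
        if tlv is None:
            return None
        tag, body, pos = tlv
        if tag & 0x20:                                  # SEQUENCE, SET, [0]
            inner = collect_oids(body)
            if inner is None:
                return None
            out.extend(inner)
        elif tag == 0x06:                               # OBJECT IDENTIFIER
            out.append(decode_oid(body))
        elif tag == 0x04 and body[:1] == b"\x30":       # OCTET STRING holding DER
            out.extend(collect_oids(body) or [])
    return out

def pbe_algorithms(p12: bytes) -> dict:
    """Map each PBE OID present in the file to its name."""
    return {o: PBE_OIDS[o] for o in (collect_oids(p12) or []) if o in PBE_OIDS}

def legacy_pbe(p12: bytes) -> list:
    """OIDs of the legacy schemes a RouterOS 7.7+ import would reject."""
    return sorted(o for o in pbe_algorithms(p12) if o in LEGACY_OIDS)

# Constructed sample: a PFX skeleton with dummy ciphertext, so the checker can
# be exercised offline without OpenSSL.  der()/oid() are minimal DER encoders.
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a >> 7:
            a >>= 7
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
        body += chunk
    return der(0x06, body)

def sample_p12(cert_pbe: str, key_pbe: str) -> bytes:
    """Mimic OpenSSL's layout: cert bags in an EncryptedData ContentInfo,
    the shrouded key bag in a plain data ContentInfo (payloads are dummies)."""
    data_oid, enc_oid = oid("1.2.840.113549.1.7.1"), oid("1.2.840.113549.1.7.6")
    params = der(0x30, der(0x04, b"salt1234") + der(0x02, b"\x08\x00"))   # 2048 iterations
    enc = der(0x30, der(0x02, b"\x00") + der(0x30, data_oid + der(0x30, oid(cert_pbe) + params)
                                              + der(0x80, b"\x00" * 16)))
    cert_ci = der(0x30, enc_oid + der(0xA0, enc))
    shrouded = der(0x30, der(0x30, oid(key_pbe) + params) + der(0x04, b"\x00" * 32))
    bag = der(0x30, oid("1.2.840.113549.1.12.10.1.2") + der(0xA0, shrouded))
    key_ci = der(0x30, data_oid + der(0xA0, der(0x04, der(0x30, bag))))
    authsafe = der(0x30, cert_ci + key_ci)
    return der(0x30, der(0x02, b"\x03") + der(0x30, data_oid + der(0xA0, der(0x04, authsafe))))

if __name__ == "__main__":           # usage: python p12check.py file.p12
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        sample_p12("1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.3")
    for o, name in pbe_algorithms(blob).items():
        print(("LEGACY " if o in LEGACY_OIDS else "ok     ") + name)
```

Run without arguments it inspects the constructed sample, which mirrors the OpenSSL default reported in the thread (RC2-40 for the certificate bags, 3DES for the key) and flags the RC2 scheme; point it at a real .p12 and an empty result means none of the listed schemes were recognised, which is a reason to fall back to `openssl pkcs12 -info`, not proof that the file is fine.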

We do not have PKCS12, we use x509 Certificate with RSA key.
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)

For me it’s working again with routeros-7.8beta3.

Thanks!

That’s good news. Looks like I found a case where it is failing for me as well… Any chance we will see this in something like version 7.7.2?

SUP-106766 private-keys-imported: 0

NETINSTALLED 7.8beta3


[admin@MikroTik] > /certificate add common-name=r1-ca days-valid=3652 key-size=prime256v1 key-usage=key-cert-sign,crl-sign name=r1-ca subject-alt-name=email:r1-ca
[admin@MikroTik] > :do {/certificate sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
  progress: done
[admin@MikroTik] > /certificate export-certificate r1-ca file-name=r1-ca export-passphrase=passphrase type=pem
[admin@MikroTik] > /certificate remove r1-ca
[admin@MikroTik] > /certificate import file-name=r1-ca.crt name=r1-ca passphrase=passphrase
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@MikroTik] > /certificate import file-name=r1-ca.key name=r1-ca passphrase=passphrase
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0

I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.

This worked for me as well!

I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Let's Encrypt, using a script that is a few years old).

I can confirm that by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled or the -descert option is used. By using -descert the resulting PKCS#12 file uses pbeWithSHA1And3-KeyTripleDES, which is (still) accepted by ROS 7.7.

Knowing that pbeWithSHA1And40BitRC2 is no longer accepted was key. A small fix in my script and voila!

I’m having the same problem. Just implemented two new MikroTiks, freshly done with netinstall to v7.8.
I’m using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and have added the “-UseModernPfxEncryption” to the certificate generation process, but I am still running into the issue.
When I import the certificate files (pfx full chain + key file) it gives me this output:

     certificates-imported: 0     
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 1

Where am I going wrong?

PS: the key file imports; it's the pfx that is now not importing (it did on previous versions).

Lets Encrypt client 0.38 le64.exe

The created crt does indeed have 2 blank lines at the very end.

That was never a problem up to 6.48.7.
Now upgraded to an RB4011 which came with factory 7.8, and these 2 lines cause the crt not to import (but also not to fail explicitly).

Once removed, the import works again. IMO that is a bug.

sebus

I could not import the root CA cert of Let's Encrypt (ISRG Root X1). In my case I had to convert the file to Unix line endings; the downloaded one had Windows line endings.

  model: RB960PGS
  revision: r2
  firmware-type: qca9550L
  factory-firmware: 6.44.6
  current-firmware: 7.10.1
  upgrade-firmware: 7.10.1

This can be done in any good editor, in my case vim:

:set fileformat=unix

to save and quit in vim:

:x

Same problem here. Will try to update to v7.11 where some certificate bugs are fixed (as mentioned in changelog).

The error that RouterOS v7.13.1 does not import a certificate with CRLF line endings (visible in the editor as ^M$) seems to persist. My *.pem file was downloaded with the Firefox browser on a Linux system.

I’ve converted line endings with vim and all is ok.
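Two separate posts above trace a silent import failure to the PEM file itself: trailing blank lines after the END marker, and Windows (CRLF) line endings. The vim commands fix one file at a time; as an added example (not MikroTik code, and not claiming these are the only things the importer rejects), the script below reports both conditions and writes a normalised copy, so a file can be checked before upload. `SAMPLE_CRLF` is a constructed file with a dummy base64 body, used only to exercise the functions offline.

```python
"""Check a PEM file for the two formatting quirks this thread reports as
silently blocking /certificate import (CRLF line endings, blank lines after
the final END marker) and normalise them.  Added example, not MikroTik code;
that the importer trips on exactly these is taken from the posts above."""
import re
import sys

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_issues(data: bytes) -> list:
    """Describe what would need fixing before import; empty list means clean."""
    issues = []
    if b"\r\n" in data:
        issues.append("CRLF line endings")
    trailing = data[len(data.rstrip(b"\r\n")):]          # newlines after last text
    blank = trailing.replace(b"\r\n", b"\n").count(b"\n") - 1
    if blank > 0:
        issues.append("%d blank line(s) after last END marker" % blank)
    if not PEM_BLOCK.search(data):
        issues.append("no PEM block found")
    return issues

def normalise_pem(data: bytes) -> bytes:
    """Convert to LF line endings and end with exactly one newline."""
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    while lines and not lines[-1].strip():
        lines.pop()
    return b"\n".join(lines) + b"\n"

def pem_labels(data: bytes) -> list:
    """BEGIN/END labels present once the file is normalised (e.g. CERTIFICATE)."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(normalise_pem(data))]

# Constructed sample: a Windows-style PEM file with a dummy base64 body and two
# blank lines after END, the same shape the thread describes.
SAMPLE_CRLF = (b"-----BEGIN CERTIFICATE-----\r\n"
               b"MIIBdummyBase64NotARealCertificate==\r\n"
               b"-----END CERTIFICATE-----\r\n\r\n\r\n")

if __name__ == "__main__":        # usage: python pemfix.py cert.crt  -> writes cert.crt.lf
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
        print(pem_issues(raw) or "clean")
        open(sys.argv[1] + ".lf", "wb").write(normalise_pem(raw))
    else:
        print(pem_issues(SAMPLE_CRLF), pem_labels(SAMPLE_CRLF))
```

The normalised copy is written beside the original rather than over it, so the file that was actually uploaded can still be compared with what the CA or client tool produced; a bundle with several blocks (for example a full chain) is handled the same way, since only line endings and the trailing blank lines are touched.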

I switched to a full chain cer+key instead of my original full chain pfx+key; this solved my issues on all versions I have tried it on (old and new).
I have not tested yet on v13.5 (or newer), but I’m confident my problem is no more.