Certificates: How to create CA or import CA

I’m trying to create a CA on RouterOS 6.15.

I’ve read the instructions on http://wiki.mikrotik.com/wiki/Manual:Create_Certificates , but don’t know what to put for ca-crl-host.
As such, I can’t create the CA… (putting the local address gives me “wrong CA key usage with CRL”. )

So I created certificates with Easy-RSA and imported them, but the results are not what they need to be:

Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, 
I - issued, R - revoked, E - expired, T - trusted 
 #          NAME   COM.. SUBJECT-ALT-NAME                                   FIN..
 0        T cert_1 ca    email:admin@shpe1                                  97f..
 1 K      T cert_2 mik.. email:admin@shpe1                                  171..

As you can see, cert_1 isn’t marked as authority (cert_2 is the server certificate).
Also, why can’t I change the names of the entries?

How can I do this properly so I can sign certificates from the router and have them where I need them right away, instead of keeping a store where I don’t want/need it and having to upload the files?

Many thanks!

I gave up on signing on the router itself, since it didn’t seem like I could export the key for clients.
Keys generated by EasyRSA 2.x didn’t seem to get recognized properly either (cf. the CA didn’t get recognized as an authority), but success with EasyRSA 3.x: I imported the CA certificate and signed a CSR created for the router, and now have a functioning authority and server certificate on the router!

Anyway, as usual: you spend a lot of time looking for a solution, and as soon as you ask for help somewhere, before anyone can respond, you find the solution!

This creates the CA. Simply replace the fields in red or violet (shown here as <placeholders>) with the right value; do not touch the others.

If you use spaces, remember to put the string between “” (double quotes).

The syntax is only for 6.7+; on 5.x or pre-6.7 versions I do not know if it works.

/certificate add name=self-signed-certificate common-name=<common-name> country=<it> days-valid=<365> key-size=2048 locality=<locality> organization=<organization> state=<state> trusted=yes unit=<organization-unit> subject-alt-name=DNS:<my.local.net>,IP:<192.168.0.101>,email:<my@email.it> key-usage=digital-signature,key-cert-sign,crl-sign;
/certificate sign template=self-signed-certificate ca-crl-host=<192.168.0.101> name=<common-name> ca-on-smart-card=no;

THE TWO <common-name> FIELDS (IN VIOLET) MUST BE EQUAL.

After that you can create and sign your own certificates with any key-usage you want.

You need crl-sign in key-usage if you want to use CRL.

Wiki example is fixed, too.

As for not being able to export the key for the client: when exporting you need to specify a passphrase; it can be seen in the wiki example
http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_on_RouterOS

If you do not specify a passphrase, then the private key is not exported.

Thanks guys, really appreciated!

Now that we’re on the topic, is there a way to tag the certificate as a server certificate so that it contains nsCertType=server?

Adding tls-server to key-usage does not seem to do the trick, because the OpenVPN client with ‘ns-cert-type server’ still complains that it is missing.

Wouldn’t this be something worth adding to the wiki as well or is this so common that I should have known that it doesn’t export the key without a passphrase?

The manual has this noted in the command description:

http://wiki.mikrotik.com/wiki/Manual:System/Certificates#General_Menu

export - Export certificate to file. When export-passphrase is specified, certificate will be exported with encrypted key.


Now that we’re on the topic, is there a way to tag the certificate as a server certificate so that it contains nsCertType=server?

You can set key-usage tls-server and tls-client
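The whole flow this thread pieces together (create the CA, sign a server and a client certificate with it, export with a passphrase so the private key comes along), as an added example that is not the posters’ commands or MikroTik’s own documentation. The names, addresses and passphrase are constructed; the ca= parameter of /certificate sign and the export-certificate command with export-passphrase are assumed from RouterOS 6.x usage, and the CA step keeps the 6.7-era template= form used above (later 6.x builds take the template name as the first argument instead).

```routeros
# Added example, not from the thread. Constructed values: my-ca, router.example.lan,
# 192.168.0.101, client1 and the passphrase; replace them with your own.
# Assumed from RouterOS 6.x usage: sign ... ca=<name> and export-certificate ... export-passphrase=

# 1. CA template. key-cert-sign + crl-sign is what makes RouterOS mark the
#    result as an authority (flag A); trusted=yes makes the router trust it (flag T).
/certificate add name=my-ca-template common-name=my-ca country=IT days-valid=3650 key-size=2048 trusted=yes key-usage=digital-signature,key-cert-sign,crl-sign

# 2. Self-sign the CA. ca-crl-host is the address the CRL distribution point will
#    name; the router's own address is the usual choice.
/certificate sign template=my-ca-template ca-crl-host=192.168.0.101 name=my-ca

# 3. Server certificate template. tls-server sets extendedKeyUsage serverAuth.
/certificate add name=vpn-server-template common-name=router.example.lan days-valid=365 key-size=2048 subject-alt-name=DNS:router.example.lan,IP:192.168.0.101 key-usage=digital-signature,key-encipherment,tls-server

# 4. Sign it with the CA (ca= selects the signer instead of self-signing).
/certificate sign template=vpn-server-template ca=my-ca name=vpn-server

# 5. Client certificate: same pattern, tls-client instead of tls-server.
/certificate add name=vpn-client1-template common-name=client1 days-valid=365 key-size=2048 key-usage=digital-signature,tls-client
/certificate sign template=vpn-client1-template ca=my-ca name=vpn-client1

# 6. Export. Without export-passphrase only the certificate is written to Files;
#    with it, the private key is written as well, encrypted under that passphrase.
/certificate export-certificate my-ca
/certificate export-certificate vpn-client1 export-passphrase="ChangeMe-ClientKey1"

# 7. Check the flags: my-ca should show K A T, vpn-server and vpn-client1 K I.
/certificate print
```

On the nsCertType question: key-usage=tls-server gives the certificate an extendedKeyUsage of serverAuth, not the Netscape nsCertType extension that OpenVPN’s ns-cert-type option inspects, which is why that client check still fails. OpenVPN’s remote-cert-tls server option validates the key usage and extended key usage bits instead, so it is the check that matches what RouterOS actually emits.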

Hi, the procedure in this thread works well, I am just not clear about two points:

  1. How to export signed CRL file to be published at public web site
  2. How to reference such a public site. The system currently accepts only an IP address, which is translated into a hardcoded reference:
    [1]CRL Distribution Point
    Distribution Point Name:
    Full Name:
    URL=http://192.168.50.1/crl/9.crl

Thanks

I am looking forward to that information too: http://forum.mikrotik.com/t/self-signed-certificates-and-crl/98965/1