Command docs for certificate/enable-ssl-certificate

I have followed the general docs and also looked at the terminal output for the command's options, but they have not helped much.

Is there a full set of docs covering sub-menu /certificate/enable-ssl-certificate similar to for example, the SSH server docs?

Although I’ll do a follow-up post (unless somebody answers it here), the detail I am after is if it is possible to specify multiple hostnames within an ACME certificate request.

I wish to address my router by multiple names. One example use case here, is targeting SSTP by different names for different purposes, allowing me to migrate away just one of those SSTP use cases elsewhere via DNS, whilst retaining the other and all done transparently to the user. In this case, it’s clear the certificate offered must have multiple applicable SAN entries on it.

Thus, does the enable-ssl-certificate allow for multiple names, and if so, are there example commands?

I’m not sure what your question is, but I’ll try.

Generally, certificates are allowed to have more than one Subject-Alt, in fact it’s quite common, and frequently they include both fqdn and ip type SANs. Mikrotiks can send these along nicely.

There may be another issue, where you would like to send different certificates (or chains) based on SNI. Maybe others can be of help here, but I’m not sure Mikrotik’s web server supports this. (I would venture to assume in fact that it doesn’t.)

enable-ssl-certificate is indeed not very well documented. However, this refers to another matter altogether: getting and renewing Let’s Encrypt certs automatically by the router itself. I don’t really think it was meant to support more involved scenarios.

Thanks.

I’m not looking to worry about it returning specific chains based on the likes of SNI. I’m happy for it being capable of only returning the one certificate.

My focus relates to how to generate such a single certificate using enable-ssl-certificate, that contains two or more SAN entries. I’ll not get into the possibility of using wildcard certs (even if it could simplify things, or if it is even possible), I’m just after two or more SAN entries.

Thus that is the question, how do I structure a command that would fulfill that?

I’m assuming from the fact you indicate it may be possible, that specifying multiple dns-name values against the command will allow for multiple SAN entries in the single requested certificate?

Seriously, use google.

Let’s Encrypt supports this fully (up to 100 subdomains/cert, so really fully): https://community.letsencrypt.org/t/can-i-use-letsencrypt-in-more-than-one-subdomain/16588

I have no idea whether Mikrotik’s built-in ACME client goes along with this. Try it?

100% docs could be improved.

It should allow it via the dns-name= option:

/certificate/enable-ssl-certificate dns-name=myddns.example.com,snXXXXXXXX.mynetname.net

which worked on 7.20beta. You can include MikroTik’s name as well if you want. And while I didn’t test more than two, dns-name= is a comma separated list.

Now the catch – I believe – is you must use the DNS on port 80 authentication. There are some newer ACME methods supported but – I believe – they only apply if you’re using the built-in DDNS name. Or that’s what I found in a quick test, on beta version. But if you open port 80 (/ip/services enable www) & in /ip/firewall too, before running enable-ssl-certificate then Let’s Encrypt can verify you “own” the IP being registered. But it does that via port 80 on RouterOS.
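The full sequence the post above describes, written out as an added example (not commands taken from the thread or from MikroTik's docs): open TCP/80 only for the validation window, request one certificate with two SAN entries, verify, then close the path again. The hostnames and the rule comment are placeholders, and the subject-alt-name filter in the check assumes RouterOS v7's certificate property names.

```routeros
# Added example: one Let's Encrypt certificate with two SAN entries via
# /certificate/enable-ssl-certificate, exposing port 80 only while the
# ACME HTTP-01 validation runs. Hostnames are placeholders; both must
# already resolve to this router's public address before step 3.

# 1. The plain HTTP service must answer on port 80; that is what the
#    HTTP-01 validation relies on.
/ip/service/set www port=80 disabled=no

# 2. Accept TCP/80 on the input chain for the duration of the request.
#    Let's Encrypt validates from many addresses, so the rule cannot be
#    narrowed by source; it goes to the top of the filter table and is
#    tagged so it can be removed by comment afterwards.
/ip/firewall/filter/add chain=input protocol=tcp dst-port=80 action=accept \
    place-before=0 comment="ACME-HTTP01-temp"

# 3. Request a single certificate. dns-name= is a comma separated list and
#    every listed name becomes a SAN entry on that one certificate.
/certificate/enable-ssl-certificate dns-name=vpn-a.example.com,vpn-b.example.com

# 4. Confirm the issued certificate carries both names in its SAN list.
/certificate/print detail where subject-alt-name~"vpn-a.example.com"

# 5. Close the validation path again. Automatic renewal will need port 80
#    once more, so either re-open it before expiry or leave this step out
#    and accept the standing exposure of the www service.
/ip/firewall/filter/remove [find comment="ACME-HTTP01-temp"]
/ip/service/set www disabled=yes
```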