create certificates for ovpn are this correct?

plisken · April 29, 2019, 2:23am

Hello, i create certificates for my Mikrotik router to use OVPN

My question now is whether it can be used for all purposes or just ovpn
Are the sign KLAT, KAT correct because the wiki is different.

https://wiki.mikrotik.com/wiki/Manual:Create_Certificates
Any help is welcome

[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #          NAME    CO.. SUBJECT-ALT-NAME                                  FI..
 0 K L A  T myCa    myCa                                                   14..
 1 K   A  T server  se..                                                   37..
 2 K   A  T client1 cl..                                                   6d..
 3 K   A  T client2 cl..                                                   c1..

tdw · April 29, 2019, 8:46am

The certificates can be also used for other types of VPN or for HTTPS. The server and client certificates should not have the “A” flag - did you enter each /certificate sign command individually, or paste them from the wiki?

Be aware the Mikrotik OpenVPN client does not check certificates and is susceptible to man-in-the-middle attacks, see https://janis-streib.de/post/mikrotik-ovpn-security/ and https://www.cvedetails.com/cve/CVE-2018-10066/

plisken · April 30, 2019, 5:45am

Hello, thanks for your reply.

I have copy and paste this from the wiki from Mikrotik.

I look to the given links.

Thank you.

tdw · May 1, 2019, 11:48am

Try entering each sign command one at a time instead of pasting the whole block from the Wiki