CRL not working as expected for IPSec

As far as I know, the URL for a CRL is encoded in the actual certificate, in the case of IPsec the user’s certificate that it sends to the router for authentication. However, RouterOS doesn’t seem to consult the CRL listed in these certificates. Instead it only seems to consult the CRL of the trusted CA certificate. However, these contain the link to a list that lists revoked certificates from the parent CA and not the intermediate CA. In my opinion the RouterOS implementation is wrong. Of course I could add the CRL URL for a CA into the CA certificate, but this sounds wrong.
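To make the point above concrete, here is an added lab example using the openssl CLI; it is not code from this thread or from MikroTik/RouterOS, and the CA names, the CDP URL and the file names are all constructed. It builds a root CA, an intermediate CA and an IKEv2 client certificate whose CRL Distribution Point names the intermediate's CRL, then runs a revocation check three ways: against the issuer's CRL before revocation (accepted), against the issuer's CRL after revocation (rejected), and against only the root CA's CRL (rejected, because a CRL from the root says nothing about certificates the intermediate issued). The CRLs are signed with SHA-256 via default_md. It does not test RouterOS itself; it shows which CRL a verifier has to consult.

```shell
#!/bin/sh
# Added lab example, not from the forum thread or MikroTik: two-tier PKI
# (root CA -> intermediate CA -> IKEv2 client cert) built with openssl.
# All names, URLs and file names are constructed for the lab.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
touch index.txt index_root.txt
echo 01 > serial
echo 01 > serial_root

# Config for 'openssl ca' (one section per CA) plus the extension profiles.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = intermediate

[ intermediate ]
database         = index.txt
serial           = serial
new_certs_dir    = .
certificate      = intermediate.crt
private_key      = intermediate.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy

[ root ]
database         = index_root.txt
serial           = serial_root
new_certs_dir    = .
certificate      = root.crt
private_key      = root.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
# The client cert names its own issuer's CRL (constructed URL), not the root's.
crlDistributionPoints = URI:http://pki.lab.example/intermediate.crl
EOF

# Root CA (self-signed), intermediate CA, and the IKEv2 client certificate.
build_pki() {
  openssl req -x509 -new -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Lab Root CA" -days 365 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout intermediate.key -out intermediate.csr -subj "/CN=Lab Intermediate CA" 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out intermediate.crt -days 365 -extfile ca.cnf -extensions v3_ca 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=ikev2-client" 2>/dev/null
  openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -out client.crt -days 365 -extfile ca.cnf -extensions v3_client 2>/dev/null
  cat root.crt intermediate.crt > chain.pem
}

# Issue a fresh SHA-256 signed CRL for the named CA section (intermediate or root).
issue_crl() {
  openssl ca -config ca.cnf -name "$1" -gencrl -out "$1.crl" >/dev/null 2>&1
}

# Mark the client certificate revoked in the intermediate CA's database.
revoke_client() {
  openssl ca -config ca.cnf -name intermediate -revoke client.crt >/dev/null 2>&1
}

# Print the CDP URL carried inside the client certificate itself.
client_cdp_uri() {
  openssl x509 -in client.crt -noout -text | sed -n 's/^ *URI://p' | head -n 1
}

# Returns 0 only if openssl accepts client.crt with revocation checking against
# exactly the CRL given; "revoked" and "no CRL from the issuer" both fail.
verify_with_crl() {
  openssl verify -crl_check -CAfile chain.pem -CRLfile "$1" client.crt >/dev/null 2>&1
}

build_pki
issue_crl intermediate
issue_crl root
BEFORE_REVOKE=$(verify_with_crl intermediate.crl && echo accepted || echo rejected)
revoke_client
issue_crl intermediate   # the reissued CRL now lists the client cert
AFTER_REVOKE=$(verify_with_crl intermediate.crl && echo accepted || echo rejected)
ROOT_CRL_ONLY=$(verify_with_crl root.crl && echo accepted || echo rejected)

echo "CDP in client cert:           $(client_cdp_uri)"
echo "issuer CRL before revocation: $BEFORE_REVOKE"
echo "issuer CRL after revocation:  $AFTER_REVOKE"
echo "root CRL only:                $ROOT_CRL_ONLY"
```

The last result is the one that matters for the thread: openssl does not silently accept the client certificate when only the root's CRL is available, it reports that no CRL from the certificate's issuer could be found. A router that fetches the CRL named in the trusted root CA certificate and stops there never sees the revocation, which is the behaviour described above.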

hi all

Yep, this is actually a problem.

I have RouterOS 6.44.6, and my CA is based on the Microsoft CA service.
The IKEv2 client certificate is created by my CA and imported to MikroTik. In the certificate store on MikroTik I have my certificate and the CRL too!

The IKEv2 VPN connection works fine, but if I revoke the certificate on my CA nothing happens - the IKEv2 VPN continues to connect.
The CRL updates fine, and I see the number change in the Revoked column.

How does CRL work? Maybe I forgot something?

Anyone?

Okay folks.

I think I found how that trouble occurs.

My MS CA has SHA-1, and the CRL is not working either. But with an MS CA with SHA-256 the CRL works like a charm.

Why? I do not know why.