Export IPsec Private key

We assume that there is one main router with IPsec configured with a lot of other routers. The private key is generated locally.

If it dies and we buy another, how do we restore this generated private key so that our tunnels continue to work with the new device, without rebuilding the configuration on all the other routers with a new pub key?

Backup/restore doesn’t restore the private certificate, and there is no key export option or local file in WinBox. I know that I can buy a certificate from a trusted CA or build it somewhere else. The question is: is there some “out of the box” solution to do the trick, not using other software/services, just native MikroTik?

Any news on this?
Nice function, but without a backup function it is not fail-safe.

Regards

I assume this is by design. This way, if someone breaks into your router, (s)he will not be able to obtain your private key, thus compromising your certificate (or public key alone). This behavior is not unique to Mikrotik; Cisco ASA, for instance, does not provide any means to obtain installed private keys either.

If you need to have a backup copy of your private key, you absolutely need to generate the key elsewhere and then import it on your RouterOS device. OpenSSL tools can do that for you from the command line, or you can google for XCA (X Certificate Authority, a GUI frontend to OpenSSL key and certificate management tools) if you prefer the GUI.
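
One way to do the off-router generation described in the answer above, as an added example that is not part of the thread: it creates the key pair and a self-signed certificate with OpenSSL, writes a passphrase-encrypted backup of the key, and checks that the backup still matches the certificate. The function names, the `ipsec-gw` name, the file names, the RSA-2048 key size and the 10-year validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate the IPsec identity on an admin workstation so the
# private key can be backed up and re-imported into a replacement router.
# All names and parameters below are constructed placeholders.

# make_router_identity DIR NAME PASSPHRASE
# Writes NAME.key (plaintext, for import), NAME.crt and NAME.key.enc (backup).
make_router_identity() (
    dir=$1; name=$2; pass=$3
    umask 077                      # key files readable by the owner only
    mkdir -p "$dir" &&
    # 1. Private key is created here, never on the router.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    # 2. Self-signed certificate carrying the matching public key.
    openssl req -new -x509 -key "$dir/$name.key" -subj "/CN=$name" \
        -days 3650 -out "$dir/$name.crt" &&
    # 3. Backup copy: PKCS#8, AES-256 encrypted. The passphrase is passed
    #    through the environment so it does not show up in the process list.
    PASS="$pass" openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$dir/$name.key" -passout env:PASS -out "$dir/$name.key.enc"
)

# key_matches_cert KEYFILE CERTFILE PASSPHRASE
# Succeeds only if the (possibly encrypted) key decrypts and its public half
# is identical to the public key inside the certificate.
key_matches_cert() {
    from_key=$(PASS="$3" openssl pkey -in "$1" -passin env:PASS -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Typical use (run by hand):
#   make_router_identity ./out ipsec-gw "$BACKUP_PASSPHRASE"
#   key_matches_cert ./out/ipsec-gw.key.enc ./out/ipsec-gw.crt "$BACKUP_PASSPHRASE"
# Then upload ipsec-gw.crt and ipsec-gw.key to the router and import each one
# with RouterOS "/certificate import file-name=...". Store ipsec-gw.key.enc
# offline and delete the plaintext ipsec-gw.key from the workstation.
```

Running `key_matches_cert` against the stored backup before a hardware swap confirms that the key you are about to import is the one the peer routers already trust.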