Generate certificate for openVPN

Hi
I am trying to learn how to work with certificates in Mikrotik routerOS 6.6 and wanted to follow the guide in the wiki, but I get the following error.

[admin@QI_main] /certificate> /certificate
[admin@QI_main] /certificate> sign template=ca-template ca-crl-host=10.5.101.16 name=myCa
expected end of command (line 1 column 27)

It is apparently the “ca-crl-host” where the problem is. According to the manual this is a read-only property, so I am confused why the guide in the wiki has this included in the command line.

Could you help explain what the problem is with this line - or has anyone found a good step-by-step guide that works?

Thanks in advance,

Pilgrim

Hi, I can only advise you to create certificates with the easy-rsa package on a PC, and then import them into your router.
There are many manuals and howtos on the net.

Thanks Romon, I tried following the video from Pascom and got close, but still no “cigar”.

https://www.youtube.com/watch?v=hbKmxu3Hk1A

I downloaded version 2.2.2 from Github and tried to create - and sign - the certificates (Windows version), and some of the steps seem very illogical, e.g. the first step is to edit vars.bat and insert the variables like country etc. However, when running the script to create the certificates, server and client, I am again prompted for all the default values I just entered into vars.bat. The prompts have the default value in square brackets, so I figured that if I just hit enter it will keep the default value.

I imported the certificates and server key file to Mikrotik and tried to connect, which did not work. Checking the client log, I found this:

feb 22 10:02:53: State changed to Connecting
feb 22 10:02:53: 1.5.3 (1300)
feb 22 10:02:53: Running on Microsoft Windows 7 Ultimate
feb 22 10:02:53: Bringing up interface…
feb 22 10:02:55: Checking reachability status of connection…
feb 22 10:02:55: Connection is reachable. Starting connection attempt.
feb 22 10:02:55: OpenVPN 2.3.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 2 2014
feb 22 10:02:55: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.06
feb 22 10:02:56: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
feb 22 10:02:56: State changed to Disconnected

I checked the howto, but could not find the answer to the above.

rgs

Hi Pilgrim, post more information about your configuration on the Mikrotik and on the client.