All - I’ve been reading threads and wikis for the past 2 days and just cannot find how to install a legitimate SSL certificate onto a RB750GL router. I believe it has to do with the creating/installation of the KEY file. I’m currently running v6.19 - it has been a stable load for me but I’m willing to upgrade if necessary. The network solution I’m deploying is using the RB750 as a Hotspot server for unauthorized wireless clients (on a specific VLAN) which are redirected to an external portal page for credentials and authentication. I have it working great for users with regular HTTP default browser page, but I want to enable HTTPS on the Hotspot service so that it will also accept and redirect clients that have HTTPS as a default browser homepage. I’m well aware of the issue of redirecting a user expecting a signed HTTPS certificate say from Google to a different, but fully verified Hotspot server (I expect the client to see the SSL Warning page - but they can then proceed to the different site which is the Mikrotik Hotspot page).
I ordered a certificate from Comodo, and when I couldn’t get that to work correctly I ordered another certificate from RapidSSL, but got the same results. What I feel may be the problem is that after I do the CSR creation via
> /certificate create-certificate-request template=MKtemplate key-passphrase=passphrase123
I created the MKtemplate with all the proper options populated including the common-name being set to a real subdomain name that my company owns. Now when I do this I get the CSR = certificate-request.pem; it also creates a key file named certificate-request_key.pem.
The Certificate Authorities do not request my key file. The CSR I created is validated by them and they issue me my real SSL certificates. I upload them to the RB750 and then IMPORT them via the /Certificates menu, but the actual SSL certificate (not intermediates) imports with the LT flag, but I believe it needs to be KLT - is this correct??? When I try to import the key file either as its original format as certificate-request_key.pem, it doesn’t apply. If I change it to a new file as “SSLkey.key” file, that doesn’t import either. Or am I wrong and I don’t need to import the key file? I just have not been able to correctly key word the search engine to find the answer here on the forums…LOTS of if I create my own certificate via a Linux machine using openssl tools…but I’m not creating my own - I’m trying to install a legit CA one.
If I try the Hotspot with these certificates from Comodo or RapidSSL, and enable HTTPS on the Hotspot server and enable www-ssl under /IP/Services, I get invalid SSL message from clients even on a HTTP homepage. Firefox browsers give me the SSLv3 vulnerability error message and I can’t even continue further.
Need to fix this today. Sorry if the answer is right under my nose. Thanks for the guidance to fix this in advance!
Have you tried giving the CA just the “_key.pem” file instead of just the non “_key.pem” file? Does it error or what?
Also, doesn’t the CA’s site have their own form for making certificate requests that would then be signed? If they do, I’d suggest you use that, instead of creating your own CSR.
Or maybe make the CSR with OpenSSL instead… Basically, do those same procedures, minus the signing part, which you’d leave to the CA.
Thanks boen-robot for the inputs. All the CA providers I’ve been to require you to input the actual CSR of the server you need the certificate for - they do not have any tools to create a CSR for my device that I saw. I am pretty certain the _key.pem file if used as the CSR would fail (you can verify this on the sslchecker web tools).
this created 2 files that are important
certificate-request_key.pem
certificate-request.pem
FTP the copy of certificate-request.pem to your local machine. Open it, and this is what you will provide RapidSSL. Once you complete the authorization steps and receive the certificate file, upload it to your router.
I have the same problem.
I have purchased COMODO SSL. Installation has been completed, and now I have the KLT flag,
but when a user tries to open any https://anyDomain.com through the Hotspot, they face the red message…
Resurrecting this SSL certificate thread due to needing to renew my (real) SSL certificate for my Mikrotiks. It has been a year with success using a RapidSSL cert, but now have created a new one with 3-year duration and used a PositiveSSL from Comodo. This cert package includes four certificates: the main certificate, a Root cert and two Intermediate certs. You can essentially follow mfarris’ steps below to install them, but with one modification/correction to get the primary certificate to be key verified (the “K” label will show on the initial “LT” status label): I had to also include my password when I imported my …key.pem file:
Hello,
For me the final solution with my Comodo certificate was to add the address of the Comodo certificate server to the walled garden:
allow *.comodoca.com
Hope this will help.
Best regards
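
Added example, not part of any post in this thread: the LT versus KLT question above comes down to whether the router holds the private key matching the issued certificate, and a later post reports that the key only imported once its passphrase was supplied. The script below checks both points on a workstation with OpenSSL; cert.pem, other_key.pem, the host name and the self-signed stand-in certificate are constructed, while the key file name and passphrase reuse the ones quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): run on a workstation with OpenSSL,
# against copies of the files fetched from the router.

# True when the PEM private key is passphrase-protected. Covers PKCS#8
# ("ENCRYPTED PRIVATE KEY") and the traditional "Proc-Type" header form.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# cert_matches_key CERT KEY PASSPHRASE
# 0 = certificate and key hold the same public key, 1 = different keys,
# 2 = a file could not be read (for example, wrong passphrase).
cert_matches_key() {
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Constructed fixtures: an encrypted key, a self-signed certificate standing
# in for the CA-issued one, and an unrelated unencrypted key.
make_demo() {
    openssl genrsa -aes256 -passout pass:passphrase123 \
        -out "$1/certificate-request_key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -subj "/CN=hotspot.example.com" \
        -key "$1/certificate-request_key.pem" -passin pass:passphrase123 \
        -out "$1/cert.pem" 2>/dev/null
    openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && make_demo "$dir" || return 1
    key="$dir/certificate-request_key.pem"
    key_is_encrypted "$key" && echo "key is encrypted: import needs the passphrase"
    cert_matches_key "$dir/cert.pem" "$key" passphrase123 && echo "cert matches key"
    cert_matches_key "$dir/cert.pem" "$key" wrong || echo "wrong passphrase: rc=$?"
    cert_matches_key "$dir/cert.pem" "$dir/other_key.pem" "" || echo "other key: rc=$?"
    rm -rf "$dir"
}
demo
```

A return code of 1 means the certificate was issued for a different key pair than the one on hand; 2 with an encrypted key usually means the passphrase is wrong.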