How to back up router configuration including SSL certificates

Hi!

We use a RB750GL with RouterOS 6.30 in production and also got another spare RB750GL (upgraded to RouterOS 6.33) for the case of hardware malfunction of the first one. We would like to copy the configuration from the production router to the spare one so that the production router can be quickly replaced with the spare one.

The production router is accessible only via HTTPS and has some SSL certificates installed.

I created a system backup on the production router and restored the backup on the spare router, but after that I cannot access it: the web browser reports that there is a problem establishing an HTTPS connection with the router.

I have a feeling that the system backup created on the production router does not include the SSL certificates, and without the certificates an HTTPS connection cannot be established.

Does anyone know whether the SSL certificates are included in a system backup or whether they have to be copied separately from one router to another? On http://wiki.mikrotik.com/wiki/Manual:Configuration_Management I can’t find anything regarding this question.

– rpr.

Backups are valid only for a given router with a given RouterOS version.

You should do a configuration export from the CLI for a ROS version/router model “neutral” configuration backup.

Not sure about certs, open a Terminal and issue

/export file=RouterBackup

Transfer the RouterBackup.rsc file to your desktop and examine it (it’s a plain text file). Does it have the certs? If not, you’ll have to back them up specifically.

rpr,
Backup and Restore Certificates
Backup Mikrotik config to Subversion/SVN repository via SSH

After some testing I can conclude that certificates don’t work even when you restore the system backup to the router with the same hardware and RouterOS version, which is an old issue that should be fixed, IMHO.

After the restore you have to import the SSL certificate again. Usually you have to upload and import 3 files: private key, the SSL certificate signed by the CA intermediate certificate, and the CA intermediate certificate:

/certificate import
passphrase:
     certificates-imported: 2
     private-keys-imported: 1
            files-imported: 3
       decryption-failures: 0
  keys-with-no-certificate: 0

Then you can configure the www-ssl service to use the certificate.

The configuration export is useless in this regard as it contains neither certificates nor user configuration of the router.

– rpr.
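
Added example, not part of the original posts and not MikroTik code: when a spare router is re-provisioned by script, the summary printed by /certificate import (as quoted in the post above) can be checked before www-ssl is pointed at the certificate. The meaning given to each counter is an assumption inferred from its name, and BAD_SUMMARY is constructed sample output.

```python
import re

# Counter names as they appear in the /certificate import output quoted in the thread.
COUNTERS = ("certificates-imported", "private-keys-imported", "files-imported",
            "decryption-failures", "keys-with-no-certificate")

def parse_import_summary(text):
    """Return {counter: int} from the text printed by /certificate import."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+):\s*(\d+)\s*$", line)
        if m and m.group(1) in COUNTERS:
            found[m.group(1)] = int(m.group(2))
    return found

def import_problems(text, expected_files=3):
    """List reasons the import is not usable for HTTPS (empty list means OK)."""
    s = parse_import_summary(text)
    missing = [c for c in COUNTERS if c not in s]
    if missing:
        return ["summary incomplete, missing: " + ", ".join(missing)]
    problems = []
    if s["files-imported"] != expected_files:
        problems.append("expected %d files, router imported %d"
                        % (expected_files, s["files-imported"]))
    if s["private-keys-imported"] < 1:
        # Assumption: without a private key the certificate cannot serve TLS.
        problems.append("no private key imported")
    if s["decryption-failures"] > 0:
        # Assumption: a non-zero value points at a wrong key passphrase.
        problems.append("decryption failure, check the passphrase")
    if s["keys-with-no-certificate"] > 0:
        # Assumption: a key was imported that matches none of the certificates.
        problems.append("private key does not match any imported certificate")
    return problems

# Output quoted in the thread (successful import of 3 files).
GOOD_SUMMARY = """passphrase:
     certificates-imported: 2
     private-keys-imported: 1
            files-imported: 3
       decryption-failures: 0
  keys-with-no-certificate: 0
"""
# Constructed sample: same layout, key file could not be decrypted.
BAD_SUMMARY = GOOD_SUMMARY.replace("private-keys-imported: 1", "private-keys-imported: 0") \
                          .replace("decryption-failures: 0", "decryption-failures: 1")

if __name__ == "__main__":
    print(import_problems(GOOD_SUMMARY), import_problems(BAD_SUMMARY))
```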

Undigging an old thread.

I restored a configuration on one of my HAP AC^2 devices, and the locally generated cert and its CA, which were both valid until 2028, are now expired since 2011.

Why is that?