how to import SSL certificate and private key

Hi!

On a web server serving https://www.example.com (just an example) I have generated a private key and got the corresponding SSL certificate from a CA. The certificate is a wildcard certificate valid for *.example.com.

Is it possible to import such an SSL certificate and the private key into RouterOS 6.29 to be used for its www-ssl service with FQDN gw.example.com (just an example)?

If anyone has done it, please describe the procedure.

– rpr.

Undoubtedly you can secure multiple sub-domains under a common CSR (Certificate Signing Request) & private key using a wildcard SSL certificate.

The common CSR & private key will work on a single server only. If you are securing your domain on multiple servers, you need to create a new CSR & private key for each server.

Make sure the sub-domain is first-level. If your domain is (www.example.com), you can secure any number of (*.example.com) sub-domains, but not (..example.com) domains.

My experience is that you can secure multiple servers with a single certificate:

On the first server:

  • generate private key
  • generate CSR with the private key (for Common Name you set *.example.com)
  • send the CSR to a CA for signing (after that you don’t need the CSR any more)
  • CA sends you the certificate file

Now, you can install this certificate on that web server (http://www.example.com).

But, you can also copy the private key and the certificate files to another web server (www2.example.com) provided that you change its configuration options accordingly.

In that way I was able to copy the certificate from Apache 2.2 on a Linux server to an Apache Tomcat 6 on a Windows server and it is working fine.

Now, I’d like to use the same certificate on the RouterOS 6.29 (gw.example.com).

– rpr.

I’ve found a solution to this – here are the steps (on RouterOS 6.29):

In Files remove old files used to install a previous certificate (certificate-request_key.pem and *.cer).

Prepare the files for the new certificate(s):

  • gw.example.com.cer – the wildcard certificate issued by your CA (e.g. GeoTrust) for the *.example.com domain you want to use on the router.
  • certificate-request_key.pem – the private key of the certificate.
  • GeoTrust_SSL_CA-G3.pem – intermediate certificate of your CA (GeoTrust SSL CA - G3 in this example) needed for validating the wildcard certificate.

Upload the files to the router root directory with Files → Upload.

Import the certificate(s) from the files with the following command:

> /certificate import
passphrase: ********
     certificates-imported: 2
     private-keys-imported: 1
            files-imported: 3
       decryption-failures: 0
  keys-with-no-certificate: 0

Run the following command and note the names of the imported certificates:

/certificate print detail

The intermediate certificate may be named as ca_8 and the certificate you will actually use for SSL may be named as cert_9.

Through the web interface select the new certificate:
IP → Services → www-ssl → Certificate: cert_9 → OK

Make sure the new certificate is used on the web-interface (you may need to restart the web browser).

Hope this helps.
– rpr.
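
A pre-upload check for the three files prepared in the steps above, as an added example that is not part of the original thread: it confirms on the Linux web server that the private key belongs to the certificate, that the intermediate actually issued it, and that the wildcard covers the router's FQDN. The function name `check_bundle` is hypothetical, and the script assumes an OpenSSL command-line tool (1.0.2 or later) is installed.

```shell
#!/bin/sh
# check_bundle CERT KEY INTERMEDIATE HOST   (hypothetical helper, added example)
# Returns 0 only when all three checks pass; prints the failing check otherwise.
# If the key file is passphrase-protected, openssl prompts for the passphrase.
check_bundle() {
    cert=$1 key=$2 inter=$3 host=$4

    # 1. The key must be the one the certificate was issued for:
    #    extract the public key from each and compare them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2
        return 1
    fi

    # 2. The intermediate must have signed the certificate.
    #    -partial_chain lets the intermediate act as trust anchor,
    #    so the CA's root is not needed for this local check.
    if ! openssl verify -partial_chain -CAfile "$inter" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate was not issued by $inter" >&2
        return 1
    fi

    # 3. The wildcard must cover the router's name. A wildcard matches
    #    exactly one label: gw.example.com yes, a.b.example.com no.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
            grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $host" >&2
        return 1
    fi

    echo "OK: key, chain and host name are consistent for $host"
}

# Run directly with the file names used in this thread, e.g.:
#   sh check_bundle.sh gw.example.com.cer certificate-request_key.pem \
#       GeoTrust_SSL_CA-G3.pem gw.example.com
if [ "$#" -eq 4 ]; then
    check_bundle "$@"
fi
```

A failure in the first check would otherwise surface on the router only as an import that reports a certificate without its private key.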