How to Self-Sign SSL Certificate and Activate HTTPS

RouterOS General
1

Had to dig through a few forums to figure this out.

On MikroTik, create the certificate template and a request

/certificate add name=SSL common-name=SSL key-size=2048
/certificate create-certificate-request template=SSL key-passphrase=mypassword123

You’ll have to use “mypassword123” for the rest of the password prompts.

Copy these files from your MikroTik to a Linux server:

certificate-request.pem
certificate-request_key.pem

You can copy them through the web interface in the Files menu, Winbox, WinSCP (SSH), Tunnelier (SSH), Filezilla (FTP), etc.

On the Linux server navigate to the folder where the files are located via terminal

openssl rsa -in certificate-request_key.pem -text > certificate-request2.pem
openssl x509 -req -days 9999 -in certificate-request.pem -signkey certificate-request2.pem -out mikrotik_ssl.crt

You can probably do the openssl portion on Windows instead of Linux, but I haven’t tried. Go here for Windows binaries:
http://slproweb.com/products/Win32OpenSSL.html

Back on the MikroTik

/certificate import file-name=mikrotik_ssl.crt
/certificate import file-name=certificate-request2.pem

Now print the certificate info to see the name of the imported cert for the final step

[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME                  COMMON-NAME               SUBJECT-ALT-NAME                                            FINGERPRINT
 0          SSL                   SSL
 1 K      T cert_2                SSL                                                                                   c214f22faa344c8750d8ba...

Finally, set the www-ssl service to use the certificate

/ip service set www-ssl certificate=cert_2

Enjoy!

2

Hello,
works great on RouterOS v6.18
Thank you

3

The directions by quicky2g didn't work on v6.42.6.
First, the certificate to be used by www-ssl service isn't named "cert_2" but rather "mikrotik_ssl_.crt_0".
I presume this is just a copy+paste error.
Second, whatever certificate file I select for www-ssl I get this error on Firefox 61.0.1 (64-bit) for Linux with OpenSSL "1.1.0h 27 Mar 2018".

Secure Connection Failed

An error occurred during a connection to 192.168.255.252. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Any hint?

[SOLVED]
I followed the relevant wiki page.

4

Is it possible to do passwordless login via certificates?

5

For SSH - yes.

Import your SSH public key in System - Users - SSH Keys.

Only RSA keys are supported it seems (my usual preference is for 25519).

I’ve also needed this in the past in my ~/.ssh/config - until 2-3 recent version updates, RouterOS only supported HMAC SHA1. Now (6.44, 6.45) it doesn’t appear to be necessary anymore.

Host 192.168.88.*
	MACs hmac-sha1
	IdentityFile ~/.ssh/id_rsa_mikrotik
6

Very good one. Thank you! :slight_smile:

7

I still wonder why ed25519 aren’t suported yet… even dropbear supports it!