Import and use SSL Certificate

Hi all,

To avoid the “Certificate error” message that appears when I block a website with a DNS Cloud Filter, I installed a Certification Authority on my PC, in the “Trusted Root Certification Authorities” store, and in this way I can see my personal blocked page instead of the certificate error.

Since I have to install it on different PCs of my network (I don’t have an internal Active Directory server, so I can’t use GPO), I would like to know if it’s possible using Mikrotik, since I’ve recently read that it’s possible to import an SSL certificate in the Mikrotik Security menu.

Can you also tell me what the purpose of importing the certificate into Mikrotik is?

Thanks a lot for your time and support and have a good day,

Marco

The whole certificate business is to confirm the authenticity of a user or device or web server to another user or device without them having to meet in person. So a certificate is directly or indirectly (via other certificates in a chain) signed by a root certification authority, and the recipient of a certificate can verify that fact if he has access to all the certificates in the chain. So operating systems like Windows or Android come with a pre-installed set of root certificates of different public certification authorities, and whoever presents a certificate signed by one of those authorities can use it to prove its identity (which is the subject of the certificate) without previously delivering any other information to the system.

To authenticate itself to someone else using a certificate, a device needs to have the private key of the certificate (and whoever has the private key to the certificate may impersonate the owner of the certificate).

So there should be two reasons to import a certificate: to use it to check the certificate owner’s authenticity, in which case the certificate itself (with its public key included) is sufficient, and it may be only the certificate of the issuing certification authority, not of the end certificate owner itself; and to use it to prove your own identity, in which case you need the private key.

So when you want to use a certificate to prove the authenticity of your Mikrotik, and the certificate was generated somewhere else for it, you need to import it including the private key, so you have to export it including the private key where it was generated.

When you want to use a certificate to verify the identity of someone else, it is enough to import the certificate of the root certification authority if that someone else sends you all the certificates from its own one up to the topmost one you don’t have in your certificate store. So e.g. if there is a root CA which has signed the certificate of an intermediate CA, and the intermediate CA has signed the client’s certificate, there are two options to successfully verify the client’s certificate:

  • the client sends its own certificate alone, but you have imported both the root CA’s and the intermediate CA’s certificates beforehand
  • you have imported only the root CA’s certificate, but the client sends its own certificate and the intermediate CA’s certificate

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won’t help you do anything else; if you want to do SSL MITM, the root has to be installed on all end-user devices regardless of what’s on the router.

Hi,
Meanwhile, thanks a lot for your support, I really appreciated it.

Practically, do you think it’s possible to use only the Mikrotik’s SSL certificate instead of installing it on every PC of my network?

I try to better explain my scenario:

I’m using a Cloud DNS Content Filter, so when I try to open a blocked website, the Filter returns its own public IP instead of the website’s one and, if the website uses the HTTPS secure protocol, the Filter also returns a certificate. So normally the browser shows a Certificate Error, since it expects to receive a different certificate.

To avoid this issue and to directly show the Content Filter blocked page, I installed a Certification Authority, provided by the Content Filter DNS, on my PC and it’s working correctly.

Now I would like to import this certificate on every PC of my network, but I don’t have an Active Directory server, so it would take a lot of time.

Is it possible to use Mikrotik to obtain the same result?

P.S. Sorry for my English, I hope you’ll understand everything :)

Thank you in advance and have a nice weekend,

Marco

No, it is not possible to install a root CA certificate on the Mikrotik through which a PC is connected to the internet to avoid installing that root CA certificate on each such PC individually. The remote server’s authenticity is verified by the browser on each PC, because otherwise anyone else between the server and the client could impersonate the server this way.

Hi Sindy,

OK, so I’ll start installing it on every single PC :)

So thanks again for your time and support.