Importing a pem certificate

When a pem certificate is imported that holds the ca, crt and the private key (client.pem), the key is not handled/recognised.

When the pem without the key (client_wokey.pem) is imported and after that the private key (client.key), this is handled without a problem.

It would be great if the client.pem would be handled without this problem.
The pass phrase is “test”, as it’s just a test certificate.
certs.tar.gz (5.57 KB)

The following workaround usually works for me. Just try importing the same combined (cert+key) .pem file twice. It’ll import the certificate on the first try and then the key on the second try.

RouterOS cannot store just keys; it stores certificates and adds the key when available. This is what happens if you import client.pem:

  1. Private key → no matching certificate → ignored
  2. Certificate → imported
  3. Certificate → imported

Then on second import:

  1. Private key → matching certificate found → imported
  2. Certificate → already available → ignored
  3. Certificate → already available → ignored

But this is easy to fix: the PEM file has to contain the certificate and key blocks in the correct order, certificates first, keys last. Then import works in one go:

  1. Certificate → imported
  2. Certificate → imported
  3. Private key → matching certificate found → imported

Make sure the file looks something like this:

-----BEGIN CERTIFICATE-----
MIIFIjCCA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFfTC...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1B58971ECA6D3DD4

Qv2MUB2odq...
-----END RSA PRIVATE KEY-----
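
The reordering described in the reply above, as an added example that is not part of the original thread: a Python script that moves private-key blocks behind the certificate blocks while leaving each block's content (including the Proc-Type/DEK-Info headers of an encrypted key) untouched. The function names and the sample PEM bodies are constructed for illustration; pass a file path as the first argument to process a real bundle.

```python
import re
import sys

# One PEM block: BEGIN line, body (which may carry Proc-Type/DEK-Info
# headers for an encrypted key), and the END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample in the problematic order (key first); bodies are placeholders.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQta2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2xpZW50
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2E=
-----END CERTIFICATE-----
"""

def split_blocks(pem_text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(pem_text)]

def rank(label):
    # Certificates first, private keys last, anything else in between.
    if label == "CERTIFICATE":
        return 0
    if label.endswith("PRIVATE KEY"):
        return 2
    return 1

def reorder(pem_text):
    """Rebuild the bundle with certificates first and private keys last."""
    blocks = split_blocks(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    ordered = sorted(blocks, key=lambda b: rank(b[0]))  # stable: keeps cert order
    return "\n".join(text for _, text in ordered) + "\n"

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(reorder(data))
```

The output still contains the private key, so redirect it to a file with restrictive permissions rather than to a shared location.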