I’m a proud new owner of a CRS326-24G-2S+RM and have been configuring it over the past 24 hours.
One thing I’ve been trying to do is configure the web server to use an SSL certificate, an actual (not self-signed) one purchased from a CA, and I just can’t figure it out.
Managed to get a CSR generated, a cert procured from the CA, loaded (I think) into the switch, and applied to the web service, as you can see below:
> /ip service print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 XI telnet 23
1 XI ftp 21
2 www 80
3 ssh 22
4 www-ssl 443 sw01_cert
5 XI api 8728
6 winbox 8291
7 XI api-ssl 8729 none
But it isn’t working; HTTPS connections fail.
sslscan against my switch’s IP:
% sslscan 10.0.0.x
Version: 2.0.9-static
OpenSSL 1.1.1k 25 Mar 2021
Connected to 10.0.0.x
Testing SSL server 10.0.0.x on port 443 using SNI name 10.0.0.x
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled
TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support
Heartbleed:
Supported Server Cipher(s):
Certificate information cannot be retrieved.
curl fails as well:
curl -svo /dev/null https://10.0.0.x/
* Trying 10.0.0.x...
* TCP_NODELAY set
* Connected to 10.0.0.x (10.0.0.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [205 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection 0
None of the documentation is especially clear about how to do this step-by-step, so I think something is not right with how I loaded the procured cert onto the switch. Any tips? Or, ideally, a quick step-by-step on how to load a proper certificate (not self-signed)?
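The two things worth verifying on the workstation before blaming the switch are that the certificate the CA returned was actually issued for the private key you hold, and that the intermediate needed to complete the chain is on hand to upload alongside the leaf. The script below is an added example (editor's, not the poster's and not MikroTik's code) that generates the key and CSR locally with OpenSSL, checks a returned cert against the key, verifies the chain, and probes the listener. The hostname `sw01.example.net`, the file names and the `host:port` argument are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post. Requires OpenSSL (1.1.1 or newer
# for -addext). Hostname and file names below are assumptions.
set -eu

HOST="sw01.example.net"   # assumed common name / SAN for the switch
KEY="sw01.key"
CSR="sw01.csr"

# Step 1: generate the private key and CSR on the workstation, so the key is
# under your control and can later be uploaded together with the issued cert.
make_csr() {   # $1 = hostname, $2 = key file to write, $3 = CSR file to write
  openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2" -out "$3" -subj "/CN=$1" \
      -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Step 2: after the CA returns the certificate, confirm it carries the public
# half of the key you generated (compare SPKI hashes). A leaf installed
# without its matching key cannot complete a TLS handshake.
key_matches_cert() {   # $1 = issued cert (PEM), $2 = private key (PEM)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 3: verify leaf -> intermediate -> root with the intermediate supplied
# as "untrusted", which is exactly the chain the device will need to serve.
chain_verifies() {   # $1 = leaf cert, $2 = intermediate/chain file, $3 = root CA
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Step 4: probe the listener and surface the negotiated protocol, any alert,
# and the verify result, which is the same information curl's -v gave above.
probe_tls() {   # $1 = host:port
  echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>&1 \
    | grep -E 'Protocol|alert|Verify return' || true
}

# Driver: only runs when invoked as "sh script.sh run", so sourcing the file
# for its functions does not write key material to disk.
if [ "${1:-}" = "run" ]; then
  make_csr "$HOST" "$KEY" "$CSR"
  echo "CSR written to $CSR; submit it to the CA, then rerun the checks."
fi
```

Once `key_matches_cert` and `chain_verifies` both pass, upload the leaf, its key and the intermediate to the device. On RouterOS (from my own use of it, not verified against the poster's version) each file is imported with `/certificate import file-name=...`, and `/certificate print` should show the K flag (private key present) on the leaf before it is assigned with `/ip service set www-ssl certificate=...`; a leaf without K, or without its issuer present, is the first thing to look for.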