I’m trying to setup an IPSec VPN server with MikroTik. The configuration is we have a root CA that we use to sign an intermediate CA we use for our VPN server. The intermediate CA then signs all server and user certs. We prefer to only install our root cert on our devices. The issue arises that MikroTik does not appear to be sending the chain of trust for the certificate but only the server cert itself. Is there any way around this? or can I file a feature request to get this added?
You need to import all certificate chain in RouterOS.
So I have concatenated the server_cert intermedaite_cert root_cert into one file and imported it into the Mikrotiks certs with imports as:
vpn_cert_0
vpn_cert_1
vpn_cert_2
and configure the ipsec peer to use vpn_cert_0 but the client complains about the certificate being untrusted (client is iOS). The client has the RootCA and it’s own certificate installed on it. I would assume the client should trust the server if the chain of authority was being presented. Unless the client doesn’t inherently trust it’s own certificate because it only has the Root and it’s own certificate is signed by the intermediate. Maybe the chain of trust also needs to be imported into the clients…