Making Imported Certificate into a Certificate Authority

After fiddling with how to actually import a certificate for a while, I am now ready to use it. Or so I thought.
It turns out that MikroTik doesn’t consider my certificate an “authority”, even though it has been used for that for a good number of years outside of MikroTik.

The http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Import_certificates article mentions how to import a certificate authority, but at the end of the step-by-step guide the certificate isn’t even an authority.

I was told by a co-worker who has been working with MikroTik longer than me that he remembers it just being a checkbox somewhere. But that seems to no longer be the case, as there is nothing that can be done to a signed certificate apart from toggling trust and a few buttons that aren’t really helpful.

Anyone know how to do this?

Looking a little more around on the forum, there really are no good search results for “Certificate Authority”.

Testing a little with my certificate and comparing it to a self-signed certificate on a MikroTik, I only see a difference between the two certificates on the “Key Usage” tab. More specifically, the “Key Usage” flags for my imported certificate are blank.
[Attachment: Imported Certificate CA.PNG]

If I remember correctly, it worked up to 6.14 or something like that.
Then MT dropped the possibility of loading CAs as CA.
But they still work.
If you have a trusted CA imported as a simple certificate, it will still verify e.g. a remote SSTP certificate; it just will not show up as a CA.

True, it has been working for a long time now like this.
However now I actually want to use the certificate as a CA by issuing certificates with it on the router, but I can’t do that because it is not considered a CA in the eyes of RouterOS.

My current workaround has been to create a new self-signed certificate as CA and use that for all future certificate issuing, then leave the old imported CA along side it as backward compatibility until the day I can phase it out.

AFAIK you CAN generate a self-signed CA, but you need to generate it on the router itself.
Then it will show up as a CA.

Yeah that is what I mean.

I can, however, create a self-signed certificate on one router, export it, and import it into another router while still having it keep the CA status.

Mmh, this may not be a valid solution anyway.
It doesn’t appear to be possible to define more than one certificate for the OpenVPN server at a time. At least it will require a second ovpn-server.

Back to poking at the old certificate…

If anyone has any suggestions I’d love to hear them.

Ok, been doing some more research and testing of older RouterOS versions.

RouterOS was seemingly not able to make/issue certificates before around version 6.10.
The checkbox that was labeled “CA” seems to have just been “Trust” before it was renamed in version 6.3.

I have attempted to import my CA on multiple different RouterOS versions with the same result. On version 6.10 it at least was able to see “Digital Signature” as a key usage, whereas on 6.35 it shows as having a blank list of key usages (as seen in the picture I posted before).

I created a new CA using OpenSSL on a Linux machine (following http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_with_OpenSSL) and have had it act identically to my CA. So I figure I can rule out that it is my CA that is the problem.
I don’t know how RouterOS makes the certificates, but a MikroTik router is able to use CAs created on another MikroTik router just fine.

Ok, I seem to have found the issue.
The old third-party certificate program that I have been using for the past 6 years doesn’t actually check certificate KeyUsage bits.

So in short, my CA doesn’t have the KeyCertSign KeyUsage bit set!
MikroTik, is doing the correct thing in disallowing my certificate from being used as a CA.

The guide at http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_with_OpenSSL doesn’t actually do this either, which I believe may be the cause of this confusion. The guide doesn’t create the CA with the KeyCertSign KeyUsage bit set.

I guess that means I have to retire the old CA sooner than I thought. I have a few more ideas I want to test though.
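The point made in the post above, as an added example that is not part of the thread: with OpenSSL, build one CA the way the wiki walk-through ends up (basicConstraints only, no keyUsage) and one with keyUsage keyCertSign/cRLSign, then check which of the two actually carries the bit RouterOS requires before it treats an imported certificate as an authority, and issue a leaf certificate from the good one. The subjects, file names, lifetimes and the temporary directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare a CA without keyUsage to one with
# keyCertSign/cRLSign and show which one can be used to issue certificates.
set -e
WORK="$(mktemp -d)"

# Minimal config so the result does not depend on the distro's openssl.cnf.
# v3_bare: basicConstraints only (what the wiki guide produces); v3_ca: adds keyUsage.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Test CA
[v3_bare]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME EXT_SECTION: self-signed CA written to $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# cert_sign_flag CRT: prints "yes" if keyUsage contains keyCertSign, else "no".
# Run this before importing; it is the same information RouterOS shows on the
# certificate's Key Usage tab.
cert_sign_flag() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

# issue_leaf CA_NAME: issue a server certificate from the CA and verify the
# chain against it; prints "ok" when verification succeeds.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=vpn.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/leaf.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca bare v3_bare
make_ca good v3_ca
echo "bare CA keyCertSign: $(cert_sign_flag "$WORK/bare.crt")"
echo "good CA keyCertSign: $(cert_sign_flag "$WORK/good.crt")"
echo "leaf issued by good CA: $(issue_leaf good)"
```

The bare CA verifies leaves fine on the OpenSSL side (OpenSSL only rejects a CA whose keyUsage is present but lacks keyCertSign), which is why such a CA can keep working as a trust anchor for years without anyone noticing the missing bit; RouterOS is stricter and only offers it as a signing authority when the bit is there. Once good.crt and good.key are imported on the router with /certificate import, the Key Usage tab shows key-cert-sign and crl-sign and the certificate can be used to sign others.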

Hello,

I met with this same problem of the “Authority” flag on imported CA certificates in RouterOS.
So I wrote this post http://forum.mikrotik.com/t/correction-request-authority-flag-for-import-ca-certificate-autority-in-routeros/137960/1
to request a correction of the implementation.

Thx @luca1234567 for your thread http://forum.mikrotik.com/t/correction-request-authority-flag-for-import-ca-certificate-autority-in-routeros/137960/1

I just added the KeyCertSign and CrlSign flags and the nsComment to my CA’s certificate request,
and it works like a charm!

I mean my CA is interpreted by RouterOS as a CA certificate. :white_check_mark:

In C#

using System;
using System.Formats.Asn1;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Self-signed CA built the way RouterOS expects: basicConstraints CA:TRUE plus
// keyUsage keyCertSign|cRLSign. Without the keyUsage bits RouterOS imports the
// certificate as a plain trusted cert and will not issue certificates with it.
using var rsa = RSA.Create(2048);
var issuer = new X500DistinguishedName("CN=My Root CA, O=Example");

var request = new CertificateRequest(
    issuer,
    rsa,
    HashAlgorithmName.SHA256,
    RSASignaturePadding.Pkcs1
);

request.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(
       certificateAuthority: true,
       hasPathLengthConstraint: true,
       pathLengthConstraint: 0,
       critical: true
   )
);

// Adding the KeyCertSign and CrlSign flags
request.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
        critical: true
    )
);

// Subject Key Identifier so certificates issued by this CA can point back to it
request.CertificateExtensions.Add(
    new X509SubjectKeyIdentifierExtension(request.PublicKey, critical: false)
);

// Adding the nsComment "Generated by RouterOS" (cosmetic; not needed for CA status).
// An extension value must be DER, so the text is encoded as an IA5String instead of
// being passed as raw ASCII bytes.
var asn = new AsnWriter(AsnEncodingRules.DER);
asn.WriteCharacterString(UniversalTagNumber.IA5String, "Generated by RouterOS");
var nsCommentExtension = new X509Extension("2.16.840.1.113730.1.13", asn.Encode(), critical: false);
request.CertificateExtensions.Add(nsCommentExtension);

// Self-sign and write PEM files that can be uploaded and imported on the router
using var ca = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddDays(-1),
    DateTimeOffset.UtcNow.AddYears(10)
);
File.WriteAllText("ca.crt", new string(PemEncoding.Write("CERTIFICATE", ca.RawData)));
File.WriteAllText("ca.key", new string(PemEncoding.Write("PRIVATE KEY", rsa.ExportPkcs8PrivateKey())));

Thanks all for your time, you made my day!

Tried a while without success on ROS 7.8 until I found this: http://forum.mikrotik.com/t/own-ca-certificates-not-importing-in-routeros-7/165789/1
With ROS 7.12.1 everything is fine

Regards, DNAT