However we would like to migrate to a newer Mikrotik device.
Therefore, we’ve exported all certificates+keys encrypted as a p12 file and made a cleartext backup of the MikroTik.
After importing CA and certificates we saw a strange problem.
The CA is still shown with the correct flags “KLAT”.
But the signed certificate changed from “KI” to “KT”. Also the information of the CA is missing.
We’ve tried several imports/exports, e.g. exporting/importing cert and key separately.
Also we’ve used the same names for all certificates.
Is there any way to import the certificates and the CA correctly without losing the reference between CA and certificate?
It would be really a ton of work to issue new certificates for all clients…
I’ve found some posts about that problem, but none of them had a clear/working solution.
AFAIK there’s no official way to do this. I guess that restoring a binary backup should work. That’s also not officially supported between different device types, but aside from messing up some things (like interfaces’ MAC addresses, but you can reset those) it worked when I tried it. If you’re starting with a new blank device, it would be a usable solution.
That is really a pity.
Migration of the complete keystore would be a great feature, especially for fast recovery.
Unfortunately, binary backup is not an option. I’m trying to migrate from an RB2011 to an RB4011; after a restore of the binary backup on the RB4011 it isn’t responding and I have to reset it.
I guess it’s not working because the RB2011 is using MIPSBE and the RB4011 ARM?
You cannot load backups between different types of devices; there may be unexpected results.
And even if backup loads, after loading config you will still need to decrypt private keys with passphrase. It is made that way for security reasons.
a) Keep using the same device (or at least model) forever
b) Ditch old CA, create new one, together with all issued certificates, and replace them everywhere
c) ???
I’ll sound like a smart arse … but why on earth does everybody want to run just everything on a modest router? Running a CA (for whatever reason) on a simple Linux PC is much more trouble-free … and a CA doesn’t have to be online 24/7 if one doesn’t bother with certificate revocations, so it can be done on a simple desktop.
I personally don’t have a CA on the router, but the functionality is there, so I wouldn’t blame anyone for wanting to use it. And in case you have it only for an OpenVPN server on the same router, then why not keep everything together.
I agree with you, it’s only natural for people to use whatever is available. I blame the ROS devs (or rather their management) for including such functionality.
Back to topic: if one uses a self-issued certificate for, say, an OpenVPN connection, then I’d say it’s done on enthusiast level and I don’t see any reason (other than it being a nuisance) not to create a new certificate (by a new CA) if the need arises. If a change of CA is a big problem, then we’re back to me being a smart arse.
I wish we could simply export whole config (including certificates, users, ssh keys, and I’m not sure if anything else is currently missing) using “export” command, and then be able to import it back and get exactly the same thing. If it was possible, then OP could easily move CA to another RB. And I could get nice readable backups.
Yes, SCEP would be an option. However, we have a lot of different customers, usually with 5-10 VPN clients.
For that small number of clients a PKI+SCEP is overkill.
On the other hand, changing all of a customer’s certificates takes some time.
It would be really great to make a real full backup which is hardware independent. A backup is crucial to recover a device ASAP no matter which MikroTik, and that’s not possible at the moment.
Of course I could make a local PKI and upload the new certificates every time, but that would increase the steps for configuration even more.
Running the CA directly on the Mikrotik is perfect for small installations, except for the backup…
Well… even using the binary backup, certificates are messed up…
I’ve tried to migrate from RB2011UiAS-RM to RB3011UiAS-RM using binary and encrypted backup.
Everything worked fine, except… all the private keys are missing!
Manual import of the keys is of course not working…
Since I only need the private key, I’ve tried to delete the CA and import the CA again manually including the private key.
However, that’s also not working, because if I delete the CA, all issued certificates are automatically deleted as well.
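One check worth running on an exported .p12 before importing it into another device, as an added shell example that is not from this thread or from MikroTik: it builds a throwaway CA and client certificate with openssl, bundles key, leaf certificate and CA into a passphrase-protected .p12 the way the thread describes, then counts what the bundle actually carries and verifies that the leaf chains to the bundled CA. The CA/client names, paths and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: build a throwaway CA and client certificate, bundle
# key + leaf + CA into a passphrase-protected .p12 (as the thread's export
# does), then inspect the bundle before trusting it as a migration artifact.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="example-p12-passphrase"   # constructed passphrase for the demo only

make_bundle() {
  # Hypothetical self-signed CA, valid one day
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=example-ca" >/dev/null 2>&1
  # Client key and CSR, signed by that CA
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=example-client" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" >/dev/null 2>&1
  # Bundle private key, client cert and the issuing CA into one .p12
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/client.p12"
}

# Print "<private keys> <certificates>" found in a .p12; a bundle that is
# supposed to carry key, leaf and CA should report "1 2".
p12_contents() {
  dump=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null)
  keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN .*PRIVATE KEY' || true)
  certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  echo "$keys $certs"
}

# Succeed only if the leaf in the bundle chains to a CA that the bundle
# itself carries, i.e. the CA reference survives inside the file.
p12_chain_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts \
    -out "$WORK/chain.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts \
    -out "$WORK/leaf.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_bundle
echo "bundle holds (keys certs): $(p12_contents "$WORK/client.p12")"
p12_chain_ok "$WORK/client.p12" && echo "leaf chains to bundled CA"
```

If a real export reports "0 2" or the chain check fails, the file never contained the private key or the CA, so the import on the new device cannot restore them either.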