Mikrotik not revoking certificate from CRL

Hi,

I’ve noticed an issue with revoking certificates on Mikrotik with an external CRL.
I’m using easy-rsa on a Linux box (192.168.0.151) to generate/sign/revoke certificates, as a sort of small PKI.
I’ve generated a certificate, exported it as p12 and imported it on the Mikrotik as shown below:

[noyes@midgard] /certificate> print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 KL T name="midgard" issuer=CN=Easy-RSA CA digest-algorithm=sha256 key-type=rsa common-name="midgard" key-size=2048 subject-alt-name=DNS:midgard
days-valid=1080 trusted=yes key-usage=digital-signature,key-encipherment,tls-server serial-number="D9D17FDF8F7EB1C67C2854EBAFAA4AC1"
fingerprint="bdcadff977debbe2cd16a9205f65d818e062190c0686b9ee88c4926559fde9ca" akid=037b5d142c858e5ce791d2aa20530864cf9f8e76
skid=6c3514c6f3f58370da93d8f6e4ada9853cef23f9 invalid-before=oct/30/2020 22:53:42 invalid-after=oct/15/2023 22:53:42
expires-after=154w1d23h31m11s

1 T name="CA" issuer=CN=Easy-RSA CA digest-algorithm=sha256 key-type=rsa common-name="Easy-RSA CA" key-size=2048 subject-alt-name=""
days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="37D39CF490CB2C4F48A98B6556B5E17907BAE12A"
fingerprint="be6a29c2ab9c96f216d87706f98536204bd1854d3c37ffa60127058f27205d79" akid=037b5d142c858e5ce791d2aa20530864cf9f8e76
skid=037b5d142c858e5ce791d2aa20530864cf9f8e76 invalid-before=oct/30/2020 22:46:09 invalid-after=oct/28/2030 22:46:09

CRL is configured as below:

Flags: E - expired, D - dynamic, I - invalid

CERT LAST-UPDATE NUM REVOKED URL

0 D midgard oct/30/2020 23:05:39 1 http://192.168.0.151/crl.pem

As shown above, the Mikrotik got information from the CRL that some certificate was revoked. OK, let’s look at it from the Linux box:

The index file shows the cert with s/n “D9D17FDF8F7EB1C67C2854EBAFAA4AC1” is revoked:

root@hydra:~/pki# cat index.txt
R 231015215342Z 201030220332Z D9D17FDF8F7EB1C67C2854EBAFAA4AC1 unknown /CN=midgard

Checking the revocation list crl.pem:

root@hydra:~/pki# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Last Update: Oct 30 22:05:03 2020 GMT
Next Update: Apr 28 22:05:03 2021 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:03:7B:5D:14:2C:85:8E:5C:E7:91:D2:AA:20:53:08:64:CF:9F:8E:76
DirName:/CN=Easy-RSA CA
serial:37:D3:9C:F4:90:CB:2C:4F:48:A9:8B:65:56:B5:E1:79:07:BA:E1:2A

Revoked Certificates:
Serial Number: D9D17FDF8F7EB1C67C2854EBAFAA4AC1
Revocation Date: Oct 30 22:03:32 2020 GMT

Signature Algorithm: sha256WithRSAEncryption

Any idea why, from the Mikrotik end, the certificate is visible as valid?

EDIT: RoS version: 6.47.7
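
The CA-side check from the post (is the serial the router shows marked revoked in easy-rsa's index.txt?), as an added example that is not part of the original post and is not easy-rsa or MikroTik code. The function names are hypothetical, the second index entry is constructed, and the fields are assumed to be tab-separated as OpenSSL writes them.

```python
from datetime import datetime, timezone

# Sample input: the revoked entry from the post, written with the tab separators
# OpenSSL uses in index.txt, plus one constructed valid ("V") entry.
INDEX_TXT = (
    "R\t231015215342Z\t201030220332Z\tD9D17FDF8F7EB1C67C2854EBAFAA4AC1\tunknown\t/CN=midgard\n"
    "V\t231015215342Z\t\t0A1B2C3D4E5F60718293A4B5C6D7E8F9\tunknown\t/CN=constructed-example\n"
)

def parse_time(stamp):
    """Decode YYMMDDHHMMSSZ (or the 4-digit-year form) as UTC."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def normalize_serial(serial):
    """Make serials comparable across tools: drop quotes, colons, case, leading zeros."""
    s = serial.strip().strip('"').replace(":", "").upper()
    return s.lstrip("0") or "0"

def parse_index(text):
    """Return {normalized serial: entry} from an OpenSSL CA database (6 tab-separated fields)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _file, subject = line.split("\t", 5)
        # The third field is "time[,reason]" and is empty for certificates still valid.
        rev_time, _, reason = revoked.partition(",")
        entries[normalize_serial(serial)] = {
            "status": status,
            "expires": parse_time(expires),
            "revoked_at": parse_time(rev_time) if rev_time else None,
            "reason": reason or None,
            "subject": subject,
        }
    return entries

def lookup(index_text, serial):
    """Entry for a serial as printed by another tool, or None if the CA never issued it."""
    return parse_index(index_text).get(normalize_serial(serial))

if __name__ == "__main__":
    # Serial as printed by RouterOS in the post (case and quoting may differ per tool).
    entry = lookup(INDEX_TXT, '"d9d17fdf8f7eb1c67c2854ebafaa4ac1"')
    print(entry["status"], entry["revoked_at"].isoformat(), entry["subject"])
```

The decoded revocation time for the post's entry is 2020-10-30 22:03:32 UTC, the same instant as the "Revocation Date" in the openssl crl output above.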