Openssl CA certificate not recognized as CA

I have a problem with a CA certificate generated by openssl not being recognized by RouterOS (version 6.28 and later) as a CA.

The following command is used to generate the CA:

openssl req -new -newkey rsa:2048 -config openssl_mikrotik-capsman_v1.cnf -keyout ca.key -out ca.crt -nodes -x509 -days 3650

I also tried to generate the CA on RouterOS, and it is recognized as a CA cert. If I export that certificate and import it back, it is not recognized as a CA :frowning:

On RouterOS version 6.27 and earlier everything works OK.

Does anybody know what is wrong with my setup, or is something wrong in RouterOS?

Here is the openssl_mikrotik-capsman_v1.cnf file (without comments):

RANDFILE = ./.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
certs = $dir
crl_dir = $dir
database = $dir/index.txt
new_certs_dir = $dir

certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand

x509_extensions = basic_exts

crl_extensions = crl_ext

default_days = 3650
default_crl_days = 30
default_md = sha256

policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HR
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = PGZ

localityName = Locality Name (eg, city)
localityName_default = Kastav

0.organizationName = Organization Name (eg, company)
0.organizationName_default = MyCompany d.o.o.

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CAPsMAN Test

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = pki@mycompany.lan

[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

Hi,

A while after the question, but it can perhaps be of help to others.
You need to set nsComment = "Generated by RouterOS" on the CA certificate to get the "A" (authority) flag when importing it.

I think I tried that too, but it didn't work. I also generated the CA on the RouterBOARD itself, exported it, deleted the CA, imported the previous export and it still didn't show the A flag :slight_smile: Gonna have to test on newer bugfix releases and will post results.

Cheers!

Yes, that is the solution to the "problem" :wink:

OK, so the config file needs to be altered; only the [ v3_ca ] section is relevant here:

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsComment = "Generated by RouterOS"

Thanx man!
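A small lint for the fix above, added here as an example (it is not code from this thread or from MikroTik): it reads an OpenSSL .cnf the way the [req] x509_extensions lookup works and flags the CA extensions this thread says RouterOS needs for the A flag. The two embedded configs are constructed from the [ v3_ca ] section posted above, before and after adding nsComment.

```python
import re

# Constructed sample: the [ v3_ca ] section from the thread, before the fix ...
CNF_BEFORE = """\
[ req ]
default_bits = 2048
x509_extensions = v3_ca

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
"""
# ... and after adding the nsComment line the thread recommends.
CNF_AFTER = CNF_BEFORE + 'nsComment = "Generated by RouterOS"\n'


def parse_cnf(text):
    """Minimal OpenSSL .cnf reader: [section] headers, key = value lines,
    '#' comments. Surrounding quotes are stripped; $var expansion is not done."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint_ca_extensions(text):
    """Return the problems found in the section [req] x509_extensions points at."""
    cnf = parse_cnf(text)
    name = cnf.get("req", {}).get("x509_extensions")
    if not name or name not in cnf:
        return ["[req] x509_extensions does not name an existing section"]
    ext, problems = cnf[name], []
    if "ca:true" not in ext.get("basicConstraints", "").replace(" ", "").lower():
        problems.append(f"[{name}] basicConstraints must contain CA:TRUE")
    usages = {u.strip() for u in ext.get("keyUsage", "").split(",")}
    if "keyCertSign" not in usages:
        problems.append(f"[{name}] keyUsage must contain keyCertSign")
    if ext.get("nsComment") != "Generated by RouterOS":
        problems.append(f"[{name}] nsComment must be 'Generated by RouterOS' (RouterOS A flag)")
    return problems
```

Running `lint_ca_extensions` on the first config reports only the missing nsComment; on the second it reports nothing.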

Why do you need the A flag? Imported certificates work fine without it.

The only difference is that imported certificates cannot be used to issue new certificates.

Hello,

I have met this same problem with the "Authority" flag of imported CA certificates in RouterOS.
So I wrote this post http://forum.mikrotik.com/t/correction-request-authority-flag-for-import-ca-certificate-autority-in-routeros/137960/1
to request a correction of the implementation.

Not exactly.

CA certificates without the 'A' flag cannot be used to check client certificates in the OpenVPN server ("require client certificate" option).

As a result you must generate ALL the certificates to be used for VPN on MikroTik ONLY.

Unless something changed in the latest versions, it's not true; externally generated certificates worked fine.

thx, bro!!!
RouterOS 6.48.2: still working.