OpenVPN move to another Board

Hello,
I have an RB941-2nD and I have just purchased an RBD52G-5HacD2HnD-TC.

My configuration is simple, but I have set up an OVPN server.

Can I move the certificates from the “old” MikroTik to the new one?
I searched and found something, but it is still not working…

I tried this.
On the old MikroTik:
/certificate export-certificate CA export-passphrase="12345678"
/certificate export-certificate client1 export-passphrase="12345678"
/certificate export-certificate server export-passphrase="12345678"
/certificate export-certificate client export-passphrase="12345678"
then downloaded the files to my PC.

On the new MikroTik:
/certificate import file-name=CA.crt passphrase=12345678
/certificate import file-name=CA.key passphrase=12345678
/certificate import file-name=server.crt passphrase=12345678
/certificate import file-name=server.key passphrase=12345678
/certificate import file-name=client.crt passphrase=12345678
/certificate import file-name=client.key passphrase=12345678
/certificate import file-name=client1.crt passphrase=12345678
/certificate import file-name=client1.key passphrase=12345678

With the command
/certificate print
I noticed that the CA certificate is KLAT (like on the old MikroTik, so I suppose it is fine),
but server, client and client1 are only K or KT (on the old MikroTik they are KI),
so I thought I had to sign those certificates.
But when I try to execute
/certificate sign server ca="CA" name="server"
I receive this error:
failure: name must be unique!

I think only this signature is missing, and then it would work…

How can I make the command work?

Thank you
Alessandro

Hi

Normally one only imports the private key on the target/server device. The public part can be distributed to the users of that server.

If the Tik is the CA, only import the private key.
For the OVPN server: only import the private key.
For the OVPN client: only import the private client key.

Thank you for the reply @sebastia

But if I try to import only the key (without the crt):
[admin@MikroTik] > /certificate import file-name=server.key passphrase=12345678
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0

it doesn't import anything…
Same result with CA, client and client1…

Thank you

I see that when I import a CA.crt it automatically creates a CRL
http://127.0.0.1/crl/1.crl
Could that be it?

Thank you

Sorry, I'm an idiot…

It works fine; it was enough to restart the MikroTik…

So, recap to move OpenVPN from the old MikroTik to the new MikroTik:

On the old MikroTik:
/certificate export-certificate CA export-passphrase="12345678"
/certificate export-certificate client1 export-passphrase="12345678"
/certificate export-certificate server export-passphrase="12345678"
/certificate export-certificate client export-passphrase="12345678"

On the new MikroTik:
/certificate import file-name=CA.crt passphrase="12345678"
/certificate import file-name=CA.key passphrase="12345678"
/certificate import file-name=server.crt passphrase="12345678"
/certificate import file-name=server.key passphrase="12345678"
/certificate import file-name=client.crt passphrase="12345678"
/certificate import file-name=client.key passphrase="12345678"
/certificate import file-name=client1.crt passphrase="12345678"
/certificate import file-name=client1.key passphrase="12345678"

Reconfigure the same OVPN server parameters (firewall, DHCP, etc.),
reboot the new MikroTik and test…

Thank you

Mmh… not working.

I create CA, server@OVPN2 and client@OVPN2 certificates.

print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 KL A T name="CA" digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="CA" key-size=2048 subject-alt-name="" days-valid=3650
trusted=yes key-usage=key-cert-sign,crl-sign ca-crl-host="127.0.0.1" serial-number="41C63A32BCD22298"

1 K I name="server@OVPN2" digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="server@OVPN2" key-size=2048
subject-alt-name="" days-valid=3650 trusted=no key-usage=digital-signature,key-encipherment,tls-server ca=CA serial-number="69AC34FB0776BF43"

2 name="client-template" key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="client" key-size=2048 subject-alt-name="" days-valid=3650
key-usage=tls-client fingerprint="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

3 K I name="client1@OVPN2" digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="client1@OVPN2" key-size=2048
subject-alt-name="" days-valid=3650 trusted=no key-usage=tls-client ca=CA serial-number="574896945756EFD8"

I export the certificates:
export-certificate "CA" export-passphrase="12345678"
export-certificate "server@OVPN2" export-passphrase="12345678"
export-certificate "client1@OVPN2" export-passphrase="mypassphrase"


I load CA.crt, client1@OVPN2.crt and client1@OVPN2.key on my VPN client and it works correctly.

Now I move to different hardware:

import file-name=cert_export_CA.crt name=CA passphrase="12345678"
import file-name=cert_export_CA.key name=CA passphrase="12345678"
import file-name=cert_export_server@OVPN2.crt name=server@OVPN2 passphrase="12345678"
import file-name=cert_export_server@OVPN2.key name=server@OVPN2 passphrase="12345678"
import file-name=cert_export_client1@OVPN2.crt name=server@OVPN2 passphrase="mypassphrase"
import file-name=cert_export_client1@OVPN2.key name=server@OVPN2 passphrase="mypassphrase"



print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 KL A T name="CA" issuer=C=IT,ST=MYSTATE,L=MYCITY,O=MyOrg,CN=CA digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="CA" key-size=2048
subject-alt-name="" days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="41C63A32BCD22298"

1 K T name="server@OVPN2" issuer=C=IT,ST=MYSTATE,L=MYCITY,O=MyOrg,CN=CA digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="server@OVPN2"
key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,tls-server serial-number="69AC34FB0776BF43"

2 K T name="client1@OVPN2" issuer=C=IT,ST=MYSTATE,L=MYCITY,O=MyOrg,CN=CA digest-algorithm=sha256 key-type=rsa country="IT" state="MYSTATE" locality="MYCITY" organization="MyOrg" common-name="client1@OVPN2"
key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes key-usage=tls-client serial-number="574896945756EFD8"

Now I can see that the “CA” column for the client1 and server certificates is blank (on the original server it showed CA).
I can't connect; it says “TLS failed”.


What’s wrong?
Thanks.

No solutions?
The only way I have to make the client work again is to de-select “Require Client Certificate” on the new server…