I configured an OpenVPN server and client between two Mikrotik devices.
I created CA, server1 and client1 certificates.
Require Client certificate works as intended (connection established && connected), however “Verify Server Certificate” doesn’t (TLS failed).
Client has CA certificate imported with LAT flags, and client1 certificate with KT.
Server has CA certificate created by itself with KLAT and server1 with KIT.
Does anyone know what “Verify Server Certificate” tries to check?
I’m surely missing some item in the checklist of this verification..
Can the client Mikrotik check the CRL as you have L flags on the certificates?
With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & clients Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not using client certificates in this case. The client Mikrotik checks the CA for the server is present in its local certificate store.
I believe it does.. Any tip on how to check that?
I think I just exported CA without any passphrase, and after imported in the client that got LAT. Should it be different ?
I might have made a mistake in some step.. I guess the safe way to go is to try to generate new certs all over again.
By the way, all the certs were generated in Mikrotik RB3011 running v6.44rc4 and imported for hEXS v6.44.6 client.
AFAIK Mikrotik abuse the A flag somewhat - it only appears on CAs generated on a Mikrotik, not on those generated elsewhere and imported. If you generate a CA certificate on one Mikrotik, export it without key, then import onto another Mikrotik the flags are AT (without a CRL) or LAT (with a CRL).
I’ve skipped CRLs for small setups with self-signed certificates so I’m not sure how to check the CRL status or Make the Mikrotik not check.
Another thing to check is that the VPN client and server Mikrotiks have the correct time so they consider the certificates to be useable (must be between ‘invalid before’ and ‘invalid after’)
Ended up changing CA CRL Host from public domain name to local IP and it started working.
I thought this had to be the public but seems I was wrong.
I’m pretty new to certs, but does any client or server use common-name or subject alt name for anything ? Or is this just a random string?
I mean, if I use domain names for common-name or subject alt. name they won’t be used against auth to guarantee it’s the correct server being connected to, for example ?
If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the ‘server’ Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing backup copies of certificates and keys they no longer work.
The Common Name (CN) depends on the context in which the certificate is going to be used - it can be some descriptive text, the name of a person, an email address, but typically a fully-qualified domain name of a client or server engaging in SSL/TLS communications.
The Subject Alternative Name (SAN) allows multiple alternate identifiers of specific types to also be included, often used to include DNS names for a web server hosting multiple domains for one organisation, or an IP address in self-signed certificates.
Whilst Mikrotik have not provided a check for OpenVPN client connections, with SSTP client connections there is a verify-server-address-from-certificate option which makes the client check the hostname or IP connected to matches one present in the host certificate.
Awesome!
Thanks a lot for the explanation, that was exactly what I was looking for.
It was also not clear for me if there could be some verification for OVPN. It is now.