Hello, I have still been using RouterOS 6 on important routers. I am using my own root CA (imported on all computers and devices in the organization) and some intermediate CAs without any issues in RouterOS 6. Now I tried to import my CA into RouterOS 7.8 (and some older RouterOS 7.7, 7.6, 7.5), but it is not importing - it says nothing, not even in the log with debug enabled. Could somebody check what's wrong? Here is one of my CAs in the attachment - this one is used just for my students.
ca.crt.txt (1.52 KB)
Well, I have isolated the problem - RouterOS 7 does not accept CA certificates with the nameConstraints property if that property is marked as critical.
See the attachments - the critical one cannot be imported. Why? Is it a bug?
You can play with the generation on a Linux machine:
# 1. key + CSR; openssl prompts for a passphrase to encrypt CA.key
openssl req -newkey rsa:2048 -keyout CA.key -utf8 -subj "/CN=test CA" -out CA.csr
# 2. extension file; drop "critical," from the nameConstraints line to get the non-critical variant
printf '%s\n' 'subjectKeyIdentifier=hash' 'basicConstraints=critical,CA:true,pathlen:0' 'keyUsage=critical,digitalSignature,keyCertSign' 'nameConstraints=critical,permitted;DNS:my.test' > CA.ext
# 3. self-sign; openssl asks for the CA.key passphrase again
openssl x509 -req -days 1461 -in CA.csr -extfile CA.ext -signkey CA.key -out CA.crt
rm CA.csr CA.ext
CA-nameConstraints.crt.txt (1.1 KB)
CA-nameConstraints-critical.crt.txt (1.1 KB)
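A pre-import check for the property isolated in the post above, added here as an example (it is not code from this thread, from MikroTik or from OpenSSL): a standard-library Python script that walks the certificate's DER, lists every X.509 extension with its critical flag, and answers whether nameConstraints is critical, so a CA.crt can be inspected before it is pushed to a RouterOS 7 box older than 7.11. build_test_ca() builds a constructed, unsigned dummy certificate carrying the same extensions as CA.ext above (hypothetical; it exists only to exercise the checker offline). The file name nc_check.py is likewise an assumption.

```python
# Report each X.509 extension of a PEM certificate together with its 'critical' flag.
# Added example for this thread, not MikroTik's or OpenSSL's code; standard library only.
# build_test_ca() makes an UNSIGNED dummy certificate (fake key/signature bytes) so the
# checker runs offline. It is not a usable CA; run the checker on your real CA.crt.
import base64
import re
import sys

OID_NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints (RFC 5280)

def tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off] -> (tag, value, next_off)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length (X.509 is definite-length DER throughout)
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(content):
    """All (tag, value) elements inside a constructed DER value."""
    off, out = 0, []
    while off < len(content):
        tag, val, off = tlv(content, off)
        out.append((tag, val))
    return out

def oid_str(raw):
    """Dotted-decimal string for raw OID content bytes."""
    arcs, n = [], 0
    for b in raw:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def extensions(pem):
    """[(oid, critical), ...] for the first certificate in the PEM text."""
    _, cert, _ = tlv(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem)))
    tbs = children(cert)[0][1]  # tbsCertificate
    ext_field = [v for t, v in children(tbs) if t == 0xA3]  # [3] EXPLICIT Extensions
    if not ext_field:
        return []
    out = []
    for _, ext in children(children(ext_field[0])[0][1]):  # SEQUENCE OF Extension
        f = children(ext)  # extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING
        critical = len(f) == 3 and f[1][0] == 0x01 and f[1][1] != b"\x00"
        out.append((oid_str(f[0][1]), critical))
    return out

def name_constraints_critical(pem):
    """True/False for a critical/non-critical nameConstraints, None if the extension is absent."""
    for oid, critical in extensions(pem):
        if oid == OID_NAME_CONSTRAINTS:
            return critical
    return None

# ---- minimal DER encoder, used only to build the constructed dummy certificate ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    def b128(n):
        out = [n & 0x7F]
        n >>= 7
        while n:
            out.append(0x80 | (n & 0x7F))
            n >>= 7
        return bytes(reversed(out))
    p = [int(x) for x in dotted.split(".")]
    return der(0x06, b"".join(b128(a) for a in [p[0] * 40 + p[1]] + p[2:]))

def build_test_ca(nc_critical):
    """Dummy 'test CA' PEM with the same extensions as CA.ext above (nameConstraints critical or not)."""
    def ext(oid, critical, value):
        flag = der(0x01, b"\xff") if critical else b""  # DEFAULT FALSE: omitted when not critical
        return der(0x30, der_oid(oid) + flag + der(0x04, value))
    alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"test CA"))))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"270101000000Z"))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00" * 33))
    basic = ext("2.5.29.19", True, der(0x30, der(0x01, b"\xff") + der(0x02, b"\x00")))  # CA:true,pathlen:0
    ku = ext("2.5.29.15", True, der(0x03, b"\x02\x84"))  # digitalSignature, keyCertSign
    nc = ext(OID_NAME_CONSTRAINTS, nc_critical,  # permitted;DNS:my.test
             der(0x30, der(0xA0, der(0x30, der(0x30, der(0x82, b"my.test"))))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity
              + name + spki + der(0xA3, der(0x30, basic + ku + nc)))
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 33))  # fake signature, never verified here
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

if __name__ == "__main__":  # usage: python3 nc_check.py CA.crt [...]; no args -> the two dummy CAs
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("dummy-critical", build_test_ca(True)), ("dummy-noncritical", build_test_ca(False))]
    for label, pem in inputs:
        print(label, extensions(pem), "nameConstraints critical:", name_constraints_critical(pem))
```

Run it as python3 nc_check.py CA.crt; with no arguments it checks the two constructed certificates, reporting critical=True for nameConstraints on the first and False on the second. openssl x509 -in CA.crt -noout -text shows the same information as "X509v3 Name Constraints: critical", but the script returns a value that a provisioning script can test on before attempting the import.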
This bug is now fixed in RouterOS 7.11 (https://mikrotik.com/download/changelogs/testing-release-tree#show-tab-tree_1-id-545b7f8898ab56dcd911fd5f6795bbd4).
Thanks man, you saved my day!
Regards, DNAT