Question about moving certificates to another mikrotik

Hello team!

I have an SSTP VPN with CA and Server certificates working on a Mikrotik.
I need to transfer the certificates to another piece of hardware which will be a backup (so both should work).
I have exported both certificates on the first Mikrotik using a password.
Copied the files to the second mikrotik
Imported both CRTs files in second mikrotik
Renamed certificates in second mikrotik to match the names in the first mikrotik
At this point, CA Certificate has only the “AT” flags and Server Certificate has only the flag “T”
In the first Mikrotik, CA Certificate has “KAT” flags and Server Certificate has “KIT” flags

Do I need to sign the certificates again?
If I try to sign it, the following error appears: “Couldn’t start - At least one field specifying certificate name should be set!”
If I open each certificate in the winbox GUI, click the “Import” button and select each key file, the “K” flag appears on both.
The Server certificate is still without the “I” flag, which I think is because it is not issued yet in this Mikrotik.
Do I need to do something else to make it work?

Thanks in advance!
Regards
Damián

Try exporting .backup and reimporting it on similar hardware.
I do not remember if .backup also exports certificates,
but it is perfectly logical that a CA exists only one time…

I didn’t test it lately, but AFAIK there’s no good solution for this. Backup should have everything, so you should be able to restore it on another device (even if it’s not exactly supported) and get certificates including their relations (when they are issued by CA on RouterOS). But better test it, if you want to be 100% sure. But if you want to have a live backup, where both devices are active (perhaps with some small config differences) and only synchronize certificates, I don’t think it can be done. You can export and import certificates and keys individually, but relations will be lost, so e.g. revoking a certificate originally issued on another device won’t work. My current solution is to use an external CA (XCA is a nice tool).
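Added example, not from any poster in this thread: when certificates and keys are moved as individual files (exported from a router or issued by an external CA), this OpenSSL check confirms before import that the server certificate chains to the CA and that the key file belongs to the certificate. It assumes PEM files; the file names and the throwaway CA are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-import check for a certificate/key pair copied between routers.
# Usage: check_pair CA_CERT SERVER_CERT SERVER_KEY [KEY_PASSPHRASE]
check_pair() {
    ca=$1; crt=$2; key=$3; pass=${4:-}
    # 1. The server certificate must chain to the CA certificate.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "chain: FAIL"; return 1
    fi
    # 2. The key file must hold the private half of the certificate's public key.
    #    Compare SHA-256 digests of both public keys in DER form. An unreadable
    #    key or a wrong passphrase yields a different digest and lands here too.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key: MISMATCH"; return 2
    fi
    echo "ok"
}

# Constructed sample material: a throwaway CA and one server certificate.
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/srv.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_pair "$demo_dir/ca.crt" "$demo_dir/srv.crt" "$demo_dir/srv.key"        # matching pair
check_pair "$demo_dir/ca.crt" "$demo_dir/srv.crt" "$demo_dir/ca.key" || true # wrong key file
rm -rf "$demo_dir"
```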

Thanks a lot to both!!!

The second Mikrotik is an RB1100x4; the first Mikrotik is an RB1100x4 Dude edition.
I don’t know why I had used export without trying backup.
Just tried backup and it worked, at least everything is like in the first Mikrotik (I can’t test the VPN yet).

Regards,
Damián

Remember to restore all ethernet, bridge and tunnel MACs so you do not have duplicated MACs!!!
How to: do an /export and look inside for all the “cloned” MACs.
For ethernet/sfp/qsfp you can simply do:

/int eth reset-mac-address [find]

For wireless (not present on 1100) it is more complicated,
but for all tunnels that need a MAC, it must be changed manually,
and on bridges the administrative-mac-address must also be aligned with the right MAC for the first ethernet (or the tunnel) interface.

Thanks, I already did this.
I just did not know the “[find]” part, I had to write all the interface names xD

Regards,
Damián