RouterOS 6.44.2, router and server certificates signed with the same (intermediate) CA. At TLS handshake the router says “Unknown CA” and does not send its cert.
I would expect that you need to import the signing chain into /certificate. This will allow the signatures on the used certificates to be verified.
Yes, after importing the whole CA chain it works.
But now the router says “server’s IP or DNS name does not match certificate (6)”. What field exactly does it check and how? The CN is spelled correctly and matches the hostname.
Recently an additional field was added:
--subject-alt-name="DNS:,IP:" (snippet from easyrsa script)
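
An added example, not from any poster in this thread: a shell check of whether a certificate lists the name or address being dialed in its subjectAltName extension, assuming (as the last reply suggests) that the client matches on SAN rather than CN. It needs OpenSSL 1.1.1 or later; `host.example.test`, `192.0.2.10` and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. HOST and ADDR are constructed placeholder values.
HOST=host.example.test
ADDR=192.0.2.10
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <out.pem> [san]: throwaway self-signed cert; the CN is always $HOST.
make_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
            -keyout "$1.key" -out "$1" -addext "subjectAltName=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# san_entries <cert.pem>: one SAN entry per line, e.g. "DNS:name" or
# "IP Address:addr"; prints nothing when the extension is absent.
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep '^[[:space:]]' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# san_covers <cert.pem> <DNS|IP> <value>: succeeds only if the SAN lists the
# value exactly. The CN is ignored on purpose; wildcards are not expanded.
san_covers() {
    case $2 in IP) label="IP Address" ;; *) label=$2 ;; esac
    san_entries "$1" | grep -qixF "$label:$3"
}

# Two constructed certificates with the same CN: one without SAN, one with it.
make_cert "$WORK/cn_only.pem"
make_cert "$WORK/with_san.pem" "DNS:$HOST,IP:$ADDR"

for c in cn_only with_san; do
    for want in "DNS $HOST" "IP $ADDR"; do
        set -- $want
        if san_covers "$WORK/$c.pem" "$1" "$2"; then r=present; else r=MISSING; fi
        echo "$c.pem: $1 $2 $r in subjectAltName"
    done
done
```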