I created CA and client certificates on a Mikrotik router… I played with them and tried different connection protocols, etc…
Now I would like to delete them all and start over, but I cannot delete them, only revoke them!!!
If I try to remove them, I get the message: “Couldn’t remove Certificate - issued certificate can only be revoked (9)”
I’m not crazy, but I’m pretty sure that I could delete the certificates on the day I created them (I deleted some on the same day), but now I cannot delete them anymore!!!
I had something similar, but after I went through and revoked all the client certificates and the server certificate, then removed the CA, my list of certificates was empty. I wasn’t watching each stage, so I’m not sure if it was removing the CA or removing the server cert that did the trick.
I can’t create a new certificate with the same name as a revoked certificate unless I rename the revoked certificate first. But either way, this will end up cluttering the certificate window with old certificates and making renewing certificates a much bigger headache than it has to be.
I would much prefer it if the revoked certificates were stored somewhere else and didn’t have naming conflicts with valid certificates.
There goes my hope of making a simple API application to manage certificates on the router. Time to give all revoked certificates random names and otherwise make it all horrible to look at.
I have only found one way of removing an issued certificate… First off, you export the authority certificate that was used to sign it (with passphrase so you get the private key too). Next step is to delete the authority certificate, and finally all certificates signed using it (including the one you wish to remove) also disappear. Then, re-import your authority certificate, then reimport the key file, and you will have accomplished deleting an issued certificate and have your authority certificate back into the system.
If keeping all certificates that have ever been issued on the MikroTik is necessary, you’d have to export each one before deleting the authority certificate. Then re-import them after you’ve re-imported the authority certificate.
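The export, delete and re-import procedure described in the post above, written out as RouterOS console commands. This is an added example, not part of the original thread; the certificate names `myCA` and `client1` and the passphrase are placeholders, and the file names assume the default `cert_export_<name>` naming.

```routeros
# Added example. myCA, client1 and the passphrase are placeholders (assumptions).

# 1. Export the CA with a passphrase so the private key is written as well.
#    Assumed default output: cert_export_myCA.crt and cert_export_myCA.key
/certificate export-certificate myCA export-passphrase="CHANGE-ME-passphrase"

# 2. Optional: export every issued certificate that has to survive the cleanup.
/certificate export-certificate client1 export-passphrase="CHANGE-ME-passphrase"

# 3. Confirm the exported files exist before anything is removed.
/file print where name~"cert_export_"

# 4. Remove the CA. According to the post, the certificates it signed
#    disappear from the list together with it.
/certificate remove [find name="myCA"]

# 5. Re-import the CA: certificate file first, then the key file.
/certificate import file-name=cert_export_myCA.crt passphrase=""
/certificate import file-name=cert_export_myCA.key passphrase="CHANGE-ME-passphrase"

# 6. Re-import any issued certificates exported in step 2 the same way.
/certificate import file-name=cert_export_client1.crt passphrase=""
/certificate import file-name=cert_export_client1.key passphrase="CHANGE-ME-passphrase"

# 7. Check the result: the re-imported CA should carry the K (private key) flag.
/certificate print

# 8. Exported key files stay in router storage until deleted. Copy them to a
#    protected backup if needed, then remove them from the router.
/file remove [find name~"cert_export_.*key"]
```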
I am struggling to make an OpenVPN server on a MikroTik router, I won’t say anything about the hardware or software versions because it’s a new model and has plenty of those.
What I want to say is:
By any chance, in the future, can you make a dropdown for “Usage” of a certificate? This dropdown can have options like “OpenVPN”, “IPsec”, “etc1”, “etc2”.
When you select OpenVPN, a JavaScript should check (or auto-select) which key usage scenarios are needed for this certificate,
because I made 3 sets of certificates (CA, server, client) and I did not connect as an OpenVPN client to this server due to certificate issues.
The first set was made for 10 years, valid from 1970 to 1980.
Guys, if you don’t update the time automatically when the router is connected to the internet, at least throw a notice when creating a certificate: “moron! this certificate is valid from 1970 to 1980, are you sure you want to continue?”
The second set was with a good date, after updating the time in the MikroTik router, but key-agreement was missing from the certificate key usage scenarios.
I went to the OpenVPN website and found a table explaining what a server certificate needs to have and what a client certificate needs to have