SSL Certificate problem (missing private key)

I’m trying to enable www-ssl, with a cacert signed certificate. I must be missing something.

My steps:

  1. /certificate create-certificate-request
    I fill in all the details, especially common name and pass phrase. It generates 2 files, -private.pem and -request.pem
  2. I download the -request file, submit it to cacert, and obtain a signed certificate, which I upload by ftp
  3. /certificate import
    certificates-imported: 1
    files-imported: 1
/certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=CN=mydomain.com issuer=O=Root CA,OU=http:,,www.cacert.org,CN=CA Cert Signing Authority,emailAddress=support@cacert.org 
      serial-number="0B9XXX" invalid-before=apr/10/2012 08:19:08 invalid-after=oct/07/2012 08:19:08 ca=yes

Notice there are no K, Q or R flags…

What am I doing wrong? Of course, I get SSL errors on every browser tested. Here’s the output from openssl:

$ openssl s_client -connect mydomain.com:443
CONNECTED(00000003)
140019519768224:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
140019519768224:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1334048750
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

> /system resource print
                   uptime: 1h4m16s
                  version: 5.14
              free-memory: 18816KiB
             total-memory: 29708KiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 680MHz
                 cpu-load: 3%
           free-hdd-space: 30980KiB
          total-hdd-space: 61440KiB
  write-sect-since-reboot: 1538
         write-sect-total: 3209
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB750G
                 platform: MikroTik

Thanks.

If you imported only the signed certificate from the CA, import also the private key (private.pem). If it doesn’t work, it might have the wrong format; see the first note at http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

I’m using CACert, which is free, but I could have used any commercial CA. The point is that I’m not using self-signed certificates, or custom CA.

The process I used is described here: http://wiki.mikrotik.com/wiki/SSL_Certificate_setup

/certificate create-certificate-request
Get the CA to sign the request, and upload the certificate.pem to the router
/certificate import file-name=certfile.pem

I assigned the certificate to the www-ssl service, but cannot connect with any browser. openssl s_client reports errors, as described in the OP.

Please check what is exactly happening here:
http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

I know that that is for self-generated certificates, but essentially the only difference is that you do not have to generate the CA key/certificate, because that is provided for you already.

And you have to decrypt it using the key for it to be used as a certificate for the www-ssl service.

OK… I’ll try to generate the certificate from my computer, instead of using the router, which seems broken.

I’ll let you know.

Thanks!

I used this tutorial for generating the SSL cert: http://wiki.cacert.org/HELP/4

I faced the same problem. The crt was imported but the key wasn’t. Then I used the command mentioned in http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

openssl rsa -in server.key -text > server2.key

It was then imported correctly.

Being curious, I tried the same command with the private-key.pem that the router’s create-certificate-request generates, and it actually worked.

I would consider it a bug, as the router is not importing the private key file it generates.

Julian.
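The check the thread converges on, as an added example that is not part of the original posts or of RouterOS: a small Python script that parses a PEM file, counts certificate and private-key blocks, flags keys that still carry a pass phrase (the `Proc-Type: 4,ENCRYPTED` header on a traditional OpenSSL key, or the `ENCRYPTED PRIVATE KEY` label of PKCS#8), and extracts only the PEM blocks from a file such as the `openssl rsa -text` output above, which writes a human-readable dump before the key. The sample inputs are constructed, with a tiny placeholder DER body standing in for a real key or certificate. The thread does not say which property of the router-generated key made the import skip it, so the script reports the properties a practitioner would check first rather than asserting a cause.

```python
"""Inspect a PEM file before handing it to a certificate importer.

Added example; not code from the forum thread or from MikroTik.  Sample
inputs are constructed and use a tiny placeholder DER body in place of a
real key or certificate.
"""
import base64
import re
from dataclasses import dataclass, field

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str                                   # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    headers: dict = field(default_factory=dict)  # e.g. Proc-Type, DEK-Info
    der: bytes = b""                             # decoded body
    encrypted: bool = False                      # key still needs a pass phrase


def parse_pem(text: str) -> list:
    """Return every PEM block in `text`; text outside the blocks is ignored."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            # Header lines ("Key: value") precede the base64 body; the
            # base64 alphabet itself never contains ':'.
            if ":" in line and not b64_lines:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64_lines.append(line)
        der = base64.b64decode("".join(b64_lines), validate=True)
        # Traditional OpenSSL keys mark encryption with Proc-Type: 4,ENCRYPTED;
        # PKCS#8 uses a distinct label instead.
        encrypted = ("ENCRYPTED" in headers.get("Proc-Type", "")
                     or label == "ENCRYPTED PRIVATE KEY")
        blocks.append(PemBlock(label, headers, der, encrypted))
    return blocks


def summarize(text: str) -> dict:
    blocks = parse_pem(text)
    return {
        "certificates": sum(b.label == "CERTIFICATE" for b in blocks),
        "private_keys": sum("PRIVATE KEY" in b.label for b in blocks),
        "encrypted_keys": sum(b.encrypted for b in blocks),
        # Every DER certificate or key starts with a SEQUENCE tag (0x30).
        "malformed": sum(b.der[:1] != b"\x30" for b in blocks),
    }


def check_key_material(text: str) -> tuple:
    """(ok, reason): does the file carry a certificate plus an unencrypted key?"""
    s = summarize(text)
    if s["malformed"]:
        return False, "a PEM body does not decode to a DER SEQUENCE"
    if s["certificates"] == 0:
        return False, "no certificate block"
    if s["private_keys"] == 0:
        return False, "no private key block; only the certificate would be imported"
    if s["encrypted_keys"]:
        return False, "private key is pass-phrase encrypted; decrypt it first"
    return True, "certificate and unencrypted private key present"


def extract_pem(text: str) -> str:
    """Keep only the PEM blocks, dropping e.g. the `openssl rsa -text` dump."""
    return "\n".join(m.group(0) for m in PEM_BLOCK_RE.finditer(text)) + "\n"


# --- constructed samples (placeholder DER: SEQUENCE { INTEGER 0 }) ----------
def _pem(label: str, der: bytes, headers: dict = None) -> str:
    hdr = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    hdr = (hdr + "\n") if hdr else ""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


TINY_DER = bytes.fromhex("3003020100")
SIGNED_CERT_ONLY = _pem("CERTIFICATE", TINY_DER)
ENCRYPTED_KEY = _pem("RSA PRIVATE KEY", TINY_DER,
                     {"Proc-Type": "4,ENCRYPTED",
                      "DEK-Info": "DES-EDE3-CBC,0123456789ABCDEF"})
# Shape of what `openssl rsa -in key -text` writes: a text dump, then the plain key.
OPENSSL_RSA_TEXT_OUTPUT = ("Private-Key: (2048 bit)\nmodulus:\n    00:c3:9f:..\n"
                           + _pem("RSA PRIVATE KEY", TINY_DER))

if __name__ == "__main__":
    for name, sample in [("signed cert only", SIGNED_CERT_ONLY),
                         ("encrypted key + cert", ENCRYPTED_KEY + SIGNED_CERT_ONLY),
                         ("openssl rsa output + cert",
                          OPENSSL_RSA_TEXT_OUTPUT + SIGNED_CERT_ONLY)]:
        print(f"{name:28s} {check_key_material(sample)}")
```

Run it on a real file by reading it into `text` and calling `check_key_material(text)`; if the file is the output of `openssl rsa -text`, feed `extract_pem(text)` to the importer so it sees only the PEM blocks.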

Funny, isn’t it? :wink: But as the note says, it should be fixed in next version.

Which next version? :confused: