MikroTik will first need to update /certificate/enable-ssl-certificate to support the DNS-01 challenge. I guess they can leverage mynetname.net and implement something similar to what challenges.addr.tools does:

- MikroTik would add a submenu (table) to Certificates, which allows the user to populate entries like this:
  /certificates acme-dns01 add dns-name=blabla.example.com secret=some_random_string name=my_cert wildcard=yes
  This might accept optional parameters like directory-url=.
- Once the entry is created, RouterOS shows the generated subdomain very_long_bunch_of_hex.acme.mynetname.net, similar to what challenges.addr.tools generates from the secret (they just hash the secret with SHA224, but MikroTik can do whatever they want to generate very_long_bunch_of_hex from the chosen secret string, like adding the router's identity before hashing, for example).
- The user updates their DNS to create CNAME records pointing _acme-challenge.blabla.example.com to very_long_bunch_of_hex.acme.mynetname.net.

The above setup steps must only be performed once per domain.

- Once the entries are created, the actual certificates can be requested/renewed with:
  /certificates request-acme-dns01-certificate name=my_cert
- During the challenge, the router will automatically contact MikroTik's server to update the TXT record of very_long_bunch_of_hex.acme.mynetname.net (similar to what is done with challenges.addr.tools) with the correct content. The record only needs to be temporarily present.
- Once the challenge is complete, the new certificate is installed/updated with the name my_cert under /certificates.

Automatic renewal is just doing /certificates request-acme-dns01-certificate name=xxx for the entries under /certificates acme-dns01 when the expiration of the previously issued certificate approaches.
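The flow proposed above, as an added example that is not part of the original post and not code from MikroTik or challenges.addr.tools: it models the one-time CNAME delegation, the per-issuance TXT update at the delegated name, and the CA-side check (CNAME chasing plus the RFC 8555 key-authorization digest) against an in-memory DNS zone. The SHA-224-of-secret label is taken from the post's description of challenges.addr.tools; the router-identity prefix, the sample domain, secret, token and the acme.mynetname.net zone are constructed assumptions for illustration.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not from the original post).
DOMAIN = "blabla.example.com"
SECRET = "some_random_string"
ROUTER_IDENTITY = "MikroTik"             # hypothetical router identity
DELEGATION_BASE = "acme.mynetname.net"   # zone suggested in the post
ACCOUNT_JWK = {                          # public EC key from RFC 7515 A.3
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def challenge_label(secret, identity=None):
    """Derive the delegated label from the secret.

    Assumption: SHA-224 hex of the secret, as the post says
    challenges.addr.tools does; mixing in the router identity first is the
    post's own suggestion and purely illustrative here."""
    material = f"{identity}:{secret}" if identity else secret
    return hashlib.sha224(material.encode()).hexdigest()


def delegated_name(secret, identity=None, base=DELEGATION_BASE):
    return f"{challenge_label(secret, identity)}.{base}"


def base_name(domain):
    """RFC 8555 section 7.4: a wildcard is validated at its base name."""
    return domain[2:] if domain.startswith("*.") else domain


def cname_record(domain, secret, identity=None):
    """The one-time DNS change the user makes: (owner, target)."""
    return f"_acme-challenge.{base_name(domain)}", delegated_name(secret, identity)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an EC public key (required members only)."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())


def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs the way a validating CA would, then return TXT values."""
    for _ in range(max_hops):
        rrset = zone.get(name.lower().rstrip("."), {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return list(rrset.get("TXT", []))
    raise RuntimeError("CNAME chain too long")


def validate_dns01(zone, domain, token, thumbprint):
    """CA side: is the expected digest present behind _acme-challenge?"""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, f"_acme-challenge.{base_name(domain)}")


def run_flow(domain=DOMAIN, secret=SECRET, token="tok-constructed-1"):
    """Walk the post's steps against an in-memory zone and return the
    validation result (before TXT publish, during, with a stale token)."""
    zone = {}
    # Setup, once per domain: the user adds the CNAME to the delegated name.
    owner, target = cname_record(domain, secret, ROUTER_IDENTITY)
    zone[owner] = {"CNAME": target}
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    before = validate_dns01(zone, domain, token, thumb)
    # Each issuance: the router (via MikroTik's server) sets the TXT record.
    zone[target] = {"TXT": [dns01_txt_value(token, thumb)]}
    during = validate_dns01(zone, domain, token, thumb)
    # A later challenge issues a new token, so a leftover record is useless.
    stale = validate_dns01(zone, domain, "tok-constructed-2", thumb)
    return before, during, stale


if __name__ == "__main__":
    print(cname_record(DOMAIN, SECRET, ROUTER_IDENTITY))
    print(run_flow())
```

The point the model makes concrete is that the only record under the user's control is the static CNAME, so the secret that authorizes TXT updates never has to be a credential for the user's own DNS provider, and because the TXT value is bound to a fresh token per challenge, leaving a stale record behind grants nothing.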