VPN Server: Migrate certificates to new hardware

lozio84 · January 11, 2021, 9:43pm

Good evening everyone!
I have a working OVPN server built on an RB 2011, now I would like to upgrade the hardware by installing an RB1036. Of course I would like to copy the certificates generated by the old platform to avoid having to reconfigure all clients. I tried exporting the CA.crt, server.crt files and client certificates. I imported them to the new server but there is something wrong because it doesn’t work.

What is the correct procedure for exporting all certificates of the VPN SERVER and making them work on another machine?

I created the files on the old server using the following example:

/certificate add name=CA country="IT" state="IT"
common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=127.0.0.1 name="CA"

/certificate add name=server country="IT" state="IT"
common-name="server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client country="IT" state="IT"
common-name="client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign client ca="CA" name="client"

Thanks

tdw · January 11, 2021, 10:02pm

You certainly have to export the certificates as a bundle in PKCS12 format so the private keys are exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:System/Certificates#General_Menu

I recall there have been some reports that if a CRL has been specified (as in your example) it just doesn’t work.

Sob · January 12, 2021, 1:06am

AFAIK certificates are transferrable, but the relation between RouterOS CA and issued certificates is not. So for example if you’d want to revoke some, you can’t. Binary backup should contain everything, but it’s not meant for different device models. I think it’s bad, but so far it doesn’t seem to be a problem for MikroTik.

lozio84 · January 12, 2021, 3:02pm

Thanks for the reply!
So if i set up a new server from 0 and create the certificates without CRL i could then export them and reload them in a new machine in case of hardware problems?

Sob · January 12, 2021, 4:52pm

I’m not sure about details, so it’s probably best to test it yourself. In case you don’t have free spare device, you can use CHR (RouterOS VM; free version is enough).

lozio84 · January 13, 2021, 8:57pm

In your opinion .. is it better, a physical machine like an rb1036 or a virtual machine( with CHR and with adequate resources), to manage a server to route VPN?
it will have to manage about 150 VPNs between sstp and ovpn

because thinking about it .. using the virtual machine I would not have the problem of certificates if the machine died and I had to recreate it from a backup.

Sob · January 13, 2021, 9:26pm

That’s not question for me, you need someone who has experience with performance of different devices. I just mentioned CHR as a simple way how to test transfers of certificates between different devices.

Also, unless you need to generate certificates directly on router for any reason, you can always do it externally (using for example XCA or some other tool), and this particular problem will go away.

lozio84 · January 17, 2021, 1:21pm

Thank you very much for your reply
I will try with a program for generating certificates and I will also test the portability on multiple platforms of the certificates generated by mikrotik then I will let you know

Sob · January 17, 2021, 8:41pm

Certificates generated by RouterOS are like any other certificates, i.e. they are fine. Only transferring whole RouterOS CA between devices is… let’s say unfinished.