x509 Certificate cannot import since 7.7

dibatech · April 25, 2023, 11:48am

Hi there.
Cannot import x509 certificates since 7.7.
Tested up to 7.9RC3

According to official Mikrotik v7.7 changelogs under certificate:

*) certificate - improved Let’s Encrypt logging and error recovery;
*) certificate - improved certificate management, signing and storing processes;

Nothing noted… Yet many forum entries…

CA crt can import successfully:

#openssl x509 -in ca.crt -text

Signature Algorithm: sha512WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

Client Certificate cannot import:

#openssl x509 -in client.crt -text

Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

SHA256 deprecated? If so, mind telling the peasants as well?

dibatech · April 26, 2023, 6:55am

Regenerated client certificate with sha512WithRSAEncryption, no passphrase
OpenSSL 1.1.1k FIPS 25
No joy. Still can’t import it.
Mikrotik support. You know about this?

matiss · April 26, 2023, 7:22am

Please send to support@mikrotik.com a certificate you are trying to import.

dibatech · May 1, 2023, 4:21pm

#[SUP-114596]: x509 certificate cannot import since v7.7 was logged 26-04-2023…

dibatech · November 16, 2023, 4:43pm

Its been a long time.

Was made aware by Mikrotik Support that we should not be making use of “-addtrust clientAuth” in OpenSSL while creating certs.
#SUP-114596

Thanks