Hello, I'm trying to configure a scenario with certificates and I've found one bug and a possible second one.
- Trying to sign a certificate via SCEP only works in the CLI. Winbox gets an error "Error in SCEP URL - double field expected".
- Trying to add Registration Authorities, I get an error 'failure: not a HTTP URL' when I try to add a new RA. The error arises both in Winbox and in the CLI. I think it is a bug, but I'm not sure if I am missing something.
Detailed scenario
I'm configuring two routers, RCA (10.0.0.1/24) that will act as Certification Authority, and RRA (10.0.0.10/24) that will act as Registration Authority.
First I create and self-sign the CA certificate in RCA:
[admin@RCA] /certificate> add name=certRCA organization="My Company" common-name="RCA" key-size=2048 days-valid=365 key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign subject-alt-name=IP:"10.0.0.1"
[admin@RCA] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #          NAME      CO..  SUBJECT-ALT-NAME  FI..
 0          certRCA   RCA   IP:10.0.0.1
[admin@RCA] /certificate> sign certRCA ca-crl-host="10.0.0.1"
progress: done
[admin@RCA] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #          NAME      CO..  SUBJECT-ALT-NAME  FI..
 0 K L A T  certRCA   RCA   IP:10.0.0.1       29..
[admin@RCA] /certificate> scep-server
[admin@RCA] /certificate scep-server> add ca-cert=certRCA path=/scep/server
[admin@RCA] /certificate scep-server> otp
[admin@RCA] /certificate scep-server otp> generate minutes-valid=20
password: 8c268eb0df948929981e
Then I create the certificate in RRA:
[admin@RRA] > certificate
[admin@RRA] /certificate> add name=certRRA organization="My Company" common-name="RRA" key-size=2048 days-valid=365 key-usage=digital-signature,key-encipherment,data-encipherment subject-alt-name=IP:"10.0.0.10"
[admin@RRA] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #          NAME      CO..  SUBJECT-ALT-NAME  FI..
 0          certRRA   RRA   IP:10.0.0.10
I can sign RRA using SCEP and OTP. The first thing to note is that I can do this step only in the CLI. Winbox gets an error "Error in SCEP URL - double field expected".
[admin@RRA] /certificate> add-scep scep-url="http://10.0.0.1/scep/server" template=certRRA challenge-password=8c268eb0df948929981e
[admin@RRA] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #          NAME      CO..  SUBJECT-ALT-NAME  FI..
 0 K     T  certRRA   RRA   IP:10.0.0.10      c1..
 1   L A T  cert...   RCA   IP:10.0.0.1       29..
Now I will try to activate the RA, and here is where it fails (or where I fail, I'm not sure). I get the same message in Winbox and in the CLI. First I will create another certificate:
[admin@RRA] /certificate> add name=certRRA2 organization="My Company" common-name="RRA2" key-size=2048 days-valid=365 key-usage=digital-signature,key-encipherment,data-encipherment subject-alt-name=IP:"10.0.0.10"
[admin@RRA] /certificate> scep-server ra
[admin@RRA] /certificate scep-server ra> add template=certRRA2 server-url="http://10.0.0.1/scep/server" name=n1
failure: Not a HTTP URL!
[admin@RRA] /certificate scep-server ra> add template=certRRA2 server-url="http://10.0.0.10/ra/server" name=n1
failure: Not a HTTP URL!
[admin@RRA] /certificate scep-server ra> add template=certRRA2 server-url="http://10.0.0.10/ra/server" name=n1 ra-path="/ra/server"
failure: Not a HTTP URL!
[admin@RRA] /certificate scep-server ra> add template=certRRA2 server-url="http://10.0.0.10/scep/server" name=n1 ra-path="/ra/server"
failure: Not a HTTP URL!
[admin@RRA] /certificate scep-server ra> add template=certRRA2 server-url="10.0.0.10/ra/server" name=n1
failure: Not a HTTP URL!
[admin@RRA] /certificate scep-server ra>
Thanks in advance
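Added example, not part of the post above and not RouterOS or MikroTik code: a small set of Python helpers for checking a SCEP endpoint like the one the post creates with `path=/scep/server`. It does not explain the RA error the post reports; what it does is catch a malformed SCEP URL before it is typed into the router (the post's last attempt, `10.0.0.10/ra/server`, has no scheme at all), build the GetCACaps/GetCACert request URLs, and interpret the server's replies the way RFC 8894 specifies them. Accepting only http:// URLs, the IP addresses, the identity string "RCA" and the GetCACaps body are assumptions of this example, not facts from the page; the sample body is constructed, not captured from a router.

```python
"""Helpers for sanity-checking a SCEP endpoint (RFC 8894).

Added example, not RouterOS code. The URL shape, the GetCACaps keyword list
and the GetCACert content types follow RFC 8894; everything network-specific
(addresses, the "RCA" identity, the sample caps body) is assumed/constructed.
"""
from urllib.parse import urlencode, urlsplit
import urllib.request

# Capability keywords a server may advertise in GetCACaps (RFC 8894 section 3.5.2).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Content types a GetCACert reply can carry (RFC 8894 section 4.2.1).
CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "single CA certificate (DER)",
    "application/x-x509-ca-ra-cert": "CA plus RA certificates (certs-only PKCS#7)",
}


def check_scep_url(url):
    """Return url if it has the shape SCEP expects (http://host/path), else raise ValueError.

    HTTPS deployments exist, but plain HTTP is what the post's working add-scep call
    used, so only http is accepted here (an assumption of this example).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"not an http URL: {url!r}")
    if not parts.netloc:
        raise ValueError(f"missing host: {url!r}")
    if parts.path in ("", "/"):
        raise ValueError(f"missing SCEP path: {url!r}")
    return url


def is_scep_url(url):
    """Boolean form of check_scep_url, convenient for pre-checking configuration values."""
    try:
        check_scep_url(url)
        return True
    except ValueError:
        return False


def operation_url(base_url, operation, message=None):
    """Build the GET URL for a SCEP operation: base?operation=OP[&message=MSG]."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return check_scep_url(base_url) + "?" + urlencode(params)


def parse_ca_caps(body):
    """Split a GetCACaps body (one keyword per line) into (known, unknown) keyword sets."""
    tokens = {line.strip() for line in body.splitlines() if line.strip()}
    return tokens & KNOWN_CAPS, tokens - KNOWN_CAPS


def choose_algorithms(caps):
    """Pick the strongest digest and cipher the server advertises.

    The RFC 8894 fallbacks when nothing better is advertised are SHA-1 and triple-DES;
    a current server should list SHA-256, AES and POSTPKIOperation.
    """
    if "SHA-512" in caps:
        digest = "SHA-512"
    elif "SHA-256" in caps:
        digest = "SHA-256"
    else:
        digest = "SHA-1"
    cipher = "AES" if "AES" in caps else "DES3"
    return {"digest": digest, "cipher": cipher,
            "post_pki_operation": "POSTPKIOperation" in caps}


def classify_ca_cert_reply(content_type):
    """Describe a GetCACert reply by its Content-Type, or raise on an unexpected one."""
    key = content_type.split(";")[0].strip().lower()
    if key not in CA_CERT_TYPES:
        raise ValueError(f"unexpected GetCACert content type: {content_type!r}")
    return CA_CERT_TYPES[key]


def probe(base_url, ca_ident, timeout=5):
    """Live probe (needs network): fetch GetCACaps and GetCACert from the server."""
    with urllib.request.urlopen(operation_url(base_url, "GetCACaps", ca_ident),
                                timeout=timeout) as r:
        known, unknown = parse_ca_caps(r.read().decode("ascii", "replace"))
    with urllib.request.urlopen(operation_url(base_url, "GetCACert", ca_ident),
                                timeout=timeout) as r:
        kind = classify_ca_cert_reply(r.headers.get("Content-Type", ""))
        der = r.read()
    return {"algorithms": choose_algorithms(known), "unknown_caps": sorted(unknown),
            "ca_cert_reply": kind, "ca_cert_bytes": len(der)}


# Constructed sample of a GetCACaps body; not captured from a router.
SAMPLE_CAPS_BODY = "SHA-256\nAES\nPOSTPKIOperation\nRenewal\nSCEPStandard\n"

if __name__ == "__main__":
    known, unknown = parse_ca_caps(SAMPLE_CAPS_BODY)
    print(operation_url("http://10.0.0.1/scep/server", "GetCACaps", "RCA"))
    print(choose_algorithms(known), sorted(unknown))
```

Run `probe("http://10.0.0.1/scep/server", "RCA")` from a host that can reach the CA router to see which capabilities and which kind of GetCACert reply the server actually returns; a reply typed `application/x-x509-ca-ra-cert` is the one that carries an RA certificate alongside the CA certificate.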