Community discussions

MikroTik App
 
tvrebac
Trainer
Trainer
Topic Author
Posts: 8
Joined: Wed Feb 11, 2015 6:58 pm

Openssl CA certificate not recognized as CA

Mon Oct 12, 2015 12:23 am

I have problem with CA certificate generated by openssl not getting recognized by RouterOS (since version 6.28 and later) as CA.

The following command is used to generate CA:
openssl req -new -newkey rsa:2048 -config openssl_mikrotik-capsman_v1.cnf -keyout ca.key -out ca.crt -nodes -x509 -days 3650
I also tried to generate CA on RouterOS and it is recognized as CA cert. If I export that certificate and import it back it is not recognized as CA :-(

On RouterOS version 6.27 and earlier all works OK.

Does anybody know what is wrong with my setup or is it something wrong in the RouterOS?

Here is openssl_mikrotik-capsman_v1.cnf file (without comments)
RANDFILE		= ./.rnd

[ ca ]
default_ca	= CA_default

[ CA_default ]
dir		= .	
certs		= $dir
crl_dir		= $dir
database	= $dir/index.txt
new_certs_dir	= $dir

certificate	= $dir/ca.crt
serial		= $dir/serial
crl		= $dir/crl.pem
private_key	= $dir/ca.key
RANDFILE	= $dir/.rand

x509_extensions	= basic_exts

crl_extensions	= crl_ext

default_days	= 3650	
default_crl_days= 30
default_md	= sha256

policy		= policy_anything

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
name			= optional
emailAddress		= optional

[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
default_md		= sha256
distinguished_name	= req_distinguished_name 
x509_extensions		= v3_ca

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = HR
countryName_min                = 2
countryName_max                = 2

stateOrProvinceName	       = State or Province Name (full name)
stateOrProvinceName_default    = PGZ

localityName                   = Locality Name (eg, city)
localityName_default           = Kastav

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = MyCompany d.o.o.

organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = CAPsMAN Test

commonName                     = Common Name (eg, YOUR name)
commonName_max                 = 64

emailAddress                   = Email Address
emailAddress_max               = 40
emailAddress_default           = pki@mycompany.lan


[ basic_exts ]
basicConstraints	= CA:FALSE
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid,issuer:always

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

 
AOEUMagnus
just joined
Posts: 3
Joined: Tue Feb 22, 2011 3:48 pm

Re: Openssl CA certificate not recognized as CA

Tue Sep 13, 2016 10:42 am

Hi,

A while after the question, but it can perhaps be of help to others.
You need to set nsComment="Generated by RouterOS" on the CA certificate to get the "A" (authority) flag when importing it.
 
tvrebac
Trainer
Trainer
Topic Author
Posts: 8
Joined: Wed Feb 11, 2015 6:58 pm

Re: Openssl CA certificate not recognized as CA

Fri Jan 27, 2017 9:44 pm

I think I tried that too but didn't work. I also generated CA on the Routerboard itself, exported it, deleted CA, imported previous export and still didn't show A flag :-) Gonna have to test on newer bugfix releases and will post results.

Cheers!
 
tvrebac
Trainer
Trainer
Topic Author
Posts: 8
Joined: Wed Feb 11, 2015 6:58 pm

Re: Openssl CA certificate not recognized as CA

Sat Mar 11, 2017 2:49 am

Hi,

A while after the question, but it can perhaps be of help to others.
You need to set nsComment="Generated by RouterOS" on the CA certificate to get the "A" (authority) flag when importing it.
Yes, that is the solution of "problem" ;-)

OK, so config file needs to be altered, only [ v3_ca ] section is relevant here ...

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsComment = "Generated by RouterOS"

Thanx man!
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6001
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Openssl CA certificate not recognized as CA

Wed Mar 15, 2017 9:01 am

Why do you need A flag? Imported certificates work fine without it.

Only difference is that imported certificates cannot be used to issue new certificates .
 
luca1234567
just joined
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Openssl CA certificate not recognized as CA

Thu Mar 26, 2020 2:23 pm

Hello,

I meet with this same problem of flag "Authority" of imported CA certificates in ROuterOS.
So i write this post viewtopic.php?f=2&t=159183
To request a correction of implementation.
Best regards.

Who is online

Users browsing this forum: anav, Bing [Bot], forand, jamrobe, Kazek and 73 guests