The following command is used to generate the CA:
# Creates a self-signed CA certificate (-x509) from a freshly generated 2048-bit RSA key:
# key -> ca.key, certificate -> ca.crt, lifetime 3650 days (10 years).
# -nodes writes ca.key WITHOUT a passphrase, so its confidentiality rests entirely on
# file permissions; drop -nodes if the key should be encrypted at rest.
# `openssl req` reads the [ req ] section of the .cnf (and the sections it references:
# req_distinguished_name, v3_ca); the [ ca ] / CA_default sections are used later by `openssl ca`.
openssl req -new -newkey rsa:2048 -config openssl_mikrotik-capsman_v1.cnf -keyout ca.key -out ca.crt -nodes -x509 -days 3650
On RouterOS version 6.27 and earlier everything works OK.
Does anybody know what is wrong with my setup or is it something wrong in the RouterOS?
Here is the openssl_mikrotik-capsman_v1.cnf file (without comments):
# OpenSSL configuration for the CAPsMAN CA.
# Two commands read it: `openssl req ... -x509` (creates the self-signed CA, uses [ req ])
# and `openssl ca` (signs end-entity requests, uses [ ca ] -> CA_default).

# PRNG seed file (relative to the working directory).
RANDFILE = ./.rnd

# ---- `openssl ca` configuration ----------------------------------------
[ ca ]
default_ca = CA_default

[ CA_default ]
# Everything lives in the current directory; $dir is expanded below.
dir = .
certs = $dir
crl_dir = $dir
# Issued-certificate database; `openssl ca` expects this file to exist (it may be empty).
database = $dir/index.txt
new_certs_dir = $dir
# CA certificate and private key produced by the `openssl req -x509` command.
certificate = $dir/ca.crt
# Next serial number; `openssl ca` expects this file to exist (or pass -create_serial).
serial = $dir/serial
# CRL output; publishing it is the only way to retire an issued certificate early.
crl = $dir/crl.pem
# NOTE: ca.key was written with -nodes (no passphrase) - restrict its file permissions.
private_key = $dir/ca.key
# Second RANDFILE setting; $dir/.rand is used when this section is active.
RANDFILE = $dir/.rand
# Extensions stamped onto certificates signed by `openssl ca` (end-entity profile).
x509_extensions = basic_exts
# Extensions added to generated CRLs.
crl_extensions = crl_ext
# Issued certificates are valid for 10 years - long for end-entity certs; revocation
# via the CRL above is the only recall mechanism.
default_days = 3650
# CRL must be regenerated at least every 30 days to stay valid.
default_crl_days= 30
default_md = sha256
# DN policy applied to incoming requests.
policy = policy_anything

# Only commonName must be present in a request; every other DN field is accepted
# as submitted. Fine for a private CA where the operator reviews each request.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional

# ---- `openssl req` configuration ---------------------------------------
[ req ]
# 2048-bit RSA (also given explicitly as -newkey rsa:2048 on the command line).
default_bits = 2048
# Not used by the CA command above because -keyout ca.key overrides it.
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
# Extensions applied when `openssl req -x509` produces the self-signed CA.
x509_extensions = v3_ca

# Interactive prompts and their defaults for the subject DN.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = PGZ
localityName = Locality Name (eg, city)
localityName_default = Kastav
0.organizationName = Organization Name (eg, company)
0.organizationName_default = MyCompany d.o.o.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CAPsMAN Test
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = pki@mycompany.lan

# End-entity profile (certificates signed by `openssl ca`).
[ basic_exts ]
# CA:FALSE prevents an issued certificate from itself acting as a CA.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# `keyid` (without :always) falls back to issuer/serial if the issuer has no SKI.
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): no keyUsage / extendedKeyUsage is set for issued certificates; if the
# relying party enforces EKU (serverAuth/clientAuth) these would need to be added -
# whether that is related to the behaviour seen on newer RouterOS is unverified.

# Self-signed CA profile (applied by `openssl req -x509`).
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
# Key usage limited to signing certificates and CRLs; the CA key cannot be used
# directly for TLS endpoints.
keyUsage = cRLSign, keyCertSign

# CRL extensions: identify the issuing CA key in each CRL.
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always