Community discussions

MikroTik App
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Making Imported Certificate into a Certificate Authority

Wed Aug 10, 2016 5:03 pm

After fiddling with how to actually import a certificate for a while, I am now ready to use it. Or so I thought.
It turns out that MikroTik doesn't consider my certificate an "authority", even thought it has been used for that for a good number of years outside of MikroTik.

The http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates article mentions how to import a certificate authority, but at the end of the step-by-step guide the certificate isn't even an authority.

I was told by a co-worker that has been working with MikroTik longer than me, that he remembers it just being a checkbox somewhere. But that seems to no longer be the case, as there is nothing that can be done to a signed certificate apart from toggling trust and a few buttons that aren't really helpful.

Anyone know how to do this?
Last edited by Deantwo on Fri Aug 19, 2016 3:04 pm, edited 1 time in total.
I wish my FTP was FTL.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Thu Aug 11, 2016 5:02 pm

Looking a little more around on the forum, and there really is no good search results for "Certificate Authority".

Testing a little with my certificate and comparing it to a self-signed certificate on a MikroTik, I only see a difference between the two certificates on the "Key Usage" tab. More specifically the "Key Usage" flags for my imported certificate is blank.
Imported Certificate CA.PNG
You do not have the required permissions to view the files attached to this post.
I wish my FTP was FTL.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Making Imported Certificate into a Certificate Authority

Thu Aug 18, 2016 12:22 pm

If i remember correctly, it worked up to 6.14 ore something like that.
Then MT dropped the possibility of loading CAs as CA.
But they still work.
If you have a trusted CA imported as a simple certificate, it will still verify e.g. a remote SSTP certificate, it just will not show up as a CA.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Thu Aug 18, 2016 12:28 pm

But they still work.
If you have a trusted CA imported as a simple certificate, it will still verify e.g. a remote SSTP certificate, it just will not show up as a CA.
True, it has been working for a long time now like this.
However now I actually want to use the certificate as a CA by issuing certificates with it on the router, but I can't do that because it is not considered a CA in the eyes of RouterOS.

My current workaround has been to create a new self-signed certificate as CA and use that for all future certificate issuing, then leave the old imported CA along side it as backward compatibility until the day I can phase it out.
I wish my FTP was FTL.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Making Imported Certificate into a Certificate Authority

Thu Aug 18, 2016 2:07 pm

AFAIK you CAN generate a self signed CA, but you need ti generate it on the router itself.
Then it will show up as a CA.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Thu Aug 18, 2016 2:10 pm

AFAIK you CAN generate a self signed CA, but you need to generate it on the router itself.
Then it will show up as a CA.
Yeah that is what I mean.

I can however create a self-signed certificate on one router, export it, and import it into another router while still have it keep the CA status.
I wish my FTP was FTL.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Fri Aug 19, 2016 1:17 pm

My current workaround has been to create a new self-signed certificate as CA and use that for all future certificate issuing, then leave the old imported CA along side it as backward compatibility until the day I can phase it out.
Mmh, this may not be a valid solution anyway.
It doesn't appear to be possible to define more than one certificate for the OpenVPN server at a time. At least it will require a second ovpn-server.

Back to poking at the old certificate...

If anyone has any suggestions I'd love to hear them.
I wish my FTP was FTL.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Mon Aug 22, 2016 12:43 pm

Ok, been doing some more research and testing of older RouterOS versions.

RouterOS was seemingly not able to make/issue certificates before around version 6.10.
The checkbox that was labeled "CA" seem to have just been "Trust" before it was renamed in version 6.3.

I have attempted to import my CA on multiple different RouterOS versions with the same result. On version 6.10 it at least was able to see "Digital Signature" as a key usage, whereas on 6.35 it shows as having a blank list of key usages (as seen in the picture I posted before).

I created a new CA using OpenSSL on a linux machine (following http://wiki.mikrotik.com/wiki/Manual:Cr ... th_OpenSSL) and have had it act identical to my CA. So I figure I can rule out that it is my CA that is the problem.
I don't know how RouterOS makes the certificates, but a MikroTik router is able to use CAs created on another MikroTik router just fine.
Last edited by Deantwo on Mon Aug 22, 2016 2:35 pm, edited 1 time in total.
I wish my FTP was FTL.
 
User avatar
Deantwo
Member
Member
Topic Author
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Making Imported Certificate into a Certificate Authority

Mon Aug 22, 2016 12:49 pm

Ok, I seem to have found the issue.
The old third-party certificate program that I have been using for the past 6 years doesn't actually check certificate KeyUsage bits.

So in short, my CA doesn't have the KeyCertSign KeyUsage bit set!
MikroTik, is doing the correct thing in disallowing my certificate from being used as a CA.

The http://wiki.mikrotik.com/wiki/Manual:Cr ... th_OpenSSL doesn't actually do this either, which I believe may be cause of this confusion. The guide doesn't create the CA with the KeyCertSign KeyUsage bit set.

I guess that means I have to retire the old CA sooner than I thought. I have a few more ideas I want to test though.
I wish my FTP was FTL.
 
luca1234567
just joined
Posts: 15
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Making Imported Certificate into a Certificate Authority

Thu Mar 26, 2020 2:23 pm

Hello,

I meet with this same problem of flag "Authority" of imported CA certificates in ROuterOS.
So i write this post viewtopic.php?f=2&t=159183
To request a correction of implementation.
Best regards.

Who is online

Users browsing this forum: No registered users and 195 guests