mipland (Member Candidate, Topic Author)

[SOLVED] Hotspot with SSL: Private Key and Certificate fail

Sun Nov 12, 2006 7:53 pm

After reading a LOT of topics, the wiki and Google, I haven't found a suitable way to generate SSL keys for RouterOS (2.9.34). Better: I found the way, but RouterOS doesn't want it!
Winbox wouldn't import my key/certificate. I tried to follow the howto for certificate import, but no success...when I give a "decrypt" command, it asks me for the passphrase, but no decrypted keys follow...I'm (quite) desperate!
This is what I do:
- generating the private key and certificate in this way:
SERVER=hotspot.mynetwork.net
PRIVATE_KEY=$SERVER.key
CERTIFICATE_FILE=$SERVER
VALID_DAYS=1095
openssl genrsa -des3 -out $PRIVATE_KEY 1024
openssl req -new -x509 -days $VALID_DAYS -key $PRIVATE_KEY -out $CERTIFICATE_FILE
- two files are generated: hotspot.mynetwork.net (certificate) and hotspot.mynetwork.net.key (private key)
- upload the two files via FTP to an RB153 with RouterOS 2.9.34
- login via telnet to the RB153:
[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
[admin@IZ3HAD] certificate> import
passphrase: *********
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 1

[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=C=IT,ST=xxxxxx,O=xxxxxx 
      issuer=C=IT,ST=xxxxxx,O=xxxxxx serial-number="xxxxxx" 
      invalid-before=nov/12/2006 17:32:27 invalid-after=nov/11/2009 17:32:27 ca=yes 
[admin@IZ3HAD] certificate> decrypt 
passphrase: *********
  keys-decrypted: 0

[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=C=IT,ST=xxxxxx,O=xxxxxx 
      issuer=C=IT,ST=xxxxxx,O=xxxxxx serial-number="xxxxxx" 
      invalid-before=nov/12/2006 17:32:27 invalid-after=nov/11/2009 17:32:27 ca=yes
Has no one ever set up a hotspot with SSL authentication?
Thanks in advance

73 de IZ3HAD
Last edited by mipland on Thu Dec 20, 2007 1:53 pm, edited 3 times in total.
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 2:02 pm

No one?
Bye

IZ3HAD, Mirco
 
normis (MikroTik Support)

Mon Nov 13, 2006 2:55 pm

Try running the import command once more.
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 3:45 pm

Thanks Normis! I followed the official HowTo http://www.mikrotik.com/docs/ros/2.9/root/certificate, but it is incorrect (in my opinion).

Edit:
follow my personal HowTo.
Last edited by mipland on Mon Nov 13, 2006 7:12 pm, edited 1 time in total.
 
normis (MikroTik Support)

Mon Nov 13, 2006 4:37 pm

But did it work then? Did you get your hotspot to run with SSL?
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 6:24 pm

Sure
Bye

IZ3HAD, Mirco
 
cmit (Forum Guru)

Mon Nov 13, 2006 6:32 pm

Could someone please correct the misleading thread topic?
We're talking about SSL (!) certificates here, not SSH...

Best regards,
Christian Meis
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 6:34 pm

Excuse me for the mistakes...I've just changed the title of the topic.
Bye

IZ3HAD, Mirco
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 7:59 pm

RB 112-153 Secure Hotspot HowTo with HTTPS (optionally HTTPS + RADIUS)

This HowTo is intended for use on MikroTik RouterBoard 112/153, with RouterOS 2.9.34.

Open your winbox utility, and connect to the board through MDP (or do a "/system reset" on a board already in use):
Click on "New Terminal".

Now we are going to control our interfaces, and enable/disable those of interest (I have an RB 153):
[admin@MikroTik] > /interface print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       TYPE    RX-RATE   TX-RATE   MTU
 0  R  ether1     ether   0         0         1500
 1  R  ether2     ether   0         0         1500
 2  R  ether3     ether   0         0         1500
 3  R  ether4     ether   0         0         1500
 4  R  ether5     ether   0         0         1500
 5  X  wlan1      wlan    0         0         1500
[admin@MikroTik] > interface
[admin@MikroTik] interface> set 1,2,3,4 disabled=yes
[admin@MikroTik] interface> set 5 disabled=no
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       TYPE    RX-RATE   TX-RATE   MTU
 0  R  ether1     ether   0         0         1500
 1  X  ether2     ether   0         0         1500
 2  X  ether3     ether   0         0         1500
 3  X  ether4     ether   0         0         1500
 4  X  ether5     ether   0         0         1500
 5     wlan1      wlan    0         0         1500
Set a name for the interfaces (without spaces on the wireless interface, otherwise the hotspot setup will fail; I think that's a bug).
[admin@MikroTik] interface> set 0 name=internet
[admin@MikroTik] interface> set 5 name=hotspot
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       TYPE    RX-RATE   TX-RATE   MTU
 0  R  internet   ether   0         0         1500
 1  X  ether2     ether   0         0         1500
 2  X  ether3     ether   0         0         1500
 3  X  ether4     ether   0         0         1500
 4  X  ether5     ether   0         0         1500
 5     hotspot    wlan    0         0         1500
Now we are going to set up the wireless interface:
[admin@MikroTik] interface> wireless set hotspot ssid=IZ3HAD band=5ghz frequency=5280 mode=ap-bridge periodic-calibration=enabled
Set an IP address for the "internet" interface, its default gateway and its DNS. The option allow-remote-requests is there to speed up DNS by caching the local requests on the MikroTik box.
[admin@MikroTik] interface> /ip
[admin@MikroTik] ip> address add address=192.168.10.99/24 interface=internet
[admin@MikroTik] ip> route add gateway=192.168.10.1
[admin@MikroTik] ip> dns
[admin@MikroTik] ip dns> set primary-dns=192.168.10.1
[admin@MikroTik] ip dns> set allow-remote-requests=yes
[admin@MikroTik] ip dns> ..
[admin@MikroTik] ip> ..
Now, create a certificate on a Linux machine. A script could be the following:
#!/bin/sh
SERVER=hotspot.mynetwork.net
PRIVATE_KEY=$SERVER.key
CERTIFICATE_FILE=$SERVER
VALID_DAYS=1095

openssl genrsa -des3 -out $PRIVATE_KEY 1024

openssl req -new -x509 -days $VALID_DAYS -key $PRIVATE_KEY -out $CERTIFICATE_FILE # Autocertified
Then, give it the execution properties and execute it:
chmod +x myscript
./myscript
Give your password three times.
Give all the information required (CA, email, etc.).

Two files are produced:
--- hotspot.mynetwork.net is the certificate
--- hotspot.mynetwork.net.key is the private key

Put these files (via FTP) on the root of the MT Board.
Return to the MT Board CLI and give the following commands to import the certificate and the private key:
[admin@MikroTik] > certificate
[admin@MikroTik] certificate> import
passphrase: ****************
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1

[admin@MikroTik] certificate> import
passphrase: ****************
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="cert1" subject=C=IT,ST=xxxx,L=xxxx,O=xxxx,OU=xxxx,CN=IZ3HAD,emailAddress=xxxx issuer=C=IT,ST=xxxx,L=xxxx,O=xxxx,OU=xxxx,CN=IZ3HAD,
emailAddress=xxxx
serial-number="xxxx" email=xxxx
invalid-before=nov/13/2006 13:13:27 invalid-after=nov/12/2009 13:13:27
ca=yes
It's time to set-up your hotspot.
[admin@MikroTik] certificate> /ip hotspot
[admin@MikroTik] ip hotspot> setup
hotspot interface: hotspot
local address of network: 192.168.100.1/24
masquerade network: yes
address pool of network: 192.168.100.100-192.168.100.254
select certificate: IZ3HAD
ip address of smtp server: 0.0.0.0
dns servers: 192.168.10.2
dns name: hotspot.mynetwork.net
name of local hotspot user: admin
password for the user: *******
[admin@MikroTik] ip hotspot>
To force the authentication mode to "only HTTPS", type this:
[admin@MikroTik] ip hotspot> profile
[admin@MikroTik] ip hotspot profile> set hsprof1 login-by=https
If you have a freeradius server, add in /etc/raddb/clients.conf a new entry like this:
client 192.168.10.99/24 {
       secret          = iz3had
       shortname       = hotspot
}
And, on the RB CLI:
[admin@MikroTik] > /radius
[admin@MikroTik] radius> add address 192.168.10.2 service=hotspot secret=iz3had authentication-port=1812 accounting-port=1813
[admin@MikroTik] radius> /ip hotspot profile
[admin@MikroTik] ip hotspot profile> set hsprof1 use-radius=yes
Now you have a secured hotspot! Connect your client to the MT, and type any address in Firefox: you will get a certificate approval request; it's yours!
Hints
If you disable Connection Tracking, the HotSpot will not be able to redirect your connection.

P.S.
I found a perfectly working guide in a previous topic to make this config, but there was nothing on the SSL side, and no or erroneous info for a "secure" hotspot authentication on the rest of the forum, so I decided to make a new howto.
Thanks to Normis for his hint.

73 de IZ3HAD
Last edited by mipland on Tue Nov 14, 2006 9:58 pm, edited 4 times in total.
Bye

IZ3HAD, Mirco
 
sergejs (MikroTik Support)

Mon Nov 13, 2006 8:17 pm

If your example is 100% working, you can publish it in the MikroTik wiki,
http://wiki.mikrotik.com
 
mipland (Member Candidate, Topic Author)

Mon Nov 13, 2006 8:27 pm

Sure, it's 100% working. I reset my board and tried to follow my howto as posted to make a hotspot. I powered on my laptop and it got an IP from the hotspot's DHCP. Then, after starting Firefox, it asked me to accept the certificate and showed the login page. The login, redirect and logout work perfectly.
I'm trying to register myself on the wiki, but it appears to have some problems...I'll try later and I'll insert my howto.

73 de IZ3HAD
Bye

IZ3HAD, Mirco
 
kvan64 (Member Candidate)


Sun Nov 04, 2007 12:37 am

Can you create an unsigned certificate using a Linux liveCD? If yes, which liveCD do you recommend? Ta
 
lagosta (just joined)


Tue Aug 19, 2008 12:57 pm

I tried this tutorial and it works really well, thanks very much; everything is very well explained and you should definitely publish it in the MikroTik wiki.

I don't know if the live CDs are able to do this; if they have OpenSSL installed, I'm pretty sure it is possible. Then you just need an FTP client (I used Filezilla) and SSH or telnet to do the rest.
Try to do everything on Linux, because if you import your self-signed certificate to Windows it is possible that the properties of the file change and the certificate won't work. But you can try :)
 
lagosta (just joined)


Wed Aug 20, 2008 11:29 am

Well, I think there is no use in having Linux after all; all you need is a version of OpenSSL for Windows, for example this one:
http://www.slproweb.com/download/Win32O ... 0_9_8g.exe

After installing, go to the /bin directory and run the executable file; you can then create your own certificate and private key with these two simple commands:

genrsa -des3 -out private.key 1024

req -new -x509 -days 365 -key private.key -out certificate.pem

Then follow the rest of the tutorial :)
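The two openssl steps used in the HowTo above and in this reply (genrsa -des3, then req -new -x509), as an added example that is not part of any post in this thread: a POSIX shell script that runs them non-interactively and then checks, before the FTP upload, that the key really is passphrase-protected (so the router's import prompt has something to decrypt) and that it belongs to the certificate. It assumes openssl is on the PATH; the server name, subject and passphrase are constructed placeholders, and the key size is raised from the thread's 1024 bits to 2048.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumes `openssl` is on the PATH.
# Same two steps as the HowTo (genrsa -des3, then req -new -x509), made
# non-interactive, plus sanity checks worth running before uploading to the router.
set -eu

# gen_hotspot_cert SERVER PASSPHRASE [VALID_DAYS]
# Writes SERVER.key (DES3-encrypted RSA key) and SERVER (self-signed certificate).
gen_hotspot_cert() {
    SERVER=$1
    PASSPHRASE=$2
    VALID_DAYS=${3:-1095}
    # 2048 bits instead of the thread's 1024: 1024-bit RSA is no longer acceptable.
    openssl genrsa -des3 -passout "pass:$PASSPHRASE" -out "$SERVER.key" 2048 2>/dev/null
    # Subject given on the command line so no prompts appear; values are placeholders.
    openssl req -new -x509 -days "$VALID_DAYS" -key "$SERVER.key" \
        -passin "pass:$PASSPHRASE" -subj "/C=IT/O=mynetwork/CN=$SERVER" \
        -out "$SERVER"
}

# key_is_encrypted SERVER
# Succeeds when the PEM key is passphrase-protected, i.e. the router's import
# passphrase prompt will actually have something to decrypt.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1.key"
}

# key_matches_cert SERVER PASSPHRASE
# Succeeds when the RSA modulus in the certificate equals the one in the key;
# if they differ the router cannot pair the imported key with the certificate.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$1.key" -passin "pass:$2")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_is_self_signed SERVER
# The HowTo produces a self-signed certificate (the router prints ca=yes);
# this confirms subject and issuer are identical.
cert_is_self_signed() {
    [ "$(openssl x509 -noout -subject -in "$1")" = \
      "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=/subject=/')" ]
}
```

Run it as `gen_hotspot_cert hotspot.mynetwork.net 'your passphrase'` followed by the three check functions; only when all three succeed are the two files worth uploading.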
 
tristan.bolton (just joined)


Sat Feb 28, 2009 7:39 am

Is there a way to have a Secure Hotspot without having to accept the SSL certificate? Mine is signed by a CA and it says unknown Issuer?

Any ideas??
 
mikrotikgrrl (just joined)


Mon Apr 13, 2009 10:00 pm

Thank you for this straightforward tutorial! Worked like a charm :)

Darci
 
macns (just joined)


Fri Sep 19, 2014 10:07 am

If you're having timeouts when trying to import a certificate on RouterOS v6.5 (could be other versions too),
try upgrading to the latest version:
System / Packages / Check for updates
Installing an SSL certificate on your hotspot setup will not get rid of the browser warnings on clients.
Latest versions of Chrome, AFAIK, display a large red lock with no other (immediately visible) options.

Due to this I'm thinking of allowing all 443 traffic ..

This is a problem that seems unsolvable because of the way encrypted traffic works.

Suggestions/thoughts, anyone?
