/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
create-certificate-request
template ca-template
key-passphrase mypassphrase
/certificate
import file-name=mydomain_com.crt
passphrase *****
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
import file-name=certificate-request_key.pem
passphrase *****
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
/ip service set www-ssl certificate=mydomain_com.crt_0
/ip hotspot profile set hsprof1 login-by=https ssl-certificate=mydomain_com.crt_0
I have RouterOS v6.40.1, do I have to update to the last one?Make sure your RouterOS is up to date.
I didn't understand how to use it on the router, can you help me?You can use something like https://testssl.sh for verifying that TLS support is working correctly.
I upgraded to v6.42.3 and now when I connect to the hotspot and the popup opens, I get this warning:If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).
You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.
Here is the .crt file from namecheap, i renamed it because of invalid file extension. my domain is uala.datalit.itThat message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.
You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
I renamed your file into uala_datalit_intermediate.crt and I tried to import it with:There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
import file-name=uala_datalit_intermediate.crt
passphrase *****
import file-name=certificate-request_key.pem
passphrase *****
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0
/certificate> import file-name=uala_datalit_intermediate.crt
passphrase: *******
certificates-imported: 2
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
/certificate> import file-name=certificate-request_key.pem
passphrase: *******
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
This old doc says SSLv2, SSLv3, TLS but you can't select which protocols useAny signed cert should be fine, price is not important, even a free one from Let's Encrypt should work.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.
in order to secure your website, it is necessary to obtain an SSL certificate and complete all the required steps:
1) CSR code generation
2) SSL certificate activation
3) SSL certificate validation
4) SSL certificate installation
Due to the security reasons, it is recommended to generate the CSR code on your hosting server.
However, you can use any online tool instead. You are welcome to generate the CSR code using this online tool: https://decoder.link/csr_generator
Once the CSR code is generated, you will see the pop-up window with 3 tabs: "CSR", "Private key" and "Certificate".
The first "CSR" tab contains your CSR code that includes the following tags: “-----BEGIN CERTIFICATE REQUEST-----" and “-----END CERTIFICATE REQUEST-----”.
On the second "Private key" tab, there will be your private key. Your private key should begin with: -----BEGIN RSA PRIVATE KEY----- and end with: -----END RSA PRIVATE KEY-----
Please keep in mind that it is necessary to save the private key in order order to use it for the SSL certificate installation.
The third "Certificate" tab you will see a self-signed SSL certifcate that should *not* be used instead of your Comodo SSL certificate.
Please copy your CSR code and paste it into the “CSR” field on the fist step of activation in order to activate the certificate.
For more information how to activate an SSL certificate, feel free to check this guide: https://www.namecheap.com/support/knowl ... ertificate.
There are 3 DCV (Domain Control Validation) methods that you can choose from: the email-based, the HTTP-based and the DNS-based one.
For more information, feel free to check this guide about SSL Validation: https://www.namecheap.com/support/knowl ... ertificate
Please keep in mind that once the activation and validation are completed and the certificate is issued by Comodo, it is necessary to install the SSL certificate on your hosting server.
More information on how to install an SSL certificate can be found via this link: https://www.namecheap.com/support/knowl ... rtificates
You can check the installation of your certificate using this tool: https://decoder.link/sslchecker
Can someone kindly explain if this is the true case. Even with CA signed Certificates?Note: Browser will still warn end-user about redirection even with CA signed certificate! This warning message cannot be avoided.
Maybe and sometimes..I read here https://wiki.mikrotik.com/wiki/Manual:H ... PS_example thatCan someone kindly explain if this is the true case. Even with CA signed Certificates?Note: Browser will still warn end-user about redirection even with CA signed certificate! This warning message cannot be avoided.
