In my case, I am using cacert.org to create my certificate and everything seems to be working there.
Note that things do not match perfectly compared to what the wiki says. For example, when creating the template it does not prompt for fields and they must be passed on the command line. I created a certificate request and posted it to cacert.org and filled in the response.
I was able to successfully import the response and the crl says:
0 D certificate-response.pem_0 nov/07/2018 04:02:55 402825 http://crl.cacert.org/revoke.crl
The certificate-response shows up with flags K, L and T with the common name for my FQDN.
I exported the certificate and key file and loaded those files onto my VPN client.
Additionally, I set up the ppp profile and secret as needed as well as the IP pool.
The problem I keep seeing, however, is:
04:41:55 certificate,error scep client failure: requesting-ca-certificate-failed
04:42:55 certificate,error scep client failure: requesting-ca-capabilities-failed
I do not know what is going wrong.
I feel part of the problem is that the wiki is out of date when it comes to certificates.
For example, it says, "Warning: Generated private keys will be in pkcs8 format, which is not supported in RouterOS. To import such keys, run: openssl rsa -in private-key.key -text and write key output to new file. Upload new file to RouterOS and import"
This does not appear to be the case. The generated key is in PEM format and it is typically named certificate-request_key.pem. Also, nothing seems to happen when I attempt to import the generated key after entering the password, though it complains if I enter the wrong password.
Here are the steps I'm using to create the certificate using cacert.org:
[download certificate-request.pem and certificate-request_key.pem]
/certificate add name="client1-template" country="US" state="CA" common-name="my-domain.org" key-size=2048 days-valid=365
/certificate create-certificate-request key-passphrase="my password" template=client1-template key-size=4096
[paste certificate-request.pem to cacert.org when creating a new server cert]
[copy and paste the response into certificate-response.pem]
[upload certificate-response.pem to Mikrotik]
[wait until it is valid]
/certificate import file-name=certificate-response.pem
/certificate import file-name=certificate-request_key.pem
/certificate crl print
/certificate print detail
K L T name="certificate-response.pem_0" issuer=O=Root CA,OU=http:,,www.cacert.org,CN=CA Cert Signing Authority,emailAddressfirstname.lastname@example.org
common-name="mydomain.org" key-size=4096 subject-alt-name=DNS:mydomain.org days-valid=180 trusted=yes
fingerprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" invalid-before=nov/07/2018 03:54:32
invalid-after=may/06/2019 03:54:32 expires-after=25w4d17h54m7s
Everything looks good here.
/ppp profile add name="ovpn-profile" local-address=192.168.0.252 remote-address=pptp remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=required only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""
/ppp secret add name="myloginname" password="my password" profile=ovpn-profile
/interface ovpn-server server
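Added example (mine, not code from the original post or from RouterOS): a small Python check of which structure a PEM private key file actually carries before it is uploaded, since the wiki text quoted above distinguishes PKCS#8 keys from the traditional RSA form that `openssl rsa` writes, and the BEGIN label alone does not prove which one you have. The DER blobs below are constructed to be structurally shaped and are not real keys; the function names are my own.

```python
import base64
import re

def _read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_pem_key(pem_text):
    """Classify a PEM private key by its DER structure, not just its BEGIN label."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem_text, re.S)
    if not m:
        return "not-pem"
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:                         # every key format here is an outer SEQUENCE
        return "unknown"
    first_tag, _, first_end = _read_tlv(der, start)
    if first_tag == 0x30:                   # EncryptedPrivateKeyInfo: SEQ { SEQ alg, OCTET STRING }
        return "pkcs8-encrypted"
    if first_tag == 0x02:                   # both PKCS#1 and PKCS#8 start with INTEGER version
        second_tag, _, _ = _read_tlv(der, first_end)
        if second_tag == 0x30:              # PrivateKeyInfo: SEQ { INT, SEQ alg, OCTET STRING }
            return "pkcs8-unencrypted"
        if second_tag == 0x02:              # RSAPrivateKey: SEQ { INT version, INT n, INT e, ... }
            return "pkcs1-rsa"
    return "unknown"

# Constructed, structurally shaped DER (NOT real keys) so the example runs offline.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content      # short-form length (content < 128 bytes)

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))    # rsaEncryption
PBES2_OID = _tlv(0x06, bytes.fromhex("2a864886f70d01050d"))  # PBES2
SAMPLES = {
    "traditional": _pem("RSA PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x0b") + _tlv(0x02, b"\x03"))),
    "pkcs8": _pem("PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, RSA_OID + _tlv(0x05, b"")) + _tlv(0x04, b"\x00"))),
    "pkcs8_encrypted": _pem("ENCRYPTED PRIVATE KEY", _tlv(0x30, _tlv(0x30, PBES2_OID) + _tlv(0x04, b"\x00"))),
}
```

Run `classify_pem_key(open("certificate-request_key.pem").read())` on the exported file to see which form the router actually produced.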