cantanko
newbie
Topic Author
Posts: 28
Joined: Mon Apr 05, 2010 12:53 am

/certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing

Tue Apr 09, 2019 3:11 pm

Certificate shenanigans again, RouterOS 6.44.2 CHR.

I start off with a completely empty certificate system:
[me@myendpoint] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME              COMMON-NAME            SUBJECT-ALT-NAME                                         FINGERPRINT

I create a CA and self-sign it:
/certificate add key-size=4096 days-valid=3650 trusted=yes key-usage=key-cert-sign name=MyCA common-name="My CA"
sign MyCA



All good so far:
[me@myendpoint] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME              COMMON-NAME            SUBJECT-ALT-NAME                                         FINGERPRINT
 0 K   A  T MyCA              My CA                                                                           f5432231f8be7d2a7a5...

I create a certificate for the SSTP server:
add name=myendpoint.example.com common-name=myendpoint.example.com subject-alt-name=IP:192.0.2.1 key-usage=tls-server key-size=4096 days-valid=365


Again, all good so far:
[me@myendpoint] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME              COMMON-NAME            SUBJECT-ALT-NAME                                         FINGERPRINT
 0 K   A  T MyCA              My CA                                                                           f5432231f8be7d2a7a5...
 1          myendpoint.exa... myendpoint.example.com IP:192.0.2.1

Then I sign this server cert with the CA:
sign ca=MyCA myendpoint.example.com

And this happens:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME              COMMON-NAME            SUBJECT-ALT-NAME                                         FINGERPRINT
 0 K   A  T MyCA              My CA                                                                           f5432231f8be7d2a7a5...
 1 K    I   myendpoint.exa... myendpoint.example.com IP:192.0.2.1                                             c5ca3f3f91f9e9ef632...
                                                     IP:192.0.2.1
                                                     IP:192.0.2.1

What on earth is happening with the subject-alt-names???

Cheers!
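A check for the symptom shown in the post above, as an added example that is not part of the original thread and is not MikroTik tooling: it reads pasted /certificate print output, follows the continuation lines under SUBJECT-ALT-NAME, and reports any SAN entry listed more than once for a certificate. The sample table is constructed from the values in the post; the function names and the column widths used to build the sample are assumptions of this example.

```python
import re
from collections import Counter

ROW = re.compile(r"^ {0,3}(\d+)\s")  # a numbered line starts a new certificate row
WIDTHS = (12, 18, 23, 57)            # assumed column widths for the constructed sample

def table_line(flags, name, cn, san, fingerprint):
    """Build one aligned table line for the constructed sample below."""
    cells = (flags, name, cn, san)
    return "".join(c.ljust(w) for c, w in zip(cells, WIDTHS)) + fingerprint

def duplicated_sans(print_output):
    """Return [(row, name, san, count)] for SAN entries listed more than once."""
    cols, seen, key = None, {}, None  # seen: (row, name) -> Counter of SANs
    for line in print_output.splitlines():
        if "SUBJECT-ALT-NAME" in line and "FINGERPRINT" in line:
            # Header: take column offsets from it; a new table resets the tally.
            cols = [line.index(h) for h in
                    ("NAME", "COMMON-NAME", "SUBJECT-ALT-NAME", "FINGERPRINT")]
            seen, key = {}, None
            continue
        if cols is None:
            continue
        name_c, cn_c, san_c, fp_c = cols
        row = ROW.match(line)
        if row:
            key = (int(row.group(1)), line[name_c:cn_c].strip())
            seen[key] = Counter()
        elif key is None or line[:san_c].strip():
            continue  # prompt or flags legend, not a SAN continuation line
        san = line[san_c:fp_c].strip()
        if san:
            seen[key][san] += 1
    return [(num, name, san, n) for (num, name), c in seen.items()
            for san, n in c.items() if n > 1]

# Constructed sample reproducing the layout of the post-signing table above.
SAMPLE = "\n".join([
    table_line(" #", "NAME", "COMMON-NAME", "SUBJECT-ALT-NAME", "FINGERPRINT"),
    table_line(" 0 K   A  T", "MyCA", "My CA", "", "f5432231f8be7d2a7a5..."),
    table_line(" 1 K    I", "myendpoint.exa...", "myendpoint.example.com",
               "IP:192.0.2.1", "c5ca3f3f91f9e9ef632..."),
    table_line("", "", "", "IP:192.0.2.1", ""),
    table_line("", "", "", "IP:192.0.2.1", ""),
])

if __name__ == "__main__":
    for num, name, san, n in duplicated_sans(SAMPLE):
        print(f"row {num} ({name}): {san} listed {n} times")
```

The NAME column is truncated by the print command, so results are keyed on the row number together with the name as displayed.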
 
cantanko
newbie
Topic Author
Posts: 28
Joined: Mon Apr 05, 2010 12:53 am

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing

Tue Apr 09, 2019 5:50 pm

Strangely, this appears to get worse with time - just ended up with eighteen SANs!
Fresh install of RouterOS CHR, no clue as to what's causing this...
 
emils
MikroTik Support
Posts: 610
Joined: Thu Dec 11, 2014 8:53 am

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing  [SOLVED]

Tue Apr 09, 2019 7:00 pm

This is fixed already in the testing release channel and the fix will also be included in the next stable build. Sorry for any inconvenience.

What's new in 6.45beta22 (2019-Mar-29 08:37):

*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
 
cantanko
newbie
Topic Author
Posts: 28
Joined: Mon Apr 05, 2010 12:53 am

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing

Tue Apr 09, 2019 7:27 pm

Looked everywhere but in the Beta release notes :D

Many thanks for the heads-up Emils - that was steadily driving me nuts!

Cheers!
