m4rk
just joined
Topic Author
Posts: 21
Joined: Fri Dec 15, 2017 8:02 pm

Import and use SSL Certificate

Fri May 10, 2019 11:46 am

Hi all,

To avoid the "Certificate error" message that appears when I block a website with a DNS Cloud Filter, I installed a Certification Authority on my PC, in the "Trusted Root Certification Authorities" store, and in this way I can see my personal blocked page instead of the certificate error.

Since I have to install it on different PCs in my network (I don't have an internal Active Directory server, so I can't use GPO), I would like to know if it's possible using Mikrotik, since I've recently read that it's possible to import an SSL certificate into the Mikrotik Security menu.

Can you also tell me what is the purpose of importing the certificate in Mikrotik?

Thanks a lot for your time and support and have a good day,

Marco
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: Import and use SSL Certificate

Fri May 10, 2019 7:13 pm

The whole certificate business is to confirm the authenticity of a user or device or web server to another user or device without them having to meet in person. So a certificate is directly or indirectly (via other certificates in a chain) signed by a root certification authority, and the recipient of a certificate can verify that fact if he has access to all the certificates in the chain. So operating systems like Windows or Android come with a pre-installed set of root certificates of different public certification authorities, and whoever presents a certificate signed by one of those authorities can use it to prove its identity (which is the subject of the certificate) without previously delivering any other information to the system.

To authenticate itself to someone else using a certificate, a device needs to have the private key of the certificate (and whoever has the private key to the certificate may impersonate the owner of the certificate).

So there should be two reasons to import a certificate: to use it to check the certificate owner's authenticity, which is a case where the certificate itself (with its public key included) is sufficient and it may be only a certificate of the issuing certification authority, not of the end certificate owner itself, and to use it to prove your own identity, which is a case where you need the private key.

So when you want to use a certificate to prove the authenticity of your Mikrotik, and the certificate was generated somewhere else for it, you need to import it including the private key, so you have to export it including the private key where it was generated.

When you want to use a certificate to verify the identity of someone else, it is enough to import the certificate of the root certification authority if that someone else sends you all the certificates from its own one up to the topmost one you don't have in your certificate store. So e.g. if there is a root CA which has signed the certificate of an intermediate CA, and the intermediate CA has signed the client's certificate, there are two options to successfully verify client's certificate:
- the client sends its own certificate alone, but you have imported both the root CA's and intermediate CA's certificate before
- you have imported only the root CA's certificate, but the client sends its own certificate and the intermediate CA's certificate

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
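
The two ways of completing the chain listed in the post above, plus the failing case where nobody supplies the intermediate, as an added example that is not part of any post in this thread. It uses Go's standard crypto/x509; the CA and client names and the Ed25519 keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed demo certificate and its key; nil parent means self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// verifies: only root is a trust anchor; imported and sent certificates just help build the path.
func verifies(leaf, root *x509.Certificate, imported, sent []*x509.Certificate) bool {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range append(append([]*x509.Certificate{}, imported...), sent...) {
		mids.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids})
	return err == nil
}

// scenarios: intermediate imported beforehand, intermediate sent by the client, neither.
func scenarios() (imported, sent, missing bool) {
	root, rk := issue("Demo Root CA", true, nil, nil)
	mid, mk := issue("Demo Intermediate CA", true, root, rk)
	client, _ := issue("demo-client", false, mid, mk)
	m := []*x509.Certificate{mid}
	return verifies(client, root, m, nil), verifies(client, root, nil, m), verifies(client, root, nil, nil)
}

func main() { fmt.Println(scenarios()) } // prints: true true false
```

In both passing cases the verifier only ever trusts the root it imported itself; the intermediate is needed to build the path but never becomes a trust anchor.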
 
R1CH
Forum Veteran
Posts: 883
Joined: Sun Oct 01, 2006 11:44 pm

Re: Import and use SSL Certificate

Fri May 10, 2019 7:24 pm

The purpose of importing an SSL cert into RouterOS is to secure the hotspot landing page. It won't help you do anything else; if you want to do SSL MITM, the root has to be installed on all end user devices regardless of what's on the router.
 
m4rk
just joined
Topic Author
Posts: 21
Joined: Fri Dec 15, 2017 8:02 pm

Re: Import and use SSL Certificate

Sat May 11, 2019 7:57 pm

Hi,
Meanwhile, thanks a lot for your support; I really appreciate it.

Practically, do you think it's possible to use only the Mikrotik's SSL certificate instead of installing it on every PC in my network?

I'll try to better explain my scenario:

I'm using a Cloud DNS Content Filter, so when I try to open a blocked website, the Filter returns its own public IP instead of the website's and, if the website uses the https secure protocol, the Filter also returns a certificate. So normally the browser shows a Certificate Error, since it expects to receive a different certificate.

To avoid this issue and to directly show the Content Filter blocked page, I installed a Certification Authority, provided by the Content Filter DNS, on my PC and it's working correctly.

Now I would like to import this certificate on every PC in my network, but I don't have an Active Directory server, so it would take a lot of time.

Is it possible to use Mikrotik to obtain the same result?

P.S. sorry for my English I hope you'll understand everything :)

Thank you in advance and have a nice weekend,

Marco
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: Import and use SSL Certificate

Sat May 11, 2019 8:09 pm

No, it is not possible to install a root CA certificate on Mikrotik through which a PC is connected to the internet to avoid installing that root CA certificate on each such PC individually. The remote server authenticity is verified by the browser on each PC, because otherwise anyone else between the server and the client could impersonate the server this way.
 
m4rk
just joined
Topic Author
Posts: 21
Joined: Fri Dec 15, 2017 8:02 pm

Re: Import and use SSL Certificate

Sat May 11, 2019 8:14 pm

Hi Sindy,

OK, so I'll start to install it on every single PC :)

so thanks again for your time and support.
