aleab
just joined
Topic Author
Posts: 9
Joined: Sat Sep 22, 2018 6:13 pm

OpenVPN move to another Board

Mon Sep 02, 2019 6:34 pm

Hello,
I have an RB941-2nD and I have just purchased an RBD52G-5HacD2HnD-TC.

My configuration is simple, but I have set up an ovpn server.

Can I move the certificates from the "old" mikrotik to the new one?
I searched and found something, but it is still not working...

I tried to do this:
on old mikrotik
/certificate export-certificate CA export-passphrase="12345678"
/certificate export-certificate client1 export-passphrase="12345678"
/certificate export-certificate server export-passphrase="12345678"
/certificate export-certificate client export-passphrase="12345678"
then downloaded them to my PC

on new mikrotik
/certificate import file-name=CA.crt passphrase=12345678
/certificate import file-name=CA.key passphrase=12345678
/certificate import file-name=server.crt passphrase=12345678
/certificate import file-name=server.key passphrase=12345678
/certificate import file-name=client.crt passphrase=12345678
/certificate import file-name=client.key passphrase=12345678
/certificate import file-name=client1.crt passphrase=12345678
/certificate import file-name=client1.key passphrase=12345678

With the command
/certificate print
I noticed that the CA certificate is KLAT (like on the old mikrotik, so I suppose it is fine)
but server, client and client1 are only K or KT (on the old mikrotik they are KI),
so I thought I had to sign those certificates.
But when I try to execute
/certificate sign server ca="CA" name="server"
I receive this error:
failure: name must be unique!

I think only this signature is missing, and then it would work...

How can I make the command work?

Thank you
Alessandro
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: OpenVPN move to another Board

Mon Sep 02, 2019 8:54 pm

Hi

Normally one only imports the private key on the target/server device. The public part can be distributed to the users of that server.

If the Tik is the CA, only import the private key.
For the ovpn server: only import the private key.
For the ovpn client: only import the private client key.
 
aleab
just joined
Topic Author
Posts: 9
Joined: Sat Sep 22, 2018 6:13 pm

Re: OpenVPN move to another Board

Tue Sep 03, 2019 12:18 am

Thank you for the reply @sebastia

But if I try to import only the key (without the crt):
[admin@MikroTik] > /certificate import file-name=server.key passphrase=12345678
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0

it doesn't import anything...
Same result with CA, client and client1...

Thank you
 
aleab
just joined
Topic Author
Posts: 9
Joined: Sat Sep 22, 2018 6:13 pm

Re: OpenVPN move to another Board

Tue Sep 03, 2019 12:56 am

I see that when I import CA.crt it automatically creates a CRL
http://127.0.0.1/crl/1.crl
Could it be that?

Thank you
 
aleab
just joined
Topic Author
Posts: 9
Joined: Sat Sep 22, 2018 6:13 pm

Re: OpenVPN move to another Board  [SOLVED]

Tue Sep 03, 2019 10:37 am

Sorry, I'm an idiot...

It works fine, it was enough to restart the mikrotik...

So, a recap of how to move OpenVPN from the old mikrotik to the new mikrotik:

on old mikrotik
/certificate export-certificate CA export-passphrase="12345678"
/certificate export-certificate client1 export-passphrase="12345678"
/certificate export-certificate server export-passphrase="12345678"
/certificate export-certificate client export-passphrase="12345678"

on new mikrotik
/certificate import file-name=CA.crt passphrase="12345678"
/certificate import file-name=CA.key passphrase="12345678"
/certificate import file-name=server.crt passphrase="12345678"
/certificate import file-name=server.key passphrase="12345678"
/certificate import file-name=client.crt passphrase="12345678"
/certificate import file-name=client.key passphrase="12345678"
/certificate import file-name=client1.crt passphrase="12345678"
/certificate import file-name=client1.key passphrase="12345678"

Reconfigure the same ovpn server parameters (firewall, dhcp, etc...)
Reboot the new mikrotik and test...

thank you
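
Added example (not part of the thread and not MikroTik's own tooling): a check that can be run on the PC between the export and import steps of the recap above, confirming with openssl that each downloaded .key decrypts with the export passphrase, belongs to its .crt, and that each certificate was issued by CA.crt. It assumes the NAME.crt / NAME.key file names used in the thread and a passphrase supplied in a hypothetical EXPORT_PASS environment variable, so it does not appear on the command line.

```shell
#!/bin/sh
# Added example: pre-import check of an exported certificate set.
# Assumptions: files are DIR/NAME.crt and DIR/NAME.key, the CA is DIR/CA.crt,
# and the export passphrase is in the EXPORT_PASS environment variable.

# check_pair DIR NAME -> 0 if NAME.key decrypts and belongs to NAME.crt
check_pair() {
    crt="$1/$2.crt"; key="$1/$2.key"
    [ -f "$crt" ] && [ -f "$key" ] || { echo "$2: .crt or .key missing"; return 2; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "$2: certificate unreadable"; return 3; }
    key_pub=$(openssl pkey -in "$key" -passin env:EXPORT_PASS -pubout 2>/dev/null) \
        || { echo "$2: key not decryptable with EXPORT_PASS"; return 4; }
    [ "$cert_pub" = "$key_pub" ] || { echo "$2: key does not match certificate"; return 5; }
    echo "$2: key matches certificate"
}

# check_issued DIR NAME -> 0 if NAME.crt verifies against DIR/CA.crt
check_issued() {
    openssl verify -CAfile "$1/CA.crt" "$1/$2.crt" >/dev/null 2>&1 \
        || { echo "$2: not issued by CA.crt (or expired)"; return 6; }
    echo "$2: issued by CA"
}

# check_set DIR NAME... -> exit status is the number of names that failed
check_set() {
    dir=$1; shift; failed=0
    check_pair "$dir" CA || failed=$((failed + 1))
    for name in "$@"; do
        { check_pair "$dir" "$name" && check_issued "$dir" "$name"; } \
            || failed=$((failed + 1))
    done
    return "$failed"
}

# Run only when called with arguments, e.g.:
#   EXPORT_PASS=... ./check.sh ./export server client client1
if [ "$#" -ge 2 ]; then
    check_set "$@"
fi
```

A non-zero exit status is the number of certificates that failed, so a mismatched or undecryptable key is caught before anything is uploaded to the new router.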
