Community discussions

MikroTik App
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Certificate "invalid before"/"expires after" .. difference why ?

Thu Oct 17, 2019 2:41 pm

Hello
Why there is a difference between "invalid before"/"expires after" ???
See the picture ..... which one is right ?
Unbenannt.JPG
Richard
You do not have the required permissions to view the files attached to this post.
 
krisjanisj
Member Candidate
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm
Contact:

Re: Certificate "invalid before"/"expires after" .. difference why ?

Thu Oct 17, 2019 2:52 pm

Let's break it down as mentioned in wiki :
Invalid Before : The date before which the certificate is invalid.
Invalid After : The date after which the certificate will be invalid.
Expires After : Days left until certificate expires.
In this case I have 2 questions:
1) Is this locally generated or imported certificate?
2) Is Your routers time set correctly and its showing precise time?
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 9:06 am

Hello

1) Is this locally generated or imported certificate?
It is generated locally on mikrotik router
2) Is Your routers time set correctly and its showing precise time?
yes, time and date is correct

When i reboot the router, all entries are correct (also the entrie "Expires After")
Over the time, the value "expires after" is no longer correct.
Its a RB4011iGS+5HacQ2HnD-IN with RouterOS 6.44.5 (Longterm)

18h later the router shows now:
Unbenannt.PNG
That's not correct when you look at "expires after" ?!?!?!?

So my question, when the certificate will expire ?? at the date or after the days shown ?!?!?!?

Richard
You do not have the required permissions to view the files attached to this post.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 11:33 am

Check it in command mode or maybe Webfig. Winbox has known bugs in date/time handling that MikroTik won't fix.
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 11:42 am

same thing in wegfig:
Unbenannt.PNG
Screenshot is about 2 hours later .... and the time in mikrotik for the certificate has about 4,5 hours past ?!?!?!?!?

Richard
You do not have the required permissions to view the files attached to this post.
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 12:06 pm

here a screenshot of the client certificate on the LtAP (genrated on the RB4011 and imported in the LtAP)
Unbenannt.JPG
The 26 Dec. is not in 6 days ?!?!??!!?!?

Richard
You do not have the required permissions to view the files attached to this post.
 
krisjanisj
Member Candidate
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm
Contact:

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 12:10 pm

Please send us a generated supout.rif file from the device and if it is possible a certificate thats generated and exhibits this kind of issue to support@mikrotik.com .
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 12:37 pm

ok i can send you the supout.rif and the webfig certificate (same issue there)
But i need an urgent info if the expire date is the right one or the day counter !
Richard
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 12:39 pm

same thing in wegfig:
Unbenannt.PNG

Screenshot is about 2 hours later .... and the time in mikrotik for the certificate has about 4,5 hours past ?!?!?!?!?

Richard
That is the behavior typical in winbox. Date/time running forward in the future because some offset is doubled or so.
(e.g. "last time up" or "last time down" in interface statistics is a date in the future)
Did not know it could affect webfig too. Try it in command mode.
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 1:05 pm

in terminal the details are right:

...........................invalid-before=dec/02/2018 11:10:42 invalid-after=dec/02/2019 11:10:42 expires-after=6w2d23h8m21s
6w = 6weeks .. right ?

so it's a webfig/winbox problem ?????

@krisjanisj
do you still need supout + cert ?

Richard
Last edited by roe1974 on Fri Oct 18, 2019 1:06 pm, edited 1 time in total.
 
krisjanisj
Member Candidate
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm
Contact:

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 1:06 pm

in terminal the details are right:

...........................invalid-before=dec/02/2018 11:10:42 invalid-after=dec/02/2019 11:10:42 expires-after=6w2d23h8m21s

so it's a webfig/winbox problem ?????

@krisjanisj
do you still need supout + cert ?

Richard
Yes, please provide us with the supout.rif and certificate to support@mikrotik.com
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 1:12 pm

@krisjanisj
mail sent
regards Richard
 
roe1974
Member Candidate
Member Candidate
Topic Author
Posts: 150
Joined: Mon Dec 31, 2018 2:14 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 1:25 pm

btw .. is there a way to extend the certificate in routerOS ? ... or is the only way to make a new one with longer term ?

Richard
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Certificate "invalid before"/"expires after" .. difference why ?

Fri Oct 18, 2019 3:56 pm

btw .. is there a way to extend the certificate in routerOS ? ... or is the only way to make a new one with longer term ?

Certificate validity is baked into certificate itself, so it's not possible to extend it (in verbatim sense).
However, when using some proper certificate tools (e.g. openssl tools on linux), it is possible to issue new certificate (it'll have different serial number) based on same private key and request file, so the certificate will be identical to the old one except for serial number and validity data. Probably that's not possible when using ROS to do it though. And the benefit of not creating new private key is questionable at best (why miss opportunity to create key with safer algorithm ...)...

Who is online

Users browsing this forum: aarntesla, Amazon [Bot], Bing [Bot], gigabyte091, hanzaw and 62 guests