Community discussions

MikroTik App
just joined
Topic Author
Posts: 21
Joined: Fri Oct 05, 2018 5:56 am

Webfig with HTTPS and a certificate, please.

Wed Dec 04, 2019 4:18 am

It appears that setting up proper https access is (still) a pain in the ass.

Creating a certificate with the following commands used to work - until now.
       certificate add name=root-cert common-name=root-certificate days-valid=3650 key-usage=key-cert-sign,crl-sign
       certificate sign root-cert
       certificate add name=https-cert common-name=https-certificate days-valid=3650
       certificate sign ca=root-cert https-cert
       ip service set www-ssl certificate=https-cert disabled=no
Certificate generated this way was not working in chrome: ERR_CERT_INVALID
... but at least it was working in firefox.
However, as of today even firefox complains, and gives a no-go:
Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The wiki here seems to be outdated and the forum search gives ancient results.
Is anyone aware of a set of commands that actually create a self-signed certificate that works in firefox and chrome, preferably by IP and by a domain name eventually?

And could we please please put this to the MikroTik wiki, so people can actually find it, and don't waste time on outdated pages?
Member Candidate
Member Candidate
Posts: 122
Joined: Mon Sep 23, 2019 1:04 pm

Re: Webfig with HTTPS and a certificate, please.

Wed Dec 04, 2019 1:22 pm

Just tested this with success and without the "pain in the ass".
I've used the same certificate I've generated for IKEv2 server-side.
Cert was generated using this:
/certificate add key-size=2048 days-valid=3650 key-usage=tls-server name=vpn.server
Where "" is the DDNS I'm using, and of course should be changed to yours. Nothing special.
/ip service print where name=www-ssl 
Flags: X - disabled, I - invalid 
 #   NAME                             PORT ADDRESS                                                              CERTIFICATE                         
 0   www-ssl                           443                                                                      vpn.server                          
And, of course, since it's a local CA, you should export your CA from mikrotik and import it in Windows in "Trusted Root Certification Authorities" or in whatever you are using.
Chrome gets it from there without any other settings as it seems.
Firefox needs this set in about:config to true "security.enterprise_roots.enabled" in order to search for the CA in Windows certificate store.
Attached info from firefox.
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: Bing [Bot], eworm, petya, repmohc, rmozoster, Sanalturkey, tdw, Znevna, Zwodka and 122 guests