e76aa
just joined
Topic Author
Posts: 15
Joined: Tue Apr 03, 2018 2:25 am

SSL certificate for mynetname domain

Fri Mar 20, 2020 11:29 am

Hi, I have activated the cloud domain and forwarded it to my oodoo server. Now the client asks for it to be secured with a certificate. What are the steps? I tried with openssl and generated some certificates, but when I tested it, it's not secure. I also found sslforfree, and when I try the automatic FTP verification I receive the following: "Pre-verification failed. The directory is incorrect." But when I check in Files, some additional folder has already been created in this directory.
How can I secure this domain?

Best regards
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSL certificate for mynetname domain

Fri Mar 20, 2020 3:44 pm

If you create certificate yourself, nobody will trust it. Except you, if you import your own CA as trusted, and possibly people who will do the same. It's usable only for strictly private use, but even that is not convenient, because CA needs to be added as trusted to every single device that will use the service.

Sslforfree seems to be some intermediate service for Let's Encrypt. But it still requires you to have a publicly accessible webserver for verification, so you can most likely skip it and use Let's Encrypt directly. I don't know what's oodoo server, but unless it's something extremely limited, you can run any standard Let's Encrypt client there.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
pcunite
Forum Guru
Posts: 1081
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: SSL certificate for mynetname domain

Sat Mar 21, 2020 12:44 am

I like using my own certificates.

To do this, you'll need to create a self-signed Root certificate. Then create all your end entity certs signed by your root. Install your entity certs as normal. Then export the Root, without its private key (in X509v3 DER or PEM format) and install that on all computers, phones, etc that will access your entity cert. The trusted Root, in the certificate store on your PCs, phones, will allow the cert to work like a big name cert.

You can use a product like CertManEx to make this easy.

Let me know if you are still having trouble.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSL certificate for mynetname domain

Sat Mar 21, 2020 1:13 am

Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them, and nobody in their right mind should do that.

My favourite tool for own certificates is XCA. It's also possible to use RouterOS, it too can create CA and issue certificates.
 
pcunite
Forum Guru
Posts: 1081
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: SSL certificate for mynetname domain

Sat Mar 21, 2020 4:04 am

> Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them.

Of course ...
 
e76aa
just joined
Topic Author
Posts: 15
Joined: Tue Apr 03, 2018 2:25 am

Re: SSL certificate for mynetname domain

Wed Mar 25, 2020 2:46 pm

> Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them, and nobody in their right mind should do that.
>
> My favourite tool for own certificates is XCA. It's also possible to use RouterOS, it too can create CA and issue certificates.

This will be for the client, for himself. When I create this and import it to MikroTik, do I need to do something more? Should I install this on my PC as well?
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSL certificate for mynetname domain

Wed Mar 25, 2020 10:22 pm

Create CA, then create certificate for server and sign it with CA. Install certificate on server. Each client then needs the CA certificate (without private key) and has to add it as trusted.
 
e76aa
just joined
Topic Author
Posts: 15
Joined: Tue Apr 03, 2018 2:25 am

Re: SSL certificate for mynetname domain

Sun Mar 29, 2020 11:13 am

I tried a couple of times but still without success. When I import the certificate into the browser it still shows not secure. What should I put in DNS and what in IP if I need to secure the mynetname domain? And do I first create the CA root certificate, and then what is the next step? Thanks
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSL certificate for mynetname domain

Sun Mar 29, 2020 7:42 pm

I'm not exactly sure about required key-usage, but this worked for me:
/certificate
add name=ca common-name=MyCA key-usage=key-cert-sign days-valid=3650
sign ca name=MyCA
add name=server common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-usage=tls-server days-valid=3650        
sign server ca=MyCA
export-certificate MyCA
export-certificate server export-passphrase=xxx type=???
??? is either pem or pkcs12, choose what's better for installing on your server

cert_export_server.* is what you install on server
cert_export_MyCA.crt is what you import in browser as trusted CA
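Added example, not part of the original thread and not RouterOS syntax: the same CA-then-server procedure done with OpenSSL, followed by the check a client effectively performs (does the certificate chain to a CA I trust, and does its subjectAltName match the name I typed). It assumes OpenSSL 1.1.0 or later; `OtherCA` and the address 192.0.2.10 are constructed stand-ins for a client that has not imported MyCA and for a client that connects by IP instead of the DNS name.

```shell
#!/bin/sh
# Added example. HOST is the placeholder from the post; all files are throwaway.
HOST="xxx.sn.mynetname.net"
WORK="$(mktemp -d)"

# Extension profiles: the CA may only sign certs; the server cert is TLS-server
# only and names the host in subjectAltName, which is what clients match against.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

make_ca() {      # $1 = CA name; writes $WORK/$1.key and $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -config "$WORK/pki.cnf" -extensions v3_ca \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_server() {  # $1 = name of the CA that signs the server certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -config "$WORK/pki.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -days 3650 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}

check() {        # $1 = CA the client trusts, $2 = hostname the client typed
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
        "$WORK/server.crt" >/dev/null 2>&1
}

make_ca MyCA && make_ca OtherCA && make_server MyCA
for t in "MyCA $HOST" "OtherCA $HOST" "MyCA 192.0.2.10"; do
    if check $t; then echo "trusted:  $t"; else echo "rejected: $t"; fi
done
```

Only the first combination is accepted: the client must trust MyCA itself (the CA certificate, never its private key), and it must reach the server under the exact name listed in subjectAltName.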
 
e76aa
just joined
Topic Author
Posts: 15
Joined: Tue Apr 03, 2018 2:25 am

Re: SSL certificate for mynetname domain

Mon Mar 30, 2020 1:21 pm

> I'm not exactly sure about required key-usage, but this worked for me:
> /certificate
> add name=ca common-name=MyCA key-usage=key-cert-sign days-valid=3650
> sign ca name=MyCA
> add name=server common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-usage=tls-server days-valid=3650
> sign server ca=MyCA
> export-certificate MyCA
> export-certificate server export-passphrase=xxx type=???
> ??? is either pem or pkcs12, choose what's better for installing on your server

Thanks for the help. I'm still new at this, so when I create this, server means MikroTik, right? Should I put this certificate in services for SSL, and should I open port 443 on my ISP router?

> cert_export_server.* is what you install on server
> cert_export_MyCA.crt is what you import in browser as trusted CA
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSL certificate for mynetname domain

Mon Mar 30, 2020 1:32 pm

No, server means your "oodoo server".