SSL certificate for mynetname domain

Posted: Fri Mar 20, 2020 11:29 am
by e76aa
Hi, I have activated the cloud domain and forwarded it to my oodoo server. Now the client asks for it to be secured with a certificate. What are the steps? I tried with openssl and generated some certificates, but when I tested it, it's not secure. I also found sslforfree, and when I try the automatic FTP verification I receive the following: "Pre-verification failed. The directory is incorrect." But when I check it in Files, it has already created some additional folder in this directory.
How can I secure this domain?

Best regards

Re: SSL certificate for mynetname domain

Posted: Fri Mar 20, 2020 3:44 pm
by Sob
If you create certificate yourself, nobody will trust it. Except you, if you import your own CA as trusted, and possibly people who will do the same. It's usable only for strictly private use, but even that is not convenient, because CA needs to be added as trusted to every single device that will use the service.

Sslforfree seems to be some intermediate service for Let's Encrypt. But it still requires you to have a publicly accessible webserver for verification, so you can most likely skip it and use Let's Encrypt directly. I don't know what's oodoo server, but unless it's something extremely limited, you can run any standard Let's Encrypt client there.

Re: SSL certificate for mynetname domain

Posted: Sat Mar 21, 2020 12:44 am
by pcunite
I like using my own certificates.

To do this, you'll need to create a self-signed Root certificate. Then create all your end entity certs signed by your root. Install your entity certs as normal. Then export the Root, without its private key (in X509v3 DER or PEM format) and install that on all computers, phones, etc that will access your entity cert. The trusted Root, in the certificate store on your PCs, phones, will allow the cert to work like a big name cert.

You can use a product like CertManEx to make this easy.

Let me know if you are still having trouble.

Re: SSL certificate for mynetname domain

Posted: Sat Mar 21, 2020 1:13 am
by Sob
Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them, and nobody in their right mind should do that.

My favourite tool for own certificates is XCA. It's also possible to use RouterOS, it too can create CA and issue certificates.

Re: SSL certificate for mynetname domain

Posted: Sat Mar 21, 2020 4:04 am
by pcunite
Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them.

Of course ...

Re: SSL certificate for mynetname domain

Posted: Wed Mar 25, 2020 2:46 pm
by e76aa
Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them, and nobody in their right mind should do that.

My favourite tool for own certificates is XCA. It's also possible to use RouterOS, it too can create CA and issue certificates.
This will be for the client himself. When I create this and import it to Mikrotik, do I need to do something more? Should I install this on my PC as well?

Re: SSL certificate for mynetname domain

Posted: Wed Mar 25, 2020 10:22 pm
by Sob
Create CA, then create certificate for server and sign it with CA. Install certificate on server. Each client then needs CA certificate (without private key) and add it as trusted.

Re: SSL certificate for mynetname domain

Posted: Sun Mar 29, 2020 11:13 am
by e76aa
I tried a couple of times but still without success. When I import the certificate to the browser it is still showing not secure. What should I put in DNS and what in IP if I need to secure the mynetname domain? And do I first create the CA root certificate, then what is the next step? Thanks

Re: SSL certificate for mynetname domain

Posted: Sun Mar 29, 2020 7:42 pm
by Sob
I'm not exactly sure about required key-usage, but this worked for me:
/certificate
add name=ca common-name=MyCA key-usage=key-cert-sign days-valid=3650
sign ca name=MyCA
add name=server common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-usage=tls-server days-valid=3650
sign server ca=MyCA
export-certificate MyCA
export-certificate server export-passphrase=xxx type=???

??? is either pem or pkcs12, choose what's better for installing on your server

cert_export_server.* is what you install on server
cert_export_MyCA.crt is what you import in browser as trusted CA
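
The same flow (CA, then a server certificate with a subjectAltName signed by that CA, then the check a client performs) written with openssl, as an added example that is not part of Sob's post. `xxx.sn.mynetname.net` is the placeholder from the thread; the file names, key sizes and the 825-day server lifetime are assumptions.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> client-side check.
set -eu
HOST="xxx.sn.mynetname.net"   # placeholder hostname used in the thread
WORK="$(mktemp -d)"           # scratch directory (assumption)

make_ca() {   # self-signed CA; only ca.crt is ever given to clients
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = MyCA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_server() {   # $1 = DNS name; browsers match it against the SAN
  cat > "$WORK/srv.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[v3_srv]
subjectAltName = DNS:$1
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/srv.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 825 -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/srv.cnf" \
    -extensions v3_srv -out "$WORK/server.crt" 2>/dev/null
}

check_server() {   # $1 = name the client connects to; trust anchor is ca.crt
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_ca
make_server "$HOST"
check_server "$HOST" && echo "trusted: $HOST chains to MyCA"
check_server "other.example.net" || echo "rejected: name not in SAN"
```

If `check_server` fails for the name typed into the browser, the browser will show "not secure" as well: either the CA certificate is not the one that signed the server certificate, or the name is missing from the subjectAltName.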

Re: SSL certificate for mynetname domain

Posted: Mon Mar 30, 2020 1:21 pm
by e76aa
I'm not exactly sure about required key-usage, but this worked for me:
/certificate
add name=ca common-name=MyCA key-usage=key-cert-sign days-valid=3650
sign ca name=MyCA
add name=server common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-usage=tls-server days-valid=3650
sign server ca=MyCA
export-certificate MyCA
export-certificate server export-passphrase=xxx type=???
??? is either pem or pkcs12, choose what's better for installing on your server

Thanks for the help. I'm still new at this, so when I create this, server means Mikrotik, right? Should I put this certificate in services for ssl, and should I open port 443 on my ISP router?

cert_export_server.* is what you install on server
cert_export_MyCA.crt is what you import in browser as trusted CA

Re: SSL certificate for mynetname domain

Posted: Mon Mar 30, 2020 1:32 pm
by Sob
No, server means your "oodoo server".