luca1234567
just joined
Topic Author
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Thu Mar 26, 2020 2:18 pm

Hello,

RouterBoard RB750Gr3 (HEXv3)
RouterOS v6.45.8
OpenSSL v1.1.1d

I want to import a self-signed CA certificate, with or without the private key, into RouterOS and have it flagged as "Authority".

I use OpenSSL to generate my Certificate Authority with a self-signed certificate with
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign

When I import it into RouterOS it is not seen as Authority.

Comparing with the self-signed certificate generated by RouterOS, I tested that if I add the Netscape Comment:
nsComment = "Generated by RouterOS"
it is correctly seen as Authority in RouterOS.

So I think this is not correct, because if these conditions hold:
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
the certificate must be considered a CA, and so be flagged as "Authority".

I think it would be correct to see the "Authority" flag if a certificate has basicConstraints = CA:true, regardless of whether it is a RouterOS-generated or an imported certificate.
This would be useful to understand which certificates are used as CAs for other purposes, for example for verification in WiFi EAP-TLS, VPN IPsec, etc.


I have just contacted the support e-mail, and the reply:
Imported certificates will not show as authority simply for one reason: you are not allowed to sign certificates using imported CAs.
If you do not see "authority" for a certificate it does not mean that it will not work for other intended purposes.
I write:
If I import only the CA certificate without the private key, under no condition is it possible for the CA to sign any other certificate.
And I do not know of any problem in allowing certificates to be signed using imported CAs.
Support:
The problem with allowing to sign certificates with imported CAs is that the device where the CA is imported is not the origin. You cannot know on how many other devices this CA is imported and how many other certificates are signed by other copies of this CA. This is especially a problem when using CRLs.
I write:
As I described in my first e-mail, if I create with OpenSSL a self-signed CA certificate with Netscape Comment = "Generated by RouterOS"
and import it without the private key into RouterOS, RouterOS shows the certificate with the flag "Authority".
Support:
Setting the Comment to be able to generate certificates is a hack. If you know this then good, but the reason why we do not show CAs as CAs is the same as mentioned previously. And yes, of course, if you do not have the private key you cannot sign anyway, and that makes even less sense why the CA flag is important.
I write:
The problem is to have in RouterOS the "Authority" flag in the certificate list for all CA certificates (those with basicConstraints = CA:true), whether imported or RouterOS-generated, with and without Netscape Comment = "Generated by RouterOS".
Can you remove the limitation of Netscape Comment = "Generated by RouterOS" in a new release?
Support:
But as mentioned previously several times, absence of the A flag does not affect imported CA functionality (e.g. verification works properly).
I think that they will not want to correct this implementation.



So I ask MikroTik publicly to implement the correction.
Who else confirms this request?


Hi
Best regards.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Thu Mar 26, 2020 7:39 pm

It looks like MikroTik reserves "Authority" for own CAs capable of issuing certificates. I guess it could be better if they had some other flag for it, and "Authority" would be for all CAs, so you would be able to quickly tell them from regular certificates. But it's just a cosmetic thing. Or do you see some functional problem?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
luca1234567
just joined
Topic Author
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Fri Mar 27, 2020 12:43 am

The "Authority" flag is very useful to see directly in the certificate list in RouterOS which certificates are considered a "Certification Authority" by RouterOS,
and to understand if something does not work during configuration of a service.
Best regards.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Fri Mar 27, 2020 1:13 am

I agree that it would be useful to see the difference between (external) CA and regular certificate without opening certificate properties, but current behaviour doesn't really break anything, right?
 
luca1234567
just joined
Topic Author
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Fri Mar 27, 2020 10:38 am

It seems the functionality is OK, and I have tested it.

From support: The "Authority" flag displays the ability of a certificate to sign another.
But that doesn't take away from the fact that this is not a good implementation, because if you import a CA certificate without the private key with Netscape Comment = "Generated by RouterOS",
this certificate has the "Authority" flag and is shown in WebFig under the Certificate > Sign menu as a CA, and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NO private key.

So I ask to correct, even at low priority, as follows:
- To indicate an imported certificate, a flag "Imported" could be added, not as a result of Netscape Comment = "Generated by RouterOS", but as an internal status bit in the RouterOS config.
- Remove the condition Netscape Comment = "Generated by RouterOS" for the "Authority" flag.
- The certificates shown in WebFig under the Certificate > Sign menu as CA, and usable there, should be those with both the "Authority" and "Private key" flags.

Is this a correct request?
Best regards.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Fri Mar 27, 2020 7:20 pm

I wouldn't worry too much about RouterOS CA without key. It's a corner case. It can only happen when you transfer RouterOS CA from one device to another. And when you need that, you should know what you're doing and transfer it with private key.

Then as I already wrote, it would be nice for all CA certificates to have some flag to indicate that.

Comment hack seems ok to me. If you export RouterOS CA from one device and import it to another, it's recognized as such and you can use it to issue new certificates (I didn't test it, but I guess they should work). If you need new one, you can generate it in RouterOS. Only problem would be if you already had existing non-RouterOS CA elsewhere and you wanted to move it to RouterOS and use it to issue new certificates. But it seems very unlikely.

A nice feature would be ability to completely move RouterOS CA from one device to another, i.e. including the list of issued and revoked certificates. When you issue certificate, it has "issued" flag. When you export everything and import it to other device, the flag is no longer there. I guess it could be done if you make backup on one device and restore it to another. But backups are officially only for same device. And even if they can be restored to another, it will restore whole config, not just things related to certificates, so it's not an option for device with own config that you need to keep.
 
luca1234567
just joined
Topic Author
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Mon Mar 30, 2020 1:03 am

I have also tested that importing a self-signed CA certificate generated with OpenSSL and Netscape Comment = "Generated by RouterOS", it can be used to sign another certificate in RouterOS. It works OK.

I don't like generating/signing certificates in RouterOS because:
- It is slow, for example with a key length of 8192 bits.
- I don't want to leave the private key in RouterOS.
- I cannot batch, or insert a random ID.
With OpenSSL:
- The PC is much quicker with large keys.
- I write a batch file and a program to generate a random ID and insert it in the SubjectAltName of the certificate.

I also support your notes about the "Issued" flag.

If MikroTik can correct the "Authority" and "Issued" flag questions, that would not be bad.


As for the config, officially the binary config can be imported into another RouterOS of the same device type, i.e. the same hardware but a different device.
https://wiki.mikrotik.com/wiki/Manual:System/Backup
Best regards.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Mon Mar 30, 2020 3:53 am

Certificates is one thing in RouterOS that I never found intuitive, unlike other parts. I'm not sure what exactly it is. Now it's slightly better, because I got used to it, but still... When combined with backup problems (the all or nothing approach of current binary backup is simply not convenient), I try to avoid it and keep CAs outside of RouterOS.

One nice improvement would be some built-in templates for different kinds of certificates (CA, client, server, ...). Look at Key Usage tab, who should remember what exactly each type needs?
 
mrz
MikroTik Support
Posts: 6001
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Wed Apr 01, 2020 9:34 am

This certificate has the "Authority" flag and is shown in WebFig under the Certificate > Sign menu as a CA, and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NO private key.
There is a specific flag that indicates whether the private key is imported, no matter if there is an A flag or not.

So to sum up:
* there is an A flag that indicates if the certificate was generated on the router and can be used to issue certificates
* there is a K flag that indicates if the certificate is decrypted with a private key
* CA certificates without a private key and authority flag can still be used for verification.
* certificates can be named to further indicate their role, for example: "CA_certprovider", "SubCA_Certprovider", etc.
 
luca1234567
just joined
Topic Author
Posts: 18
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request : Authority flag for Imported CA Certificate Authority in RouterOS

Wed Apr 01, 2020 10:56 pm

From support: The "Authority" flag displays the ability of a certificate to sign another.
But that doesn't take away from the fact that this is not a good implementation, because if you import a CA certificate without the private key with Netscape Comment = "Generated by RouterOS",
this certificate has the "Authority" flag and is shown in WebFig under the Certificate > Sign menu as a CA, and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NO private key.
There is a specific flag that indicates whether the private key is imported, no matter if there is an A flag or not.
What I want to say is that if a CA certificate does NOT have a private key, it must not be shown in WebFig under the Certificate > Sign menu as a CA, because it CANNOT sign another certificate.
This is a bug. To recreate:
- Generate a self-signed CA certificate in RouterOS. It is shown in WebFig under the Certificate > Sign menu as a CA.
- Export as Type=PEM with a passphrase. In Files, .crt and .key files are created.
- Remove the self-signed CA certificate in the certificate menu.
- Import only the .crt file. It is shown with the "Authority" flag and in WebFig under the Certificate > Sign menu as a CA. But OBVIOUSLY it CANNOT sign another certificate.


* there is an A flag that indicates if the certificate was generated on the router and can be used to issue certificates
I ask that the "Authority" flag indicate whether the certificate can be used to issue/sign certificates.

Thank you
Best regards.
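Added example, not code from the thread or from MikroTik: the OpenSSL CLI script below models the three distinctions the posts above turn on, using the extension lines from the first post. It generates two constructed self-signed CAs (one plain, one carrying nsComment "Generated by RouterOS"), checks each the way RFC 5280 defines a CA (basicConstraints CA:TRUE plus keyUsage keyCertSign), checks separately for the Netscape Comment, shows that leaf verification needs only the CA certificate (support's point), and shows that issuing needs the matching private key (the OP's reproduction with an imported .crt alone). Config section names, file names and the temporary directory are assumptions made here; the certificates are generated on the fly, so nothing from a real deployment is embedded.

```shell
#!/bin/sh
# Added example (not from the thread or MikroTik): the checks discussed above,
# done with the OpenSSL CLI. All certificates, names and paths are constructed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed OpenSSL config. v3_ca carries exactly the extensions from the
# first post; v3_ca_comment adds the Netscape Comment RouterOS keys on.
cat > "$work/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
[ v3_ca_comment ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
nsComment = "Generated by RouterOS"
EOF

# make_ca SECTION NAME: self-signed CA (EC P-256 for speed) -> NAME.crt / NAME.key
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$work/$2.key" -out "$work/$2.crt" -days 30 \
    -config "$work/ca.cnf" -extensions "$1" 2>/dev/null
}

# is_rfc5280_ca CRT: what an "Authority" flag should mean per RFC 5280:
# basicConstraints CA:TRUE and keyUsage keyCertSign, and nothing else.
is_rfc5280_ca() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# has_routeros_comment CRT: the Netscape Comment the thread says RouterOS looks for
has_routeros_comment() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Comment' | grep -q 'Generated by RouterOS'
}

# has_matching_key CRT KEY: true only when KEY belongs to CRT, which is the
# real precondition for issuing (the K flag), independent of any comment
has_matching_key() {
  [ -r "$2" ] || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# issue_leaf CACRT CAKEY NAME: sign a leaf with the CA; impossible without CAKEY
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$work/$3.key" -out "$work/$3.csr" -subj "/CN=$3.example" 2>/dev/null
  openssl x509 -req -in "$work/$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -out "$work/$3.crt" -days 30 2>/dev/null
}

# verify_leaf CACRT LEAFCRT: path validation needs the CA certificate only
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca v3_ca plain
make_ca v3_ca_comment commented
issue_leaf "$work/plain.crt" "$work/plain.key" leaf
for ca in plain commented; do
  is_rfc5280_ca "$work/$ca.crt" && echo "$ca.crt: CA by basicConstraints + keyUsage"
  has_routeros_comment "$work/$ca.crt" && echo "$ca.crt: has RouterOS nsComment" || true
done
verify_leaf "$work/plain.crt" "$work/leaf.crt" && echo "leaf verifies with the CA cert alone"
# a CA .crt without its .key cannot issue, whatever the comment says
has_matching_key "$work/commented.crt" "$work/commented.key" && echo "commented + key: can issue"
has_matching_key "$work/commented.crt" "$work/missing.key" || echo "commented without key: cannot issue"
```

Both constructed CAs pass the RFC 5280 check, only the second carries the comment, and the comment plays no role in either verification or issuing: verification succeeds with the certificate alone, and issuing is decided by whether the private key is present, which is the split between the A and K flags described in the support reply.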
