RouterBoard RB750Gr3 (HEXv3)
RouterOS v6.45.8
OpenSSL v1.1.1d
I want to import a CA self-signed certificate, with or without private key, into RouterOS and have it flagged as "Authority".
I use OpenSSL to generate my Certificate Authority with a self-signed certificate with
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
When I import it into RouterOS it is not seen as Authority.
By comparing with the self-signed certificate generated by RouterOS, I tested that if I add the Netscape Comment:
nsComment = "Generated by RouterOS"
it is correctly seen as Authority in RouterOS.
So I think this is not correct, because if these conditions are present:
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
the certificate must be considered a CA, and so be flagged as "Authority".
I think it should be correct to see the "Authority" flag if a certificate has basicConstraints = CA:true, regardless of whether it is a RouterOS generated or an imported certificate.
This would be useful to understand which certificates are used as CAs for other purposes, for example for verification in WiFi-EAP-TLS, VPN-IPSec, etc.
I just contacted support by e-mail, and the reply:
I write: Imported certificates will not show as authority simply for one reason, you are not allowed to sign certificates using imported CAs.
If you do not see "authority" for a certificate it does not mean that it will not work for other intended purposes.
Support: If I import only the CA certificate without the private key, in any condition it is impossible to sign any other certificate with the CA.
And I do not know of a problem with not allowing signing certificates using imported CAs.
I write: The problem with allowing to sign certificates with imported CAs is that the device where the CA is imported is not the origin. You cannot know on how many other devices this CA is imported and how many other certificates are signed by other copies of this CA. This is especially a problem when using CRLs.
Support: As I described in my first e-mail, if I create with OpenSSL a CA self-signed certificate with Netscape Comment = "Generated by RouterOS",
I import it without the private key on RouterOS. RouterOS sees the certificate with flag "Authority".
I write: Setting the Comment to be able to generate certificates is a hack. If you know this then good, but the reason why we do not show CAs as CAs is the same as mentioned previously. And yes, of course if you do not have the private key you cannot sign anyway, and that makes even less sense why the CA flag is important.
Support: The problem is to have, in RouterOS, the "Authority" flag in the certificate archive for all CA certificates (those with basicConstraints = CA:true), whether imported or RouterOS generated, with and without Netscape Comment = "Generated by RouterOS".
Can you remove the limitation of Netscape Comment = "Generated by RouterOS" in a new release?
I think that they will not want to correct this implementation. But as mentioned previously several times, absence of the A flag does not affect imported CA functionality (e.g. verification works properly).
So I ask publicly for MikroTik to implement a correction.
Who else confirms this request?
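As an added example (not from the post or from MikroTik), this script reproduces the OpenSSL CA setup the post describes and checks the extensions a CA certificate needs; it assumes openssl is on PATH, and the file names, CN and the "yes" switch for the Netscape comment are made up for the example.

```shell
#!/bin/sh
# Added example, not from the forum post: build the poster's OpenSSL CA config,
# self-sign a CA certificate, and check which CA extensions it really carries.
# Assumes openssl is on PATH; file names and the CN are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the OpenSSL config: CA:true with pathlen:0 plus cRLSign/keyCertSign,
# as in the post. Passing "yes" as $1 also adds the Netscape comment the
# poster found RouterOS uses to decide on its "Authority" flag.
write_ca_config() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Example Lab Root CA

[ ca_ext ]
basicConstraints     = critical, CA:true, pathlen:0
keyUsage             = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF
    if [ "${1:-no}" = "yes" ]; then
        echo 'nsComment = "Generated by RouterOS"' >> "$WORKDIR/ca.cnf"
    fi
}

# Generate the self-signed CA. The key stays local; only ca.crt would be
# uploaded when importing into RouterOS without the private key.
make_ca() {
    write_ca_config "${1:-no}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Return 0 when the certificate has the extensions that make it a CA,
# independent of any vendor-specific comment field.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' &&
    echo "$text" | grep -q 'Certificate Sign' &&
    echo "$text" | grep -q 'CRL Sign'
}
```

Run `make_ca` (or `make_ca yes`) and then `openssl x509 -in "$WORKDIR/ca.crt" -noout -text` to compare the two certificates: the only difference is the Netscape Comment, while `is_ca_cert` accepts both.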
Hi