 
luca1234567
newbie
Topic Author
Posts: 31
Joined: Tue May 15, 2018 1:27 am
Contact:

Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Thu Mar 26, 2020 2:18 pm

Hello,

RouterBoard RB750Gr3 (hEX v3)
RouterOS v6.45.8
OpenSSL v1.1.1d

I want to import a CA self-signed certificate, with or without private key, into RouterOS and have it flagged as "Authority".

I use OpenSSL to generate my Certificate Authority with a self-signed certificate with:
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign

When I import it into RouterOS it is not seen as Authority.

By comparing with the self-signed certificate generated by RouterOS, I tested that if I add the Netscape Comment:
nsComment = "Generated by RouterOS"
it is correctly seen as Authority in RouterOS.

So I think this is not correct, because if these conditions hold:
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
the certificate must be considered a CA, so flagged as "Authority".

I think it would be correct to see the "Authority" flag if a certificate has basicConstraints = CA:true, regardless of whether it is a RouterOS-generated or an imported certificate.
This would be useful to understand which certificates are used as CAs for other purposes, for example for verification in WiFi EAP-TLS, VPN IPsec, etc.


I just contacted the support e-mail, and the reply was:
Imported certificates will not show as authority simply for one reason: you are not allowed to sign certificates using imported CAs.
If you do not see "authority" for a certificate it does not mean that it will not work for other intended purposes.
I wrote:
If I import only the CA certificate without the private key, under any condition it is impossible for the CA to sign any other certificate.
And I do not know of a problem with allowing the signing of certificates using imported CAs.
Support:
The problem with allowing signing of certificates with imported CAs is that the device where the CA is imported is not the origin. You cannot know how many other devices this CA is imported on and how many other certificates are signed by other copies of this CA. This is especially a problem when using CRLs.
I wrote:
As I described in my first e-mail, if I create with OpenSSL a CA self-signed certificate with Netscape Comment = "Generated by RouterOS"
and import it without private key into RouterOS, RouterOS sees the certificate with flag "Authority".
Support:
Setting the Comment to be able to generate certificates is a hack. If you know this then good, but the reason why we do not show CAs as CAs is the same as mentioned previously. And yes, of course, if you do not have the private key you cannot sign anyway, and that makes even less sense why the CA flag is important.
I wrote:
The problem is that in RouterOS the "Authority" flag should be present in the certificate archive for all CA certificates (those with basicConstraints = CA:true), imported or RouterOS generated, with and without Netscape Comment = "Generated by RouterOS".
Can you remove the limitation of Netscape Comment = "Generated by RouterOS" in a new release?
Support:
But as mentioned previously several times, the absence of the A flag does not affect imported CA functionality (e.g. verification works properly).
I think that they will not want to correct this implementation.



So I ask MikroTik publicly to implement the correction.
Who else confirms this request?


Hi
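As an added example (not the OP's files or anything from MikroTik), here is the OpenSSL generation described above scripted end to end: it builds the same self-signed CA twice, once with only basicConstraints/keyUsage and once with the Netscape Comment added, and checks which extensions each certificate carries. An openssl binary on PATH and the CN value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the CA described above with OpenSSL,
# once plain and once with nsComment, and inspect the extensions. Assumes
# openssl is on PATH; the CN is a constructed value.
set -e
WORK=$(mktemp -d)

# Write the OpenSSL config; "with_comment" appends the Netscape Comment line.
write_conf() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Root CA
[ ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF
  if [ "$1" = "with_comment" ]; then
    echo 'nsComment = "Generated by RouterOS"' >> "$WORK/ca.cnf"
  fi
}

# Self-signed CA in $WORK/<name>.crt; the key stays in $WORK/<name>.key so only
# the .crt needs to be imported into the router (no private key on the device).
make_ca() {
  write_conf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -config "$WORK/ca.cnf" 2>/dev/null
}

# "rfc5280-ca" when CA:TRUE and keyCertSign are present (the OP's criterion for
# the Authority flag); ",routeros-comment" appended when the nsComment is too.
classify() {
  text=$(openssl x509 -in "$1" -noout -text)
  verdict="not-ca"
  if echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'Certificate Sign'; then
    verdict="rfc5280-ca"
  fi
  if echo "$text" | grep -q 'Generated by RouterOS'; then
    verdict="$verdict,routeros-comment"
  fi
  echo "$verdict"
}

make_ca plain
make_ca with_comment
```

Running `classify "$WORK/plain.crt"` and `classify "$WORK/with_comment.crt"` shows that both certificates are CAs by the RFC 5280 criteria and differ only in the comment extension.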
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Thu Mar 26, 2020 7:39 pm

It looks like MikroTik reserves "Authority" for own CAs capable of issuing certificates. I guess it could be better if they had some other flag for it, and "Authority" would be for all CAs, so you would be able to quickly tell them from regular certificates. But it's just a cosmetic thing. Or do you see some functional problem?
 
luca1234567
newbie
Topic Author
Posts: 31
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Fri Mar 27, 2020 12:43 am

The "Authority" flag is very useful to see directly in the certificate list in RouterOS which certificates are considered "Certification Authority" by RouterOS,
and to understand if something does not function during configuration of a service.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Fri Mar 27, 2020 1:13 am

I agree that it would be useful to see the difference between (external) CA and regular certificate without opening certificate properties, but current behaviour doesn't really break anything, right?
 
luca1234567
newbie
Topic Author
Posts: 31
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Fri Mar 27, 2020 10:38 am

It seems the functionality is OK, and I tested it.

From support: The "Authority" flag displays the ability of a certificate to sign another.
But it doesn't take away from the fact that this is not a good implementation, because if you import a CA certificate without private key with Netscape Comment = "Generated by RouterOS",
this certificate has the "Authority" flag and is shown in WebFig under Certificate > Sign menu as a CA and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NOT the private key.

So I ask to correct, even at low priority, the following:
- To indicate an imported certificate, a flag "Imported" may be added, not as a result of Netscape Comment = "Generated by RouterOS" but as an internal status bit in the RouterOS config.
- Remove the condition Netscape Comment = "Generated by RouterOS" from the "Authority" flag.
- The certificates shown in WebFig under Certificate > Sign menu as CA, and usable there, should be the certificates with both the "Authority" and "Private key" flags.

Could this be a correct request?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Fri Mar 27, 2020 7:20 pm

I wouldn't worry too much about RouterOS CA without key. It's a corner case. It can only happen when you transfer RouterOS CA from one device to another. And when you need that, you should know what you're doing and transfer it with private key.

Then as I already wrote, it would be nice for all CA certificates to have some flag to indicate that.

Comment hack seems ok to me. If you export RouterOS CA from one device and import it to another, it's recognized as such and you can use it to issue new certificates (I didn't test it, but I guess they should work). If you need new one, you can generate it in RouterOS. Only problem would be if you already had existing non-RouterOS CA elsewhere and you wanted to move it to RouterOS and use it to issue new certificates. But it seems very unlikely.

A nice feature would be ability to completely move RouterOS CA from one device to another, i.e. including the list of issued and revoked certificates. When you issue certificate, it has "issued" flag. When you export everything and import it to other device, the flag is no longer there. I guess it could be done if you make backup on one device and restore it to another. But backups are officially only for same device. And even if they can be restored to another, it will restore whole config, not just things related to certificates, so it's not an option for device with own config that you need to keep.
 
luca1234567
newbie
Topic Author
Posts: 31
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Mon Mar 30, 2020 1:03 am

I have also tested that, importing the CA self-signed certificate generated with OpenSSL and Netscape Comment = "Generated by RouterOS", it can be used to sign another certificate by RouterOS. It works OK.

I don't like to generate/sign certificates in RouterOS because:
- It is slow, for example with a key length of 8192 bits.
- I do not want to leave the private key in RouterOS.
- I cannot batch, or insert a random ID.
With OpenSSL:
- The PC is much quicker with large keys.
- I write a batch file and a program to generate a random ID and insert it in the SubjectAltName of the certificate.

I also support your notes about the "Issued" flag.

If MikroTik can correct the "Authority" and "Issued" flag question, it is not bad.


For the config, officially the binary config can be imported into another RouterOS of the same device type, so the same hardware but a different device.
https://wiki.mikrotik.com/wiki/Manual:System/Backup
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Mon Mar 30, 2020 3:53 am

Certificates is one thing in RouterOS that I never found intuitive, unlike other parts. I'm not sure what exactly it is. Now it's slightly better, because I got used to it, but still... When combined with backup problems (the all or nothing approach of current binary backup is simply not convenient), I try to avoid it and keep CAs outside of RouterOS.

One nice improvement would be some built-in templates for different kinds of certificates (CA, client, server, ...). Look at Key Usage tab, who should remember what exactly each type needs?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Wed Apr 01, 2020 9:34 am

This certificate has the "Authority" flag and is shown in WebFig under Certificate > Sign menu as a CA and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NOT the private key.
There is a specific flag that indicates whether the private key is imported, no matter if there is an A flag or not.

So to sum up:
* there is an A flag that indicates if the certificate is generated on the router and can be used to issue certificates
* there is a K flag that indicates if the certificate is decrypted with private key
* CA certificates without private key and authority flag can still be used for verification.
* certificates can be named to further indicate their role, for example: "CA_certprovider", "SubCA_Certprovider" etc.
 
luca1234567
newbie
Topic Author
Posts: 31
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Wed Apr 01, 2020 10:56 pm

From support: The "Authority" flag displays the ability of a certificate to sign another.
But it doesn't take away from the fact that this is not a good implementation, because if you import a CA certificate without private key with Netscape Comment = "Generated by RouterOS",
this certificate has the "Authority" flag and is shown in WebFig under Certificate > Sign menu as a CA and you can use it to TRY to sign a certificate, but you CANNOT sign another certificate because there is NOT the private key.
There is a specific flag that indicates whether the private key is imported, no matter if there is an A flag or not.
What I want to say is that if a CA certificate does NOT have the private key, it must not be shown in WebFig under Certificate > Sign menu as a CA, because it CANNOT sign another certificate.
This is a bug. To recreate:
- Generate a CA self-signed certificate in RouterOS. It is shown in WebFig under Certificate > Sign menu as a CA.
- Export as Type=PEM with passphrase. In Files a .crt and a .key file are created.
- Remove the CA self-signed certificate in the certificate menu.
- Import only the .crt file. It is shown with the "Authority" flag and in WebFig under Certificate > Sign menu as a CA. But OBVIOUSLY it CANNOT sign another certificate.


* there is an A flag that indicates if the certificate is generated on the router and can be used to issue certificates
I ask that the "Authority" flag indicates whether the certificate can be used to issue/sign certificates.

Thank you
 
iw2ngg
just joined
Posts: 5
Joined: Mon Dec 10, 2018 2:41 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Wed Jun 03, 2020 3:12 pm

I agree that it would be useful to see the difference between (external) CA and regular certificate without opening certificate properties, but current behaviour doesn't really break anything, right?
CA certificates without 'A' flag cannot be used to check client certificates in open-vpn server ("require client certificate" option).
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Thu Jun 04, 2020 1:41 pm

This is simply not true.
 
Dix
just joined
Posts: 6
Joined: Sat Jun 02, 2018 3:10 am

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Wed Jun 09, 2021 1:44 am

Hello,

RouterBoard RB750Gr3 (hEX v3)
RouterOS v6.45.8
OpenSSL v1.1.1d

By comparing with the self-signed certificate generated by RouterOS, I tested that if I add the Netscape Comment:
nsComment = "Generated by RouterOS"
it is correctly seen as Authority in RouterOS.
Thanks for the detailed post, it helped a lot with the question.
RouterOS v6.48.2: still working.
 
Phenek
just joined
Posts: 6
Joined: Tue Oct 03, 2023 11:05 am

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Tue Oct 03, 2023 11:23 am

Thanks @luca1234567 for your thread.

I just added the KeyCertSign and CrlSign flags and the nsComment to my CA's certificate request,
and it works like a charm!

I mean my CA is interpreted by RouterOS as a CA certificate. ✅

In C# (System.Security.Cryptography.X509Certificates; AsnWriter and PemEncoding need .NET 5 or later):
using System;
using System.Formats.Asn1;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// CA key pair; the request is signed with it here, so the private key never has to be imported into the router
using var rsa = RSA.Create(4096);
var issuer = new X500DistinguishedName("CN=My Root CA");

var request = new CertificateRequest(
    issuer,
    rsa,
    HashAlgorithmName.SHA256,
    RSASignaturePadding.Pkcs1
);

request.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(
        certificateAuthority: true,
        hasPathLengthConstraint: true,
        pathLengthConstraint: 0,
        critical: true
    )
);

// Adding the KeyCertSign and CrlSign flags
request.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
        critical: true
    )
);

// Adding the nsComment "Generated by RouterOS" (OID 2.16.840.1.113730.1.13).
// OpenSSL encodes this extension value as a DER IA5String, so it is encoded the same
// way here instead of storing the bare ASCII bytes, which are not valid DER.
var writer = new AsnWriter(AsnEncodingRules.DER);
writer.WriteCharacterString(UniversalTagNumber.IA5String, "Generated by RouterOS");
var nsCommentExtension = new X509Extension("2.16.840.1.113730.1.13", writer.Encode(), false);
request.CertificateExtensions.Add(nsCommentExtension);

// Self-sign and write the certificate only; this .crt is what gets imported into RouterOS
var ca = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10));
File.WriteAllText("ca.crt", new string(PemEncoding.Write("CERTIFICATE", ca.RawData)));

Thanks all for your time, you made my day!
Last edited by Phenek on Tue Oct 03, 2023 11:31 am, edited 1 time in total.
 
doctor12th
newbie
Posts: 38
Joined: Sat Nov 14, 2015 2:07 pm

Re: Correction request: Authority flag for Import CA Certificate Authority in RouterOS

Sun Oct 29, 2023 4:02 pm

Hello,
I tried to put the nsComment in, but the certificate is not imported as authority.

Have you tried on 7.11?
