lozio84
just joined
Topic Author
Posts: 10
Joined: Thu Dec 31, 2020 11:14 am

VPN Server: Migrate certificates to new hardware

Mon Jan 11, 2021 11:43 pm

Good evening everyone!
I have a working OVPN server built on an RB 2011, now I would like to upgrade the hardware by installing an RB1036. Of course I would like to copy the certificates generated by the old platform to avoid having to reconfigure all clients. I tried exporting the CA.crt, server.crt files and client certificates. I imported them to the new server but there is something wrong because it doesn't work.

What is the correct procedure for exporting all certificates of the VPN SERVER and making them work on another machine?

I created the files on the old server using the following example (each command on one line, as typed in the RouterOS CLI):
/certificate add name=CA country="IT" state="IT" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=127.0.0.1 name="CA"

/certificate add name=server country="IT" state="IT" common-name="server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client country="IT" state="IT" common-name="client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign client ca="CA" name="client"

Thanks
 
tdw
Long time Member
Posts: 640
Joined: Sat May 05, 2018 11:55 am

Re: VPN Server: Migrate certificates to new hardware

Tue Jan 12, 2021 12:02 am

You certainly have to export the certificates as a bundle in PKCS12 format so the private keys are exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:S ... neral_Menu

I recall there have been some reports that if a CRL has been specified (as in your example) it just doesn't work.
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Migrate certificates to new hardware

Tue Jan 12, 2021 3:06 am

AFAIK certificates are transferable, but the relation between the RouterOS CA and the issued certificates is not. So, for example, if you'd want to revoke some, you can't. A binary backup should contain everything, but it's not meant for different device models. I think it's bad, but so far it doesn't seem to be a problem for MikroTik.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
lozio84
just joined
Topic Author
Posts: 10
Joined: Thu Dec 31, 2020 11:14 am

Re: VPN Server: Migrate certificates to new hardware

Tue Jan 12, 2021 5:02 pm

Thanks for the reply!
So if I set up a new server from zero and create the certificates without a CRL, could I then export them and reload them on a new machine in case of hardware problems?
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Migrate certificates to new hardware

Tue Jan 12, 2021 6:52 pm

I'm not sure about the details, so it's probably best to test it yourself. In case you don't have a free spare device, you can use CHR (RouterOS VM; the free version is enough).
 
lozio84
just joined
Topic Author
Posts: 10
Joined: Thu Dec 31, 2020 11:14 am

Re: VPN Server: Migrate certificates to new hardware

Wed Jan 13, 2021 10:57 pm

In your opinion, which is better for a server that routes VPNs: a physical machine like an RB1036, or a virtual machine (CHR with adequate resources)?
It will have to manage about 150 VPNs between SSTP and OVPN.

Because, thinking about it, using the virtual machine I would not have the problem of certificates if the machine died and I had to recreate it from a backup.
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Migrate certificates to new hardware

Wed Jan 13, 2021 11:26 pm

That's not a question for me; you need someone who has experience with the performance of different devices. I just mentioned CHR as a simple way to test transfers of certificates between different devices.

Also, unless you need to generate certificates directly on router for any reason, you can always do it externally (using for example XCA or some other tool), and this particular problem will go away.
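The PKCS12 export tdw recommends and the external CA Sob suggests, as an added example that is not from the thread or from MikroTik: an openssl script that issues the first post's CA/server/client chain off the router, packs each leaf certificate together with its private key, and checks a bundle before it is trusted on the new device. It assumes openssl 1.1.1 or newer on the PATH; every name and the passphrase are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): off-router CA, PKCS12 bundles, and a
# pre-migration check. Assumes openssl 1.1.1+; names/passphrase are constructed.
set -e
WORK=$(mktemp -d)
PASS=migrate-example          # constructed export passphrase, not a real secret
cat >"$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=keyCertSign,cRLSign
[server]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
[client]
extendedKeyUsage=clientAuth
EOF
# Same subjects as the first post (C=IT, ST=IT); 2048-bit keys keep the demo quick.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/CA.key" -out "$WORK/CA.csr" \
  -subj "/C=IT/ST=IT/CN=CA" 2>/dev/null
openssl x509 -req -in "$WORK/CA.csr" -signkey "$WORK/CA.key" -days 3650 \
  -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/CA.crt" 2>/dev/null
mk_leaf() {  # mk_leaf NAME -> NAME.crt signed by CA, plus NAME.p12 holding its key
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/C=IT/ST=IT/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ext.cnf" -extensions "$1" \
    -out "$WORK/$1.crt" 2>/dev/null
  # Certificate + private key together: this is the bundle a router needs on import.
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -certfile "$WORK/CA.crt" -name "$1" -passout "pass:$PASS" -out "$WORK/$1.p12"
}
mk_leaf server
mk_leaf client
# bundle_ok FILE.p12 CA.crt -> 0 when the bundle holds a private key that matches
# its certificate AND the certificate chains to the CA the clients already trust.
bundle_ok() {
  crt=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null)
  key=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null)
  [ -n "$key" ] || { echo "$1: no private key in bundle" >&2; return 1; }
  cpub=$(printf '%s\n' "$crt" | openssl x509 -noout -pubkey | openssl sha256)
  kpub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "$1: key/cert mismatch" >&2; return 1; }
  printf '%s\n' "$crt" | openssl x509 | openssl verify -CAfile "$2" >/dev/null 2>&1
}
# A key-less bundle (what exporting only the .crt gives you) must fail the check.
openssl pkcs12 -export -in "$WORK/server.crt" -nokeys -passout "pass:$PASS" \
  -out "$WORK/server-nokey.p12"
```

Whatever tool produces the bundle (on RouterOS, the export-certificate command tdw links), the same two checks apply before the old router is retired: the key must be in the bundle and the certificate must still chain to the CA the clients trust.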
 
lozio84
just joined
Topic Author
Posts: 10
Joined: Thu Dec 31, 2020 11:14 am

Re: VPN Server: Migrate certificates to new hardware

Sun Jan 17, 2021 3:21 pm

Thank you very much for your reply
I will try with a program for generating certificates, and I will also test the portability across multiple platforms of the certificates generated by MikroTik; then I will let you know.
 
WhatItsGonna
just joined
Posts: 2
Joined: Sun Jan 17, 2021 8:50 pm
Location: USA.NY

Re: VPN Server: Migrate certificates to new hardware

Sun Jan 17, 2021 8:56 pm

Hi! Any news? Also moving to new hardware xd
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Migrate certificates to new hardware

Sun Jan 17, 2021 10:41 pm

Certificates generated by RouterOS are like any other certificates, i.e. they are fine. Only transferring whole RouterOS CA between devices is... let's say unfinished.