VPN Server: Migrate certificates to new hardware

Posted: Mon Jan 11, 2021 11:43 pm
by lozio84
Good evening everyone!
I have a working OVPN server built on an RB 2011, now I would like to upgrade the hardware by installing an RB1036. Of course I would like to copy the certificates generated by the old platform to avoid having to reconfigure all clients. I tried exporting the CA.crt, server.crt files and client certificates. I imported them to the new server but there is something wrong because it doesn't work.

What is the correct procedure for exporting all certificates of the VPN SERVER and making them work on another machine?

I created the files on the old server using the following example:
/certificate add name=CA country="IT" state="IT" \
    common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=127.0.0.1 name="CA"

/certificate add name=server country="IT" state="IT" \
    common-name="server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client country="IT" state="IT" \
    common-name="client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign client ca="CA" name="client"
Thanks

Re: VPN Server: Migrate certificates to new hardware

Posted: Tue Jan 12, 2021 12:02 am
by tdw
You certainly have to export the certificates as a bundle in PKCS12 format so the private keys are exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:S ... neral_Menu

I recall there have been some reports that if a CRL has been specified (as in your example) it just doesn't work.

Re: VPN Server: Migrate certificates to new hardware

Posted: Tue Jan 12, 2021 3:06 am
by Sob
AFAIK certificates are transferable, but the relation between the RouterOS CA and issued certificates is not. So for example if you'd want to revoke some, you can't. Binary backup should contain everything, but it's not meant for different device models. I think it's bad, but so far it doesn't seem to be a problem for MikroTik.

Re: VPN Server: Migrate certificates to new hardware

Posted: Tue Jan 12, 2021 5:02 pm
by lozio84
Thanks for the reply!
So if I set up a new server from 0 and create the certificates without a CRL, could I then export them and reload them on a new machine in case of hardware problems?

Re: VPN Server: Migrate certificates to new hardware

Posted: Tue Jan 12, 2021 6:52 pm
by Sob
I'm not sure about the details, so it's probably best to test it yourself. In case you don't have a free spare device, you can use CHR (RouterOS VM; the free version is enough).

Re: VPN Server: Migrate certificates to new hardware

Posted: Wed Jan 13, 2021 10:57 pm
by lozio84
In your opinion, is it better to use a physical machine like an RB1036 or a virtual machine (CHR with adequate resources) to run a server that routes VPNs?
It will have to manage about 150 VPNs between SSTP and OVPN.

Because, thinking about it, with the virtual machine I would not have the certificate problem if the machine died and I had to recreate it from a backup.

Re: VPN Server: Migrate certificates to new hardware

Posted: Wed Jan 13, 2021 11:26 pm
by Sob
That's not a question for me, you need someone who has experience with the performance of different devices. I just mentioned CHR as a simple way to test transfers of certificates between different devices.

Also, unless you need to generate certificates directly on the router for some reason, you can always do it externally (using for example XCA or some other tool), and this particular problem will go away.
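Sob's last suggestion (generate the certificates off the router) and tdw's point (the bundle has to carry the private keys), as an added example that is not from the thread, MikroTik or XCA: a POSIX shell script that builds the same CA / server / client trio the opening post creates on RouterOS, but with openssl on a workstation, so the CA private key never lives on a router. Each end-entity certificate is bundled as PKCS#12 (certificate + private key + issuing CA), and the script runs the checks worth doing before trusting a migrated bundle: a bare .crt contains no key, the .p12 does, and each certificate chains to the CA. Assumed: openssl 1.1.1 or newer on the PATH; the work directory, subject fields and the passphrase "changeit" are constructed demo values.

```shell
#!/bin/sh
# Added example: offline CA with openssl, end-entities exported as PKCS#12 bundles.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable temp space)
PASS="changeit"                # constructed demo export passphrase, not for real use

make_ca() {
  # CA restricted to signing certificates and CRLs, mirroring the post's
  # key-usage=crl-sign,key-cert-sign. Extensions come from our own config file so
  # the result does not depend on the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/C=IT/ST=IT/CN=CA" >/dev/null 2>&1
}

issue() {
  # issue <name> <keyUsage list> <extendedKeyUsage>
  name=$1; ku=$2; eku=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/C=IT/ST=IT/CN=$name" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,%s\nextendedKeyUsage=%s\n' \
    "$ku" "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
  # The bundle is what actually moves between routers: cert + key + issuing CA in one file.
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$PASS" \
    -out "$WORK/$name.p12" 2>/dev/null
}

# --- checks to run before trusting a migrated bundle ---------------------------------

# true only if the PEM file carries a private key (a plain .crt export should not)
pem_has_key()    { grep -q 'PRIVATE KEY' "$1"; }
# true if the PKCS#12 bundle contains the private key
bundle_has_key() { openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; }
# true if the certificate verifies against our CA
chains_to_ca()   { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# true if the text dump of the certificate lists the given extended key usage
has_eku()        { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

build_pki() {
  make_ca
  issue server digitalSignature,keyEncipherment serverAuth
  issue client digitalSignature                 clientAuth
}

# Returns 0 when every bundle is fit to import, 1 otherwise.
all_checks_pass() {
  for f in server client; do
    if pem_has_key "$WORK/$f.crt"; then return 1; fi      # key must NOT be in the .crt
    bundle_has_key "$WORK/$f.p12" || return 1             # key MUST be in the .p12
    chains_to_ca   "$WORK/$f.crt" || return 1
  done
  has_eku "$WORK/server.crt" "TLS Web Server Authentication" || return 1
  has_eku "$WORK/client.crt" "TLS Web Client Authentication" || return 1
  return 0
}

build_pki
if all_checks_pass; then
  echo "bundles in $WORK are complete: server.p12 and client.p12 each carry their key and chain to ca.crt"
else
  echo "at least one bundle is incomplete; do not import it" >&2
  exit 1
fi
```

The .p12 files are what get uploaded to the router and imported with the passphrase; the CA private key (ca.key) stays on the workstation, so reissuing or revoking a certificate later does not depend on any router, which is exactly the CA-to-certificate relation Sob says is lost when certificates generated on RouterOS are moved.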