Hi there.
I've deployed some MT's as SSTP vpn servers for home office etc.
There are no client certificates - just CA + server cert. In order to successfully setup VPN connection CA cert needs to be installed on clients OS.

Now I wonder if both CA+server certificates can be easily backuped and restored on another MT in case of routers failure. Creating CA includes self-signing then server cert needs to be signed with CA. So are they still valid after migration?
If changing MT requires to generate new certificates that forces to append CA on all clients aswell :/

The certificate store can be backed up and restored on the same Mikrotik, but not to a different one.

It is possible to make a backup which can be restored to something else by exporting a certificate in PKCS12 format so the private key is exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:S ... neral_Menu. However, I recall there have been some reports that if a CRL has been specified it just doesn't work, it is probably safest to create and manage the certificates elsewhere and import the CA cert, server cert & key to the Mikrotik.

You can just use openssl, however there are various open source scripts (e.g. easy-rsa) and graphical interfaces (e.g. KeyStore Explorer) which can make certificate management easier