Community discussions

MikroTik App
 
jaceqp123
just joined
Topic Author
Posts: 20
Joined: Wed Mar 01, 2017 4:42 pm

Moving SSTP (vpn) CA certificate to another MT

Fri Feb 19, 2021 2:04 pm

Hi there.
I've deployed some MT's as SSTP vpn servers for home office etc.
There are no client certificates - just CA + server cert. In order to successfully setup VPN connection CA cert needs to be installed on clients OS.

Now I wonder if both CA+server certificates can be easily backuped and restored on another MT in case of routers failure. Creating CA includes self-signing then server cert needs to be signed with CA. So are they still valid after migration?
If changing MT requires to generate new certificates that forces to append CA on all clients aswell :/
 
tdw
Forum Veteran
Forum Veteran
Posts: 712
Joined: Sat May 05, 2018 11:55 am

Re: Moving SSTP (vpn) CA certificate to another MT

Fri Feb 19, 2021 3:05 pm

The certificate store can be backed up and restored on the same Mikrotik, but not to a different one.

It is possible to make a backup which can be restored to something else by exporting a certificate in PKCS12 format so the private key is exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:S ... neral_Menu. However, I recall there have been some reports that if a CRL has been specified it just doesn't work, it is probably safest to create and manage the certificates elsewhere and import the CA cert, server cert & key to the Mikrotik.

You can just use openssl, however there are various open source scripts (e.g. easy-rsa) and graphical interfaces (e.g. KeyStore Explorer) which can make certificate management easier

Who is online

Users browsing this forum: Google [Bot] and 130 guests