bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Ovpn - verify server certificate issue

Sun Jun 06, 2021 7:01 pm

Hello everyone,

I configured an OpenVPN server and client between two Mikrotik devices.

I created CA, server1 and client1 certificates.
Require Client certificate works as intended (connection established && connected), however "Verify Server Certificate" doesn't (TLS failed).
Client has CA certificate imported with LAT flags, and client1 certificate with KT.
Server has CA certificate created by itself with KLAT and server1 with KIT.

Does anyone know what "Verify Server Certificate" tries to check?
I'm surely missing some item in the checklist of this verification...
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Ovpn - verify server certificate issue

Sun Jun 06, 2021 7:38 pm

Can the client Mikrotik check the CRL as you have L flags on the certificates?

With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & clients Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not using client certificates in this case. The client Mikrotik checks the CA for the server is present in its local certificate store.
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue

Sun Jun 06, 2021 11:45 pm

> Can the client Mikrotik check the CRL as you have L flags on the certificates?
>
> With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & clients Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not using client certificates in this case. The client Mikrotik checks the CA for the server is present in its local certificate store.

I believe it does... Any tip on how to check that?
I think I just exported the CA without any passphrase, and after importing it in the client it got LAT. Should it be different?

I might have made a mistake in some step... I guess the safe way to go is to try to generate new certs all over again.
By the way, all the certs were generated on a Mikrotik RB3011 running v6.44rc4 and imported into the hEX S v6.44.6 client.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Ovpn - verify server certificate issue

Mon Jun 07, 2021 6:07 pm

AFAIK Mikrotik abuse the A flag somewhat - it only appears on CAs generated on a Mikrotik, not on those generated elsewhere and imported. If you generate a CA certificate on one Mikrotik, export it without key, then import onto another Mikrotik the flags are AT (without a CRL) or LAT (with a CRL).

I've skipped CRLs for small setups with self-signed certificates, so I'm not sure how to check the CRL status or make the Mikrotik not check.

Another thing to check is that the VPN client and server Mikrotiks have the correct time so they consider the certificates to be usable (must be between 'invalid before' and 'invalid after').
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue

Tue Jun 08, 2021 8:59 pm

I am still unable...
The client is still not able to "verify server certificate" and fails with TLS Failed.

In server:
1. I create the CA certificate with "key cert sign" and "crl sign" (KLAT).
2. Sign the certificate with public domain name in CA CRL Host.
3. Create server certificate.
4. Sign the server certificate with CA (tried both with and without CA CRL Host).
5. Make server certificate trusted (KIT).
6. Apply server certificate to OVPN Server.
7. Export CA certificate without passphrase type PEM.

In Client:
1. Import CA certificate (LAT)
2. Try to connect to server and get TLS Failed
(Disable "Verify Server Certificate" and client connects successfully.)

Am I doing something wrong?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Ovpn - verify server certificate issue

Tue Jun 08, 2021 11:02 pm

> 3. Create server certificate.

With which key usage flags?

> In Client:
> 1. Import CA certificate (LAT)

When importing the CA created without a CRL host I would expect the flags to be AT.
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 1:41 am

> > 3. Create server certificate.
>
> With which key usage flags?
>
> > In Client:
> > 1. Import CA certificate (LAT)
>
> When importing the CA created without a CRL host I would expect the flags to be AT.

Server certificate with: "digital signature", "key encipherment" and "tls server".

CA was signed with CA CRL Host (my public domain name).
And then imported in the ovpn client.
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue  [SOLVED]

Wed Jun 09, 2021 8:08 am

Ended up changing CA CRL Host from the public domain name to the local IP and it started working.

I thought this had to be the public one, but it seems I was wrong.

I'm pretty new to certs, but does any client or server use the common-name or subject alt name for anything? Or is this just a random string?
I mean, if I use domain names for the common-name or subject alt. name, won't they be used during auth to guarantee it's the correct server being connected to, for example?
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 9:05 am

Use this:

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

/certificate
sign ca-template ca-crl-host=1.2.3.4 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

Gateway IP of the router: ca-crl-host=1.2.3.4

/certificate
set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

Between MikroTiks it works well, but with Windows it's so annoying; setting up OpenVPN on Windows takes a lot of time.

ipsec/ike2 is the right choice for me.
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 9:28 am

I got it working, thanks!

It was a misconfiguration with CA CRL Host.
I was using public domain instead of gateway IP as you suggested.

I'm also trying to understand if the CN and SAN are used for anything?
Or are they just random strings that could be ignored?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 1:20 pm

If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing backup copies of certificates and keys they no longer work.

The Common Name (CN) depends on the context in which the certificate is going to be used - it can be some descriptive text, the name of a person, an email address, but typically a fully-qualified domain name of a client or server engaging in SSL/TLS communications.

The Subject Alternative Name (SAN) allows multiple alternate identifiers of specific types to also be included, often used to include DNS names for a web server hosting multiple domains for one organisation, or an IP address in self-signed certificates.

Whilst Mikrotik have not provided a check for OpenVPN client connections, with SSTP client connections there is a verify-server-address-from-certificate option which makes the client check the hostname or IP connected to matches one present in the host certificate.
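The checks a client has to perform when "verify server certificate" is enabled, plus the separate connected-to-name check that tdw describes for SSTP, as an added example written against Go's standard crypto/x509 package (this is not code from this thread, from RouterOS or from MikroTik; Go is used because the RouterOS CLI cannot be run stand-alone). It builds the same shape of PKI the thread describes: a CA with key-cert-sign and crl-sign usage, a server certificate with digital-signature, key-encipherment and tls-server usage, and a CRL issued by the CA. The names myCa and server come from the thread; the SAN entries vpn.example.test and 192.0.2.1, the CRL URL, the serial numbers and the fixed reference time are constructed for the example, and modelling the CA CRL host as an X.509 CRL distribution point URL in the issued certificate is an assumption about how RouterOS uses that setting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// refTime is the constructed "now" the certificates are issued around.
var refTime = time.Date(2021, 6, 9, 12, 0, 0, 0, time.UTC)

// pki bundles the constructed CA, the server certificate and the CA's CRL.
type pki struct {
	ca, server *x509.Certificate
	crl        *x509.RevocationList
}

// must panics on error: every input here is constructed, so an error is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI creates the CA (key-cert-sign, crl-sign), the server certificate
// (digital-signature, key-encipherment, tls-server) and a CRL signed by the CA.
// With revokeServer set, the CRL lists the server certificate's serial.
func buildPKI(revokeServer bool) *pki {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "myCa"},
		NotBefore:             refTime.Add(-time.Hour),
		NotAfter:              refTime.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "server"},
		DNSNames:              []string{"vpn.example.test"},       // hypothetical SAN entries; a name check
		IPAddresses:           []net.IP{net.ParseIP("192.0.2.1")}, // compares the peer address against these
		NotBefore:             refTime.Add(-time.Hour),
		NotAfter:              refTime.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://192.0.2.1/crl/myCa.crl"}, // assumed analogue of the CA CRL host
	}
	server := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey))))

	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: refTime.Add(-time.Hour), NextUpdate: refTime.Add(24 * time.Hour)}
	if revokeServer {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: server.SerialNumber, RevocationTime: refTime.Add(-time.Minute)}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &pki{ca: ca, server: server, crl: crl}
}

// verifyServer performs the client-side checks: the chain must end at a CA in
// the client's own trust store, be valid at the client's clock and carry the
// tls-server usage; the CRL must be signed by the CA, still current, and not
// list the server. A non-empty peerName additionally requires the connected-to
// hostname or IP to appear in the SAN (the check tdw notes SSTP has and OpenVPN lacks).
func verifyServer(p *pki, clock time.Time, peerName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: clock, DNSName: peerName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := p.server.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := p.crl.CheckSignatureFrom(p.ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if clock.After(p.crl.NextUpdate) { // a CRL host that stops serving a fresh list breaks verification
		return fmt.Errorf("crl stale since %s", p.crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range p.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.server.SerialNumber) == 0 {
			return fmt.Errorf("server certificate (serial %v) is revoked", rc.SerialNumber)
		}
	}
	return nil
}

func main() {
	good := buildPKI(false)
	fmt.Println("valid chain, no name check:", verifyServer(good, refTime, ""))
	fmt.Println("peer IP present in SAN:    ", verifyServer(good, refTime, "192.0.2.1"))
	fmt.Println("wrong peer name:           ", verifyServer(good, refTime, "other.example.test"))
	fmt.Println("client clock 2h behind:    ", verifyServer(good, refTime.Add(-2*time.Hour), ""))
	fmt.Println("CRL not refreshed (2 days):", verifyServer(good, refTime.Add(48*time.Hour), ""))
	fmt.Println("server revoked:            ", verifyServer(buildPKI(true), refTime, ""))
}
```

Each failing case maps to a symptom from the thread: a client clock outside the validity window or a CA that is not in the client's own store fails at the chain step, a CRL that is not really served or not refreshed fails at the CRL step, and a name mismatch is only detected when the caller asks for it, which is the gap tdw points out for OpenVPN clients. Treating a stale CRL as a hard failure is a design choice of this example; clients differ on whether an unreachable CRL is fatal.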
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Ovpn - verify server certificate issue

Fri Jun 11, 2021 1:33 pm

> If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing backup copies of certificates and keys they no longer work.
>
> The Common Name (CN) depends on the context in which the certificate is going to be used - it can be some descriptive text, the name of a person, an email address, but typically a fully-qualified domain name of a client or server engaging in SSL/TLS communications.
>
> The Subject Alternative Name (SAN) allows multiple alternate identifiers of specific types to also be included, often used to include DNS names for a web server hosting multiple domains for one organisation, or an IP address in self-signed certificates.
>
> Whilst Mikrotik have not provided a check for OpenVPN client connections, with SSTP client connections there is a verify-server-address-from-certificate option which makes the client check the hostname or IP connected to matches one present in the host certificate.

Awesome!
Thanks a lot for the explanation, that was exactly what I was looking for.
It was also not clear to me whether there could be some verification for OVPN. It is now.
