s00hr7
Topic Author
Posts: 2
Joined: Thu May 20, 2021 9:22 pm

EAP-TLS does not work with verify-certificate-with-crl

Tue Jul 06, 2021 6:39 pm

Hey folks,

Until recently I ran a Hex S, which I used to generate my home-used certificates and which also served as CAPsMAN. I used EAP-TLS with the generated certificates and was using "verify-certificate-with-crl" as the TLS mode. Everything was working fine.

Then I wanted to switch to a more powerful router and got an RB4011 (without wifi). I exported and imported the certificates and realized that the CRL function didn't work anymore, since... well because apparently there is no way to move certificates between router boards with the whole PKI intact. Using EAP-TLS without the possibility to revoke certificates doesn't make much sense, so I decided to set up my own PKI on a separate system using CFSSL.

After importing them (I imported the whole certificate chain: Certificates, CA and intermediate CA) everything looked fine:
/certificate print detail
...
 9 KL    T name="accesspoint.home.lan.p12_0" issuer="xxx" digest-algorithm=sha256 key-type=rsa 
           country="XX" state="XXX" locality="XXX" organization="XXX" unit="server" common-name="accesspoint.home.lan" key-size=2048 
           subject-alt-name=DNS:accesspoint.home.lan,IP:192.168.0.1 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,tls-server 
           serial-number="XXX" fingerprint="XXX" 
           akid=XXX skid=XXX invalid-before=jun/28/2021 22:53:00 invalid-after=jun/26/2031 22:53:00 
           expires-after=520w2d5h32m3s 
...
And I could see that the CRL was successfully downloaded and evaluated.
/certificate crl print detail 
Flags: E - expired, D - dynamic, I - invalid 
 0  D  cert=accesspoint.home.lan.p12_0 url="http://myserver/crl" revoked=0 next-update=jul/06/2021 20:44:39 last-update=jul/05/2021 16:54:08 
       fingerprint="xxx" 
       signature="xxx" 

 1  D  cert=NetworkCA url="http://myserver/crl" revoked=0 next-update=jul/06/2021 20:44:39 last-update=jul/05/2021 16:54:08 
       fingerprint="xxx" 
       signature="xxx" 
I started rolling out the new certificates and tested them successfully with the following security profile:
 3 name="XXX" authentication-types=wpa2-eap encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m eap-methods=eap-tls tls-mode=verify-certificate 
   tls-certificate=accesspoint.home.lan.p12_0 
But as soon as I switch to "verify-certificate-with-crl" I am not able to connect anymore and just see this in the logs:
XX:XX:XX:XX:XX:XX@SSID disconnected, EAP failure
I don't see anything else in the logs, so I have no idea how to debug this further. The CRL is showing up with 0 revoked certificates, so this should just work fine. Any pointer on where to look here would be super useful!

P.S.
I run 6.48.3 and:
/certificate settings print
  crl-download: yes
  crl-use: yes
  crl-store: ram
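The following is an added example, not part of the post and not MikroTik code: it builds a throwaway PKI with the openssl CLI (root CA, intermediate CA, client certificate, one CRL per CA, like the chain described above) and compares verification verdicts with and without a CRL for every issuer, and before and after a revocation. It shows OpenSSL's semantics only and makes no claim about how RouterOS's verify-certificate-with-crl mode walks the chain. All names (DemoRootCA, DemoIntCA, laptop.home.lan), the temporary directory and the config files are constructed for the demo; it needs only a POSIX shell and the openssl binary.

```shell
#!/bin/sh
# Added example (not from the forum post or MikroTik): a throwaway PKI built
# with the openssl CLI to show how CRL checking behaves for a certificate chain.
# Every name and path below is constructed for this demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Request/extension config shared by all certificates; -subj supplies each DN.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Minimal "openssl ca" database so each CA can revoke certificates and issue
# its own CRL (the post's http://myserver/crl would serve files like these).
init_ca_db() {  # $1 = CA dir, $2 = CA cert, $3 = CA key
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cp "$2" "$1/ca.crt"; cp "$3" "$1/ca.key"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 7
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

# Root CA (self-signed) -> intermediate CA -> client cert, RSA-2048/SHA-256
# like the certificates shown in the post.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config req.cnf \
    -extensions v3_ca -subj "/CN=DemoRootCA" -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=DemoIntCA" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
    -sha256 -extfile req.cnf -extensions v3_ca -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=laptop.home.lan" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial -days 365 \
    -sha256 -extfile req.cnf -extensions v3_client -out client.crt 2>/dev/null

# One CRL per issuer, both currently listing 0 revoked certificates.
init_ca_db "$WORK/ca_root" root.crt root.key
init_ca_db "$WORK/ca_int"  int.crt  int.key
openssl ca -config ca_root/ca.cnf -gencrl -crldays 7 -out root.crl 2>/dev/null
openssl ca -config ca_int/ca.cnf  -gencrl -crldays 7 -out int.crl  2>/dev/null
cat root.crl int.crl > both.crl

# Verify the client cert against the chain with the given CRL file and mode.
# $2 is -crl_check (leaf only) or -crl_check_all (every cert in the chain).
# Prints "ok" or "fail" so the verdicts can be compared side by side.
crl_verdict() {
    if openssl verify "$2" -CAfile root.crt -untrusted int.crt -CRLfile "$1" \
          client.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Fresh CRLs for every issuer, nothing revoked: passes.
RESULT_FRESH=$(crl_verdict both.crl -crl_check_all)
# Only the intermediate's CRL available, but every chain cert must be checked:
# fails although 0 certificates are revoked, because no CRL covers the CA certs.
RESULT_MISSING_ROOT_CRL=$(crl_verdict int.crl -crl_check_all)
# Same single CRL, leaf-only mode: passes, the root's CRL is never consulted.
RESULT_LEAF_ONLY=$(crl_verdict int.crl -crl_check)

# Revoke the client cert on the intermediate, reissue its CRL, verify again.
openssl ca -config ca_int/ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca_int/ca.cnf -gencrl -crldays 7 -out int.crl 2>/dev/null
cat root.crl int.crl > both.crl
RESULT_REVOKED=$(crl_verdict both.crl -crl_check_all)

echo "fresh CRLs, all issuers checked: $RESULT_FRESH"
echo "intermediate CRL only, all:      $RESULT_MISSING_ROOT_CRL"
echo "intermediate CRL only, leaf:     $RESULT_LEAF_ONLY"
echo "after revoking the client cert:  $RESULT_REVOKED"
cd / && rm -rf "$WORK"
```

The middle two verdicts are the point for a situation like the one in the post: a downloaded CRL that lists 0 revoked certificates only satisfies a verifier that also holds a valid, unexpired CRL for every issuer it decides to check, and which issuers get checked depends on the verifier's mode (OpenSSL's -crl_check versus -crl_check_all above). A CRL whose next-update has passed fails in OpenSSL the same way a missing one does. When a CRL-enabled TLS mode rejects a client that a CRL-less mode accepts, the first things worth comparing are therefore which CA signed each CRL the device fetched, whether that matches each issuer in the client's chain, and whether the CRL's validity window still covers the moment of the handshake.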
