markmcn
Member Candidate
Topic Author
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Mikrotik generate CRL for revoked certs

Tue Jul 20, 2021 1:02 pm

Hi All,
I'm thinking of using a ROS instance for generating all the certs used for a VPN I look after. However, if I set it up as a CA and generate certs for users, this works no problem.
I'm wondering: if I revoke a user cert, can I get the ROS instance to generate a CRL to publish for hosts to check?
Thank you for taking the time to read.
Cheers
Mark
 
jprietove
Trainer
Posts: 212
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: Mikrotik generate CRL for revoked certs

Tue Jul 20, 2021 3:07 pm

If your Certificate was generated including CA CRL Host, it should be accessible from http://<public_ip>/crl/<cert_id>.crl

With <cert_id> equal to an internal ID that I haven't found out how to get. But if the CA Certificate was the first created Certificate, it should be 1.

So try with http://your_ip/crl/1.crl, http://your_ip/crl/2.crl... and so on
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik generate CRL for revoked certs  [SOLVED]

Tue Jul 20, 2021 3:53 pm

To get the internal ID (.id):
/certificate :put [pri as-value]
.id=*1;common-name=CAPsMAN-CA-.........................;.id=*2;common-name=CAPsMAN-.........................
The value is hexadecimal and must be converted to decimal, for example:

.id=*10 = http(s)://<any_routerboard_ip_where_www(-ssl)_service_is_active>/crl/16.crl

Obviously the CRL list file (as already written by @jprietove) is created only for a Certificate Authority.
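
The ID-to-URL conversion described in the replies above, as an added example that is not part of the original posts: it parses the flattened as-value output and lists the CRL URL each internal ID maps to. The sample output, the host 192.0.2.1 and all function names are constructed for illustration, and it assumes field values contain no ';'.

```python
import re

# Constructed sample of flattened ':put [print as-value]' output (not from a real router).
SAMPLE = ".id=*1;common-name=lab-ca;.id=*A;common-name=vpn-user1;.id=*10;common-name=lab-ca-2"


def parse_as_value(text):
    """Split 'key=value;key=value' output into records; each '.id' key starts a new one.

    Assumption: values contain no ';' (true for the constructed sample).
    """
    records = []
    for field in text.strip().split(";"):
        key, sep, value = field.partition("=")
        if not sep:
            continue  # skip fragments without '='
        if key == ".id":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def crl_number(internal_id):
    """Convert an internal ID such as '*10' (hexadecimal) to the decimal number in the CRL path."""
    match = re.fullmatch(r"\*([0-9A-Fa-f]+)", internal_id)
    if match is None:
        raise ValueError(f"not an internal ID: {internal_id!r}")
    return int(match.group(1), 16)


def candidate_crl_urls(text, host, scheme="http"):
    """Return (internal id, common-name, URL) for every certificate in the output.

    Only CA certificates have a CRL file, so non-CA entries are candidates to rule out.
    """
    return [
        (rec[".id"], rec.get("common-name", ""),
         f"{scheme}://{host}/crl/{crl_number(rec['.id'])}.crl")
        for rec in parse_as_value(text)
    ]


if __name__ == "__main__":
    for cert_id, name, url in candidate_crl_urls(SAMPLE, "192.0.2.1"):
        print(cert_id, name, url)
```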
 
markmcn
Member Candidate
Topic Author
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Mikrotik generate CRL for revoked certs

Tue Jul 20, 2021 4:52 pm

Hi jprietove,
Thank you for the helpful reply. I'll have a play with this in the lab. Appreciate you taking the time to reply.
I'll try to update there with a lab example for others if time allows.
Cheers
Mark
