janis
just joined
Topic Author
Posts: 15
Joined: Wed Oct 02, 2019 5:21 pm
Location: Riga, Latvia

Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Fri Sep 17, 2021 3:43 pm

Hello, I'm a bit lost.

The goal I want to achieve is seamless always-on VPN for remote users. Currently we have to manually configure VPN for every single box.

I have seen some promising tutorials using IKEv2 with Microsoft NPS as a RADIUS. If I'm correct, both MikroTik and NPS require a valid authentication certificate. In our environment we have a Windows CA, which I would prefer to use.
The question is how to properly issue certificates for NPS and MikroTik? Should I request a new personal Domain Controller Authentication certificate for NPS, and then convert the cert to .pem and install it on the MikroTik?

So far I haven't seen how to configure IKEv2 using certificates from a Windows CA; in all tutorials MikroTik self-signed certificates are being used (I want to handle both DHCP and authentication on the Windows side).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Fri Sep 17, 2021 10:26 pm

You can create a certificate signing request on the MikroTik, get it signed by the Windows CA, and import the signed certificate to the MikroTik, i.e. the proper way certificates should be handled, where the private key never leaves the device that has generated it. The way with client certificates signed using a CA on the MikroTik itself and imported to Windows clients is a simplification for people who don't know how to properly generate a CSR on Windows.

So create a certificate template on Mikrotik, with the proper key-usage value list, then create a CSR from that template (which requires entering a passphrase for the private key) - this will create two files, one with the CSR and another one with the private key. Then download the CSR, sign it with the Windows CA, upload the signed certificate back to the Mikrotik, import it, then import the private key from the file using the passphrase. Upload and import also the CA certificate.
 
janis
just joined
Topic Author
Posts: 15
Joined: Wed Oct 02, 2019 5:21 pm
Location: Riga, Latvia

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Mon Sep 20, 2021 10:46 am

Thank you @sindy for the helpful guidance, will go that route right on.
 
janis
just joined
Topic Author
Posts: 15
Joined: Wed Oct 02, 2019 5:21 pm
Location: Riga, Latvia

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Fri Oct 29, 2021 12:11 pm

Hello Sindy and everyone else,

I have successfully signed the NPS server and clients are autoenrolled using group policy; all certs are issued by the Windows CA.
The thing I don't understand is what key usage I should use when requesting a cert for the MikroTik. Is there any documentation on that?

All tutorials I've seen used the MikroTik as CA and 3 certificates are made: CA, Server and Client. To my understanding I don't need to sign the server (NPS) and clients as they are already signed. Or by the server certificate do they mean the MikroTik, not the NPS server?

I want to achieve certification based VPN connection using IKEv2 + EAP.

I apologize if something was not understandable; this is a confusing topic for me. If so, let me know and I'll try to rephrase it differently.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Fri Oct 29, 2021 2:14 pm

Mikrotik needs to find tls-client usage in the certificate presented by a Windows initiator. The Mikrotik manual says that for Mikrotik acting as a responder, it is enough that tls-server usage is set in its own certificate it presents to Windows initiators. As I am not sure whether Windows won't come with more requirements in future, I generate the certificates for Mikrotik responders also with ipsec-end-system and ipsec-tunnel usages.

Plus I don't know how the Latvian localization team of Microsoft handles that, but in my language, the key usage names presented in Microsoft certificate-related tools are localized in a confusing way, replacing "ipsec" by mere "security", so you may have to investigate a bit.

Regarding confusing - if you know how it works, it's not so confusing.

The device that proves its identity to another device using a certificate must have the private key to that certificate. The proper way is to generate a certificate signing request on that device, deliver the request to the certification authority, get it signed, and deliver the signed certificate back to the requesting device. As the private key never leaves the requesting device in this case, you can send the CSR and the signed certificate using open channels without compromising the security. But creating a CSR on a Windows machine is not an easy procedure; maybe it is easier for machines in a domain.

The device that verifies other device's identity using a certificate must trust the root certification authority of the chain of trust of the certificate being presented, i.e. the certificate of that root CA must be available in the certificate store of the verifying device.

Both the responder and the initiator work in both roles - each of them authenticates itself to the other one by presenting its own certificate, and checks the other one's authenticity by checking the certificate it has got from it against the locally stored root CA's certificate.

So unless you need to use the initiator's certificate as an identifier to find an /ip ipsec identity record, you need your own certificate and private key, and the root CA certificate that has signed the other one's certificate.

If you use the initiator's certificate as an identifier, you must have a local copy of it on the Mikrotik, of course without the private key.

And if you want to be able to deny access to stolen initiator devices by revoking their certificates before they expire, you have to make the Certificate Revocation List work. I've posted on that topic here on the forum recently; since in your case, the CA is not the Mikrotik responder itself, you have to make the CRL accessible using plain http on the actual CA so that the responder could periodically download it from there.
 
janis
just joined
Topic Author
Posts: 15
Joined: Wed Oct 02, 2019 5:21 pm
Location: Riga, Latvia

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)  [SOLVED]

Thu Dec 09, 2021 10:33 am

Hello Sindy, thank you very much for your help and time. I was able to understand what certs are needed where; I just was not sure how exactly I should do that, but I managed.

I was able to get the IPsec IKEv2 + EAP (using certificates) VPN to work.

About certificates - in short I did what you suggested in the first reply.
  • I imported the CA chain certificate into the Mikrotik so that it "trusts" my Windows CA
  • Then I created a new certificate IN the Mikrotik with key-usage tls-server and as you mentioned I also added ipsec-end-system & ipsec-tunnel. Then generated a CSR from it, it also generated a PRIVATE key (more on that later).
  • The CSR was generated in PEM format and unfortunately you cannot sign PEM CSRs in the Windows CA; due to that I renamed the PEM to TXT, however the CA gave an error that the CSR does not contain template information. After that, I opened the CSR using a text editor and pasted the contents into the CA Web Enrollment service and signed it using the Windows Subordinate Certification Authority template. After it was signed, I uploaded and imported it back to the MikroTik.
  • However I was missing one crucial piece: I did not import the private key that was made together with the CSR at the beginning. Due to that I had "no private key found" errors; after I figured that out the client was able to connect.
  • For my client devices I created a certificate template in the CA using the Client Authentication, Secure Email and Encrypting File System purposes and then deployed them to clients via group policy.

It is a little tricky and I'm not sure whether I did everything correctly, so if you see something terribly wrong please chime in. Once again thank you, it all makes sense now.
Last edited by janis on Fri Dec 10, 2021 9:16 am, edited 3 times in total.
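The round trip sindy describes in the first two replies (template with the responder key usages, CSR, signing by the Windows CA, then importing CA certificate, signed certificate and private key, plus CRL download) and the steps janis lists above, as an added example that is not code from the thread or from MikroTik. It is a PowerShell script run on the Windows CA host that passes RouterOS commands over SSH; router address, CA config string, template name, host names and the CRL setting names are assumptions, and key-based SSH authentication to the router is assumed.

```powershell
# Added example (not from the thread): drives the CSR round trip from the Windows side.
# Assumptions (all placeholders): the router is reachable over SSH with key-based auth as
# $Router, the OpenSSH client is installed on the Windows host, and $CaConfig/$Template
# name your own CA and template. RouterOS commands are passed through ssh.
$Router   = 'admin@192.0.2.1'                # placeholder router address
$CaConfig = 'ca01.example.local\Example-CA'  # placeholder "<CA host>\<CA name>"
$Template = 'SubCA'                          # placeholder; janis used the Subordinate CA template
$Name     = 'ikev2-responder'
$Pass     = Read-Host -AsSecureString 'Passphrase for the router private key'
$PassText = [System.Net.NetworkCredential]::new('', $Pass).Password

# 1. Template on the router with the usages sindy recommends for a responder.
#    The SAN must match the name Windows initiators connect to.
ssh $Router "/certificate add name=$Name common-name=vpn.example.local subject-alt-name=DNS:vpn.example.local key-size=2048 key-usage=tls-server,ipsec-end-system,ipsec-tunnel"

# 2. CSR plus passphrase-protected private key. RouterOS writes
#    certificate-request.pem and certificate-request_key.pem; the key never leaves the router.
ssh $Router "/certificate create-certificate-request template=$Name key-passphrase=$PassText"
scp "${Router}:certificate-request.pem" ".\$Name.csr"

# 3. Submit to the Windows CA. Naming the template in the request attributes is what
#    avoids the "request does not contain template information" error janis hit.
certreq -submit -attrib "CertificateTemplate:$Template" -config $CaConfig ".\$Name.csr" ".\$Name.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }
certutil -config $CaConfig -ca.cert '.\ca.cer'   # issuing CA cert; import the root too if this CA is subordinate

# 4. Upload and import in the order sindy gave: CA cert, signed cert, then the private key.
#    passphrase="" stops RouterOS from prompting interactively for files that carry no key.
scp '.\ca.cer', ".\$Name.cer" "${Router}:"
ssh $Router "/certificate import file-name=ca.cer passphrase=`"`""
ssh $Router "/certificate import file-name=$Name.cer passphrase=`"`""
ssh $Router "/certificate import file-name=certificate-request_key.pem passphrase=$PassText"

# 5. Check: without the key import the certificate lacks the K (private key) flag and IKEv2
#    fails with a "no private key" error, which is exactly the step janis missed.
ssh $Router "/certificate print detail where name~`"$Name`""

# 6. (assumed setting names) let the responder fetch the CRL the CA publishes over plain
#    HTTP, so revoked client certificates are rejected before they expire.
ssh $Router "/certificate settings set crl-download=yes crl-use=yes"
```

The passphrase is passed on the ssh command line so it is briefly visible to other local users; run the key-import step interactively on the router if that matters in your environment.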
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issue certificate from Windows CA for Mikrotik (Ikev2 VPN)

Thu Dec 09, 2021 12:25 pm

Nothing is terribly wrong. I forgot to tell you that you have to import the key generated during creation of the CSR once you import the signed certificate. The MikroTik can export existing certificates in both PEM and PKCS#12 formats, but not CSRs. So all the steps were necessary.
