flatbat
newbie
Topic Author
Posts: 48
Joined: Tue Apr 06, 2010 11:18 pm

Replacing CAPsMAN

Wed Nov 25, 2015 7:20 pm

We have a CAPsMAN with 'auto'-generated CA and certificate, and lots of CAPs also with certificates requested from the CAPsMAN but without 'Lock To CAPsMAN'.

We need to replace the router running CAPsMAN with another larger model. How do we manage the certificates?
I'm sure it would work to log in to each CAP and remove the certificates and restart the CAP client to make them request a new certificate from the new CAPsMAN, but we would like to avoid that.

We also tried to export the CA client from the old CAPsMAN and import it into the new, but in the new CAPsMAN it only shows the 'T'-flag for trusted, and not 'KA'

Is it supposed to be possible, and what is then the correct procedure to replace the CAPsMAN?
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: Replacing CAPsMAN

Thu Nov 26, 2015 4:08 pm

Auto-generated CA certificate on CAPsMAN is a quick and dirty way to get you up and running with certificates. It would be better to implement more advanced PKI for devices in your authority, e.g:
- generate root CA certificate, keep it somewhere safe, not on any CAPsMAN
- issue CA certificate signed by root for each CAPsMAN, install on each CAPsMAN along with trusted root CA
- have CAPs trust your root CA (*)

Now CAPsMAN can sign certificate requests from CAPs with its sub-CA. CAPs will connect to any CAPsMAN with certificate signed by root CA, and CAPsMAN will accept CAPs with certificates generated by any CAPsMAN, provided that CAP certificate chain ends with trusted root CA.

Unfortunately at the moment (*) from the above does not happen automatically - CAPsMAN sends only its own CA certificate to CAP when signing certificate request (CAP installs this CA certificate as trusted). Sending complete CA chain to CAP can be considered for implementation.

BUT

There is also a quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it will generate 2 files - certificate and key. Then import it in new CAPsMAN. Beware - auto-generated certificates include device's MAC address in CommonName. Currently this is not being checked, but this can change.
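The three-tier layout described in the reply above (offline root, one sub-CA per CAPsMAN, root trusted on every CAP), written out as RouterOS 6.x CLI commands. This is an added example, not commands from the thread or from MikroTik; the names root-ca, capsman1-ca and the passphrase are placeholders, and the CAP import in step 4 is the manual step that the reply notes CAPsMAN does not do for you.

```routeros
# Added example: PKI hierarchy for CAPsMAN as RouterOS /certificate commands.
# Names (root-ca, capsman1-ca) and CHANGE-ME-PASSPHRASE are placeholders.

# --- 1. On an admin router that is NOT a CAPsMAN: create the root CA ---
/certificate add name=root-ca common-name=root-ca key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
/certificate sign root-ca
# Export the certificate only: no export-passphrase means the private key stays here
/certificate export-certificate root-ca
#  -> cert_export_root-ca.crt ; copy this public cert to every CAPsMAN and every CAP

# --- 2. Still on the admin router: one sub-CA per CAPsMAN, signed by the root ---
/certificate add name=capsman1-ca common-name=capsman1-ca key-size=2048 days-valid=1825 \
    key-usage=key-cert-sign,crl-sign
/certificate sign capsman1-ca ca=root-ca
# Export with its private key, since this CA must sign CAP requests on the CAPsMAN
/certificate export-certificate capsman1-ca export-passphrase=CHANGE-ME-PASSPHRASE
#  -> cert_export_capsman1-ca.crt and cert_export_capsman1-ca.key

# --- 3. On CAPsMAN #1: install root (trust only) and the sub-CA (with key) ---
/certificate import file-name=cert_export_root-ca.crt passphrase=""
/certificate import file-name=cert_export_capsman1-ca.crt passphrase=CHANGE-ME-PASSPHRASE
/certificate import file-name=cert_export_capsman1-ca.key passphrase=CHANGE-ME-PASSPHRASE
# Check: root-ca must carry the T flag, capsman1-ca must carry K (key) and A (authority).
# K and T without A means this RouterOS build still refuses imported signing CAs
# (the thread later notes this was relaxed in 6.34).
/certificate print where name~"root-ca|capsman1-ca"
/caps-man manager set enabled=yes certificate=capsman1-ca ca-certificate=root-ca \
    require-peer-certificate=yes

# --- 4. On each CAP: trust the root by hand, because CAPsMAN only pushes its own sub-CA ---
/certificate import file-name=cert_export_root-ca.crt passphrase=""
/interface wireless cap set enabled=yes certificate=request lock-to-caps-man=no
```

Repeat step 2 and 3 with a second sub-CA for the replacement (or standby) CAPsMAN; CAPs whose certificate was issued by capsman1-ca then chain to root-ca and are accepted there as well.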
 
JorgeAmaral
Trainer
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Re: Replacing CAPsMAN

Fri Jan 08, 2016 1:39 am

> Auto-generated CA certificate on CAPsMAN is a quick and dirty way to get you up and running with certificates. It would be better to implement more advanced PKI for devices in your authority, e.g:
> - generate root CA certificate, keep it somewhere safe, not on any CAPsMAN
> - issue CA certificate signed by root for each CAPsMAN, install on each CAPsMAN along with trusted root CA
> - have CAPs trust your root CA (*)
>
> Now CAPsMAN can sign certificate requests from CAPs with its sub-CA. CAPs will connect to any CAPsMAN with certificate signed by root CA, and CAPsMAN will accept CAPs with certificates generated by any CAPsMAN, provided that CAP certificate chain ends with trusted root CA.
>
> Unfortunately at the moment (*) from the above does not happen automatically - CAPsMAN sends only its own CA certificate to CAP when signing certificate request (CAP installs this CA certificate as trusted). Sending complete CA chain to CAP can be considered for implementation.
>
> BUT
>
> There is also a quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it will generate 2 files - certificate and key. Then import it in new CAPsMAN. Beware - auto-generated certificates include device's MAC address in CommonName. Currently this is not being checked, but this can change.

Hello M,

Do you know any trick to import the trusted root CA in recent versions of ROS 6.28+?

I need to upgrade an RB2011 to RB3011 and the import of the trusted root CA goes successfully but it's not recognized as a CA. It has only KT flags and misses the A flag. Inside CAPs manager when selecting the CA it does not appear.
 
lobo83
just joined
Posts: 4
Joined: Tue Sep 08, 2015 5:11 pm

Re: Replacing CAPsMAN

Wed Jan 13, 2016 5:54 pm

I am in the same situation, we need a secondary CAPsMAN in case of failure, tried to import the autogenerated certificate to the secondary manager but only KT flags appear. Tried to create my CA manually following these steps:
http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

On the primary router it shows with KLAT flags, after "successful" export to the secondary only TL flags appear...

Could you explain further the steps we need to follow in order to have a PKI infrastructure able to work with 2 CAPsMAN managers?

Thank you very much
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: Replacing CAPsMAN

Wed Feb 03, 2016 5:54 pm

Unfortunately importing a CA certificate with the ability to sign certificates was not possible, as you explain. This was disabled deliberately so that users do not start signing certificates with the same CA on multiple devices, which would produce conflicting serial numbers. This has been relaxed so that you can import CA certificates generated by RouterOS. 6.34 has this feature.
 
rushlife
Member Candidate
Posts: 105
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Replacing CAPsMAN

Tue Jul 17, 2018 11:07 am

Hi guys,
is there some workaround to move CAPsMAN to another / more powerful / device?
Let's say I have CAPsMAN on an RB3011 and I wanna move this to some CCR hw...
How can I do this?
 
rushlife
Member Candidate
Posts: 105
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Replacing CAPsMAN

Wed Jul 25, 2018 12:00 am

up up
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Replacing CAPsMAN

Wed Jul 25, 2018 12:39 am

Export configuration and import it in the newer device?
Real admins use real keyboards.
 
rushlife
Member Candidate
Posts: 105
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Replacing CAPsMAN

Fri Jul 27, 2018 8:41 am

ok but what about certs?
