ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Updating CA root certs regularly

Fri Nov 27, 2020 1:58 pm

What is the best way to update CA root certs? I am running the script below every 7 days, but I wondered if there is a better way to work out if they actually *need* updating before downloading, deleting and replacing certs every week.

Also - can running this every week damage flash RAM (or whatever memory is inside it)?
{
  :do {
      # fetch the bundle first: check-certificate=yes is verified against the CAs currently installed
      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
      # [find] matches every certificate on the router, not only CA certs
      # (if the import below fails, the store is left empty and the next fetch with
      # check-certificate=yes cannot verify mkcert.org any more)
      /certificate remove [find];
      /certificate import file-name=cacert.pem passphrase="";
      /file remove cacert.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
 
pe1chl
Forum Guru
Posts: 7176
Joined: Mon Jun 08, 2015 12:09 pm

Re: Updating CA root certs regularly

Fri Nov 27, 2020 2:23 pm

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
 
ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Fri Nov 27, 2020 2:27 pm

pe1chl wrote:
Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
ok, thanks
 
eworm
Forum Veteran
Posts: 738
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Updating CA root certs regularly

Fri Nov 27, 2020 7:10 pm

No need to remove all certificates... You could just remove the expired ones to clean up.
/certificate remove [ find where authority expired ];
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:31 pm

eworm wrote:
No need to remove all certificates... You could just remove the expired ones to clean up.
/certificate remove [ find where authority expired ];
Thanks - will the certificate import command then only import the new ones or will it write them all again?
/certificate import file-name=cacert.pem passphrase="";
 
ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:32 pm

pe1chl wrote:
Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
So if I run it every 3 months and a cert expires the day after the last script run, then potentially I wait 3 months for this remote site to update root certs so the dynamic DNS IP update script can run via https.
 
pe1chl
Forum Guru
Posts: 7176
Joined: Mon Jun 08, 2015 12:09 pm

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:47 pm

It would be very bad practice for a certificate issuer to update their root certs only the day before they expire!
Remember all certs issued to clients depend on the root cert to be valid at least as long as the issued certificate.
As these are valid often for a year, the new root cert should be issued at least a year before the old one expires.
And these are usually valid for 10 years or so.
 
ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:49 pm

That makes perfect sense! Thanks.
 
ilium007
Member Candidate
Topic Author
Posts: 133
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:52 pm

I will run this every 6 months then. Is there any way to only import the certs that expired, or will this import all and overwrite existing certs?
{
  :do {
      # fetch first, while the current CA set can still verify mkcert.org
      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
      # only CA certificates that have passed their expiry date are dropped;
      # certificates with private keys (router services) are left alone
      /certificate remove [ find where authority expired ];
      /certificate import file-name=cacert.pem passphrase="";
      /file remove cacert.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
 
eworm
Forum Veteran
Posts: 738
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Updating CA root certs regularly  [SOLVED]

Sun Nov 29, 2020 1:10 am

Certificates that do not change are untouched. Have a look at the import output, it should give some numbers.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
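The question the thread started with (how to tell whether the store actually needs updating before downloading and re-importing) and the two follow-ups (which certs are new, which are expired) can all be answered by comparing fingerprints of a freshly fetched bundle against the bundle you imported last time. The script below is an added example written for this thread, not RouterOS script and not code from the forum, mkcert.org or MikroTik: it runs on a management host with only the Python standard library, splits a PEM bundle into DER blobs, fingerprints each one with SHA-256, walks just enough of the X.509 DER structure to read notAfter, and returns what would have to be imported or removed. The "installed" input is assumed to be the last bundle you imported, kept beside the script as a snapshot. The two sample bundles are constructed unsigned DER skeletons with the X.509 field order, built only so the example runs offline; they are not real CA certificates.

```python
"""Plan a CA-bundle update: only fetch/import when fingerprints actually changed.

Added example for the forum thread above; not RouterOS code. Standard library only.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_ders(bundle: bytes) -> list:
    """Split a concatenated PEM bundle into DER blobs; text between blocks is ignored."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -sha256 -fingerprint` prints (no colons)."""
    return hashlib.sha256(der).hexdigest()


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos -> (tag, value, next_pos). Single-byte tags, short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list:
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag: int, val: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ, 50-99 -> 19xx) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(der: bytes) -> datetime:
    """Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity -> notAfter."""
    _, cert, _ = _tlv(der)
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])
    return _parse_time(*validity[1])


def plan_update(installed_pem: bytes, fetched_pem: bytes, now: datetime) -> dict:
    """Diff the installed set against a fetched bundle; 'needed' is False when nothing changed."""
    installed = {fingerprint(d): d for d in pem_bundle_to_ders(installed_pem)}
    fetched = {fingerprint(d): d for d in pem_bundle_to_ders(fetched_pem)}
    to_import = sorted(set(fetched) - set(installed))          # new CAs, the only ones import must add
    withdrawn = sorted(set(installed) - set(fetched))          # CAs the bundle no longer ships
    expired = sorted(fp for fp, d in installed.items() if not_after(d) <= now)
    return {"import": to_import, "expired": expired,
            "remove": sorted(set(withdrawn) | set(expired)),
            "needed": bool(to_import or withdrawn or expired)}


# --- constructed test data: unsigned DER skeletons, NOT real certificates ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert_pem(serial: int, not_after_utc: str) -> bytes:
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                      # [0] version v3
        _der(0x02, bytes([serial])),                           # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # signature alg OID
        _der(0x30, b""),                                       # issuer (empty Name)
        _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utc.encode())),
        _der(0x30, b""),                                       # subject (empty Name)
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


# scenario: store holds cert 1 (valid to 2035) and cert 2 (expired 2019); new bundle ships 1 and 3
INSTALLED = _fake_cert_pem(1, "350101000000Z") + _fake_cert_pem(2, "190101000000Z")
FETCHED = _fake_cert_pem(1, "350101000000Z") + _fake_cert_pem(3, "350101000000Z")
NOW = datetime(2020, 11, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = plan_update(INSTALLED, FETCHED, NOW)
    print("update needed:", plan["needed"])
    for fp in plan["import"]:
        print("import", fp)
    for fp in plan["remove"]:
        print("remove", fp)
```

Keeping the previously imported bundle as the comparison baseline means a run that finds `needed` false can skip the remove/import entirely, which also answers the flash-wear worry: nothing is written unless a CA was added, withdrawn or has expired.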
