check
just joined
Topic Author
Posts: 4
Joined: Fri Jul 03, 2015 11:03 am

Revoked certificates continue to work

Fri Jul 03, 2015 11:20 am

ROS 6.27
Enabled OpenVpn Server. "Require Client Certificate" checkbox - enabled
All certificates (ca,server and client) generated by ROS (System-Certificates)
Openvpn client (Windows GUI) connect successfully.

I revoked client certificate - button "Revoke" (System-Certificates)
Status of that client certificate changed from "KIT" to "KRT"
But the OpenVPN client (Windows GUI) can still connect to the MikroTik OpenVPN server using that revoked certificate.
Is this normal?
Maybe I need to wait some time? If so, how can I force the revoked certificate to stop working?

Thanx
 
mrz
MikroTik Support
Posts: 6345
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Revoked certificates continue to work

Fri Jul 03, 2015 3:37 pm

Did you set CRL while creating CA?
 
check
just joined
Topic Author
Posts: 4
Joined: Fri Jul 03, 2015 11:03 am

Re: Revoked certificates continue to work

Fri Jul 03, 2015 3:44 pm

No.
Can I ask you to give me the freshest link from the MikroTik wiki about "How to set CRL"?
 
mrz
MikroTik Support
Posts: 6345
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Revoked certificates continue to work

Fri Jul 03, 2015 3:47 pm

This should work
http://wiki.mikrotik.com/wiki/Manual:Cr ... n_RouterOS

Also here is an example of certificate and revoke usage
http://wiki.mikrotik.com/wiki/Manual:IP ... rtificates
 
huntah
Member Candidate
Posts: 280
Joined: Tue Sep 09, 2008 3:24 pm

Re: Revoked certificates continue to work

Fri Jul 03, 2015 4:06 pm

Can I join and ask what this host in the Wiki (http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates) is:

/certificate sign ca-template ca-crl-host=10.5.101.16 name=myCa

Is this the router's IP (public or internal)? Which ports must be opened in the IP firewall filter for it to work?
I cannot find any more documentation on this anywhere.

Or should I set up a web server and put the CRL list (file) on that server?

Thank You!
 
mrz
MikroTik Support
Posts: 6345
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Revoked certificates continue to work

Fri Jul 03, 2015 4:33 pm

It can be a MikroTik router or any other web server where you host the CRL.
 
check
just joined
Topic Author
Posts: 4
Joined: Fri Jul 03, 2015 11:03 am

Re: Revoked certificates continue to work

Fri Jul 03, 2015 4:43 pm

Thank you very much
 
vbarinov
just joined
Posts: 2
Joined: Mon Aug 10, 2020 6:06 pm

Re: Revoked certificates continue to work

Mon Aug 10, 2020 7:54 pm

What IP address should be set up as the CRL when the CA certificate is generated? An internal 192.168..., 127.0.0.1, or an external one?
I set up an external one and it's not working. The revoked certificate still works.
 
vbarinov
just joined
Posts: 2
Joined: Mon Aug 10, 2020 6:06 pm

Re: Revoked certificates continue to work

Tue Aug 11, 2020 6:37 pm

OK, last try: 127.0.0.1, the same thing, the revoked certificate still works.
Upgraded to 7.1beta1, the same thing.
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Revoked certificates continue to work

Tue Aug 11, 2020 11:32 pm

The party which evaluates the certificate presented by a remote peer must be able to download the CRL from a web server, and the CA must be able to update it there with new revocations. So if you use 127.0.0.1, I assume you have colocated the CA, the VPN server which evaluates the clients' certificates, and the CRL server all on a single machine. In that case, the /ip service "www" must be enabled on the machine, and the firewall must permit incoming connections to TCP port 80 at least from 127.0.0.1.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Deantwo
Member
Posts: 320
Joined: Tue Sep 30, 2014 4:07 pm

Re: Revoked certificates continue to work

Tue Sep 08, 2020 2:20 pm

And am I to understand that setting the ca-crl-host is only possible when signing the CA certificate?
So the 4-year-old self-signed certificate I have been using will have to be trashed and a new CA created if I want to add a ca-crl-host?

I already had the pleasure of having to run with two separate CA certificates 4 years ago when I migrated to the current CA certificate. I would really hate to have to do this again, since it requires me to run the new CA certificate on a separate router, because the router's OpenVPN server can only have one server certificate at a time.

Is there any solution at all to this without making a totally new CA certificate? Or at least an easier migration method, so the currently issued certificates don't all have to be changed at once?
I wish my FTP was FTL.
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Revoked certificates continue to work

Wed Oct 13, 2021 11:40 pm

vbarinov wrote:
OK, last try: 127.0.0.1, the same thing, the revoked certificate still works.
Upgraded to 7.1beta1, the same thing.
So I've returned to this and found that the old (wiki) manual is really insufficient, and the new (Confluence) one even misleading, as it tells you to self-sign all certificates. The normal procedure is to create a Certification Authority (CA) certificate, which is self-signed, and use it to sign all the certificates to be used by servers and clients.

The following is tested on a CHR running ROS 6.47.9.

While signing the CA certificate, you can specify an IP address or FQDN to be used to create the complete URL of the CRL to be included into the contents of the CA certificate to be generated, using the ca-crl-host parameter. Unless you plan for a more complex setup, it must be one of the own IP addresses of the router that acts as the CA, or an FQDN resolving to one of that router's own addresses. To learn what the resulting URL actually is, you have to export the CA certificate and use some certificate viewer. E.g. when I specified ca-crl-host=crl.home.me, the resulting URL became http://crl.home.me/crl/23.crl; apparently, the number is the sequence number of a certificate to be signed by that router, no matter whether a CA one or any other one. This file is generated by the router, and updated each time you revoke a certificate signed by that CA, but it is not accessible in the file tree.

You can provide a comma-separated list of IP addresses or FQDNs, but only the first one on the list is actually used - there's just a single URL in the certificate.

Contrary to what I have seen on a screenshot in some related post on another forum, the link to that file doesn't dynamically appear in the /certificate crl table on the router itself; you have to add it manually, using the fingerprint of the CA certificate and the URL extracted from it, the same as for a CRL of any external CA you want the router to use.

You also have to set crl-download and crl-use to yes under /certificate settings.

And it's only now that the router itself, when acting e.g. as an IPsec responder, is able to check whether the initiator's certificates have been revoked.

The above is enough to let a router, acting as both a VPN server and a CA, reject incoming connections from clients presenting a revoked certificate. But if the CA is not colocated with the VPN server, the VPN server must be able to fetch the CRL from the CA, and in an ideal world, so should the clients, because the server may hypothetically get stolen too.

Unfortunately, you currently cannot separate the http server used to serve the CRL from the http server used for management access. So if you want to narrow the access to management while keeping access to the CRL widely open, you have to use layer7-protocol regexps to validate the url in the GET packets and eventually reset connections attempting to access other files from other than permitted sources.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
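The mechanism sindy describes, as an added Go example rather than code from the thread or from RouterOS: a constructed CA certificate that carries the CRL URL (the effect of ca-crl-host; the host crl.home.me and the file name 23.crl are taken from the post), the CRL the CA signs after revoking one certificate, and the check a verifying server must run on a downloaded CRL before acting on it. The function names, serial numbers and validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // constructed demo: abort on any PKI error
	if err != nil {
		panic(err)
	}
	return v
}

// buildCA: a CA certificate carrying the CRL URL (what ca-crl-host does) plus the DER CRL signed after revoking serial 2.
func buildCA(crlHost string) (caCert *x509.Certificate, crlDER []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, end := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "myCa"}, NotBefore: now, NotAfter: end,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: []string{"http://" + crlHost + "/crl/23.crl"}} // the URL a viewer shows in the exported CA cert
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: end, // revoking = the CA signing a new CRL
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}}}
	return caCert, must(x509.CreateRevocationList(rand.Reader, crl, caCert, key))
}

// revoked is the verifying side's check (the VPN server with crl-use=yes): trust the downloaded CRL only if this CA signed it and it is fresh.
func revoked(caCert *x509.Certificate, crlDER []byte, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(caCert) != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL rejected (unparsable, not signed by this CA, or past NextUpdate): %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil // not listed; a server that never fetches the CRL can only ever reach this answer
}

func main() {
	ca, crl := buildCA("crl.home.me")
	fmt.Println(ca.CRLDistributionPoints[0], must(revoked(ca, crl, big.NewInt(2)))) // http://crl.home.me/crl/23.crl true
}
```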
