foster04
just joined
Topic Author
Posts: 4
Joined: Fri Apr 29, 2022 9:05 pm

CSR for SSTP VPN

Fri Apr 29, 2022 9:09 pm

Hi,

There are a bunch of docs outlining how to setup SSTP with a self-signed SSL Certificate.
This however, would create additional steps for anyone who wishes to use the VPN services by having to add the certs into Windows.

I intend to deploy a valid (paid) ssl cert for the SSTP VPN.
The problem I am having is that there is no place where it is explained how to generate a CSR from Mikrotik.
I have used the openssl option from a Linux box, in order to get the certs signed by a CA. Is this a valid option?

If not, can anyone point me to the right direction, to a valid document outlining how this is done?

Thanks
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: CSR for SSTP VPN

Fri Apr 29, 2022 10:23 pm

Hi,
This is the way :d
/certificate create-certificate-request
Best document is F1 in terminal.
https://wiki.mikrotik.com/wiki/Manual:C ... rtificates
https://help.mikrotik.com/docs/display/ROS/Certificates

Although, the MT Wiki has an OpenSSL method. I think other than the certificate signing there is no difference; also, most of the SSL resellers have a page to create a CSR. The most important part is, if you are running V7, you can use the Let's Encrypt certificate. One more thing: if you are running only Windows and using a self-signed cert, if you have an Active Directory you can use GPO for certificate import, or even remote/local PowerShell easily.
Add-VpnConnection -Name "SSTP" -ServerAddress "sstp.domain.xyz:443" -TunnelType "sstp" -AuthenticationMethod "MSChapv2"
Set-VpnConnection -Name "SSTP" -RememberCredential $True -SplitTunneling $False -EncryptionLevel Required -PassThru -Force
Set-VpnConnection -Name "SSTP" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-sstp.domain.xyz.crt'
CERTUTIL -addstore -enterprise -f -v root "C:\VPN\Certs\ca-sstp.domain.xyz.crt"
CERTUTIL -f -p 1234567890 -importpfx "C:\VPN\Certs\sstp.domain.xyz.p12"
 
dashi
just joined
Posts: 1
Joined: Mon May 02, 2022 3:36 am

Re: CSR for SSTP VPN

Mon May 02, 2022 3:40 am

I was struggling with this for a long time too. It's actually very simple.

Generate CSR and save/copy it into a txt or a .key file.
Download the certificate from SSL provider.

Upload these two files to mikrotik.
Import the certificate file first, then import the key file. If this is successful, your certificate will have a status of K in front of it.

In PPP, SSTP server, set to use this certificate.

Now you can connect to the server simply using domain name + username/password.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CSR for SSTP VPN

Tue May 03, 2022 8:28 pm

The certificate-based security works best if the private key to the certificate doesn't ever leave the device that uses the certificate to prove its identity. So to create a CSR directly on the Mikrotik itself:
  1. create a /certificate item filled with the required key-usage, common-name, subject-alt name etc. fields using /certificate add name=xxxx ...
  2. use /certificate create-certificate-request template=xxxx; you will be prompted for a key-passphrase:, type in a passphrase for the private key carefully (there is no "type it again for verification"), you will need it to install the signed certificate later. This will create two files, certificate-request.pem and certificate-request_key.pem
  3. download the certificate-request.pem one and send it to the CA for signing; don't touch the certificate-request_key.pem one.
  4. once you receive the signed certificate from the CA, upload it to the Mikrotik into yet another file - say, mysignedcert.crt
  5. use /certificate import file-name=mysignedcert.crt to import the certificate itself first, responding with just [Enter] to the passphrase: prompt
  6. use /certificate import file-name=certificate-request_key.pem to import the private key to the certificate; this time, enter the passphrase you've entered in step 2 once prompted for it.
 
foster04
just joined
Topic Author
Posts: 4
Joined: Fri Apr 29, 2022 9:05 pm

Re: CSR for SSTP VPN

Wed May 04, 2022 7:04 am

Giving this another try today. I'll report back what works, with details.
 
foster04
just joined
Topic Author
Posts: 4
Joined: Fri Apr 29, 2022 9:05 pm

Re: CSR for SSTP VPN

Wed May 04, 2022 7:11 am

Dashi,

Have you done this with a single FQDN certificate, or by any chance have you done that with a wildcard certificate?
Basically I already gave this a try, but it did not work.

Do I need to use any specific naming convention on the files I upload to the MT box?
This is what I did:
1. Generated a CSR with openssl on a Linux box. This creates two files: CSR which is used for CA to issue the Cert, and a .key file.
2. Uploaded both of those to the Mikrotik Box.
3. Uploaded the Cert I got from the CA as well.
4. Imported all files, some names changed. (This is why I ask about any special naming convention for the filenames)
5. Configured the SSTP profile to use the cert.
6. Configured the Windows 10 PC to connect. It failed due to algorithm mismatch or something.

I will take it all from the start again tomorrow.
Thanks everyone for your replies.

Cheers
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: CSR for SSTP VPN

Fri May 06, 2022 10:19 am

4. imported all files, some names changed. (This is why I ask about any special naming convention for the filenames)
5. Configured the SSTP profile to use the cert.

The names of the files you upload to the MikroTik don't matter as the unit will pull the certificate information (including names) from the file contents and, yes, this can/will result in name changes when shown in the certificates list. Don't worry about it.

Configured the SSTP profile to use the cert: This is the tricky one.
  • I have seen cases where the connection only works when using the IP address rather than the FQDN and this is (usually) due to a mistake when generating the CSR. Since you got a cert back from the CA this isn't likely to be the problem.
  • You may need to upload, import and trust the CA's signing public certificate to the MikroTik before you can use the issued certificate properly. The CA should provide instructions on where to download their public certificate from.

Good luck.
 
foster04
just joined
Topic Author
Posts: 4
Joined: Fri Apr 29, 2022 9:05 pm

Re: CSR for SSTP VPN

Sat May 07, 2022 6:31 am

OK so, I got it working. I'll post my setup here (mistakes as well) and how I solved them.

A) My Setup:
1. Mikrotik with Valid (paid) Wildcard SSL Certificate.
2. No certificate on the client side.
3. No clients are registered on the Mikrotik, all users authenticate against a RADIUS Server. (This has NO effect on the SSL and Server Settings).
4. Each client gets a Public IP Address from the Mikrotik (No Nat, No Private IP Addresses)


B) The Server Setup.
1. Hostname: The server has to have a valid FQDN. In my case I use sstp01.domain.com. This needs to be done at System --> Identity.
2. DNS: The server must have Values on TWO places, the server itself at IP ----> DNS and at the PPP Profile Level. I used the "Default Encryption" profile. The Profile needs to have a DNS Server, otherwise when clients connect they will have a hard time resolving queries.
3. The PPP Profile has to have the "Use Encryption" set to yes. (at least in my setup)
4. The SSTP Server Tab is set to:
4.1 Port: 443
4.2 Max MTU and MRU: 1500 (defaults)
4.3 Authentication: mschap2 ONLY
4.4 Other Checks: Force AES and PFS. NO client certificate verification.

C) Users / Secrets.
Since I am using a centralized system for this (FreeRADIUS backend and Daloradius as Frontend) I did not add any users/secrets here however, this should work just fine.
If anyone out there is trying to set this up against a radius server, make sure to:
1. On the PPP Tab, Navigate to Secrets and then PPP Authentication & Accounting, here, just click on "Use Radius". Make sure Accounting is also selected.
2. On System ---> Users ---> AAA, check the "Use Radius" option.
3. On the RADIUS Tab, make sure you add your Radius Server there with all your Radius Info.

D) The Damn SSL Certificates.
This was the most difficult thing to setup because of the lack of documentation out there for PAID certificates. On top of that, I am using a Wildcard SSL Certificate, which makes things a bit trickier.

My Mistake: My FQDN at the start of this was sstp01.ch01.domain.com HOWEVER, this is wrong, the FQDN can only go back one level:
BAD FQDN: sstp01.ch01.domain.com
GOOD FQDN: sstp01.domain.com

Now, let's talk about the SSL itself.
1. Don't bother generating the SSL on the Mikrotik itself; at least for me it is way easier doing it on a Linux box.
I know, some people will say to keep the CSR (the Certificate Signing Request) file only on the box itself; however, I think we can take care of the files without issues.
Command used to generate the CSR which will then be used to purchase the Certificate from a Certificate Authority (CA).
1.1 Command: openssl req -new -newkey rsa:2048 -nodes -keyout *.yourdomain.com.key -out sstp01.csr
1.2 You will use the CSR to purchase the SSL. Make sure to keep the Key file safe.
1.3 Next, you will need to upload TWO files to the Mikrotik Box: The Key File (in this case *.yourdomain.com.key) and the Certificate you got from the CA.
NOTE: If you are using a single host certificate, the file should be something like vpn.yourdomain.com.key instead of *.yourdomain.com.key
1.4 You can drag the files into the Mikrotik, or if you are using a Linux Box like me and that for some reason doesn't work, you can always FTP into your mikrotik and PUT the file there.
1.5 Once the files are uploaded, you must import them. Import the certificate you got from the CA FIRST, this is important, THEN after this, import your key.
1.6 After this is done, then go back to PPP ----> SSTP Server and make sure to select the certificate you just imported, to be used by the SSTP Server.

E) The Windows Client
I am using a Windows 10 VM to test this.
1. Create a VPN profile as you would normally do, use the FQDN you setup, not an IP Address and make sure to select SSTP as the protocol to be used.
2. Save your settings and Open the Network and Sharing Center, you will need to make a few modifications to the VPN profile you just created.
3. Right-Click on the SSTP profile and click on Properties ---> Security. Make sure Encryption IS required and select mschap2 as the authentication protocol.

That's it (I think I didn't miss anything)

Enjoy
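A pre-upload check that goes with the openssl route in the post above and equally with the on-router CSR route sindy described: before any file goes to the MikroTik, confirm that the CSR carries the VPN host name as a subjectAltName, that the certificate the CA returned actually belongs to your private key (this pairing is what the K flag dashi mentions shows after import), and that the certificate's name covers the host the clients will dial. It also makes the "FQDN can only go back one level" finding concrete: a wildcard such as *.domain.com matches exactly one label, so sstp01.domain.com is covered and sstp01.ch01.domain.com is not. This is an added example script, not code from any poster or from MikroTik; it assumes OpenSSL 1.1.1 or newer on the PATH, uses the constructed names *.example.com, sstp01.example.com and sstp01.ch01.example.com, and stands in for the CA with a self-signed certificate built from the same CSR so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Generate an SSTP server key and CSR with a
# subjectAltName, then verify an "issued" certificate against that key and the VPN
# host name before anything is uploaded to the router.
# Assumptions: OpenSSL 1.1.1+ on PATH; *.example.com / sstp01.example.com are
# constructed placeholder names.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_csr KEYFILE CSRFILE NAME
# The name goes into both CN and subjectAltName; Windows matches the server name
# against the SAN, so a CN-only CSR can yield a cert the client still rejects.
# -nodes writes the key unencrypted so the demo runs unattended; for a real key,
# drop -nodes and choose a passphrase (or create the CSR on the router so the
# key never leaves it, as sindy suggests).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# csr_san CSRFILE -> prints the SAN value of the request, e.g. "DNS:*.example.com"
csr_san() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# key_matches_cert KEYFILE CERTFILE -> exit 0 if the certificate's public key is
# the one derived from the private key (the pairing RouterOS marks with flag K).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_names_host CERTFILE HOST -> exit 0 if the certificate's names cover HOST.
# OpenSSL applies the one-label wildcard rule: *.example.com covers
# sstp01.example.com but not sstp01.ch01.example.com.
cert_names_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# fake_ca_sign CSRFILE KEYFILE NAME CERTFILE
# Stand-in for the CA: self-sign the request, re-adding its SAN via -extfile
# (x509 -req does not copy request extensions on older OpenSSL releases).
fake_ca_sign() {
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$1" -signkey "$2" -days 30 -extfile "$WORKDIR/san.ext" \
    -out "$4" 2>/dev/null
}

# run_demo: wildcard key + CSR, a stand-in issued cert, and a second unrelated
# key to show what a key/cert mismatch looks like before it reaches the router.
run_demo() {
  make_csr "$WORKDIR/wildcard.key" "$WORKDIR/wildcard.csr" '*.example.com'
  fake_ca_sign "$WORKDIR/wildcard.csr" "$WORKDIR/wildcard.key" '*.example.com' "$WORKDIR/wildcard.crt"
  make_csr "$WORKDIR/other.key" "$WORKDIR/other.csr" 'other.example.com'

  echo "CSR SAN: $(csr_san "$WORKDIR/wildcard.csr")"
  for key in wildcard other; do
    if key_matches_cert "$WORKDIR/$key.key" "$WORKDIR/wildcard.crt"; then
      echo "$key.key matches wildcard.crt: safe to upload both"
    else
      echo "$key.key does NOT match wildcard.crt: the import would never get flag K"
    fi
  done
  for host in sstp01.example.com sstp01.ch01.example.com; do
    if cert_names_host "$WORKDIR/wildcard.crt" "$host"; then
      echo "$host is covered by wildcard.crt"
    else
      echo "$host is NOT covered by wildcard.crt"
    fi
  done
}

run_demo
```

Run it as-is to see the four verdicts; for a real deployment, point key_matches_cert and cert_names_host at your own .key file and the certificate the CA sent back, and only upload the pair once both checks pass. If the CA's file is a bundle, MickeyT's point still applies: the intermediate/root certificates in it are imported and trusted on the router separately from the server certificate.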
