 
fwedvteam
just joined
Topic Author
Posts: 5
Joined: Fri Jan 13, 2023 3:30 pm

Certificate Key Import not possible on v7.7

Fri Jan 13, 2023 3:47 pm

Hello,

starting with RouterOS 7.7 I am not able to import a certificate key. The certificate is created with EasyRSA, which we have been using for a long time. I can import the certificate successfully but not the key. With ROS 7.6 it works without any problems.
I got no error, it does nothing.
There are changes to certificate import in the changelog. Could it be a bug? How can I find out where the problem is?

Tell me if you need some more details.

Thanks a lot!

Best regards
Frank
 
kalderista
just joined
Posts: 1
Joined: Mon Jan 16, 2023 1:58 pm

Re: Certificate Key Import not possible on v7.7

Mon Jan 16, 2023 2:00 pm

Hi,

I have the same issue too. :(

Regards
 
strods
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Certificate Key Import not possible on v7.7

Mon Jan 16, 2023 6:44 pm

What kind of algorithms do you use? Starting from RouterOS v7.7, some of the very old mechanisms, for example the PKCS#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they cannot be considered "secure".
 
fwedvteam
just joined
Topic Author
Posts: 5
Joined: Fri Jan 13, 2023 3:30 pm

Re: Certificate Key Import not possible on v7.7

Tue Jan 17, 2023 10:33 am

Hi,

thanks for your reply. We are using "sha256RSA"

Best regards
Frank
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Certificate Key Import not possible on v7.7

Tue Jan 17, 2023 12:17 pm

Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
 
fwedvteam
just joined
Topic Author
Posts: 5
Joined: Fri Jan 13, 2023 3:30 pm

Re: Certificate Key Import not possible on v7.7

Tue Jan 17, 2023 1:53 pm

Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
I can, but tell me what you need. If it's not clear, we have no issues with the certificate, only with the Key.
 
RichieB
just joined
Posts: 1
Joined: Wed Jan 18, 2023 6:56 pm

Re: Certificate Key Import not possible on v7.7

Wed Jan 18, 2023 7:31 pm

We were seeing the same problems with certificates generated by EasyRSA. Up to v7.6 no issues, starting with v7.7 they refuse to import. The output is:
> /certificate import file-name="test.p12" name="test" passphrase=1234
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 1
  keys-with-no-certificate: 0
EasyRSA uses OpenSSL to generate the p12 files with the default PKCS#12 algorithms. This gives:
# openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
    friendlyName: my test
subject=/CN=test
issuer=/CN=test CA  
As stated above pbeWithSHA1And40BitRC2-CBC is no longer supported in v7.7. The solution is to change the ciphers in the OpenSSL pkcs12 export:
$ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES ....
$ openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44 
    friendlyName: my test
subject=/CN=test
issuer=/CN=test CA  
For EasyRSA you can set this in the appropriate line of the easyrsa script:
pkcs_opts="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
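
An added example, not part of the post above or of EasyRSA: a shell function that reads `openssl pkcs12 -info` text and labels each encrypted bag with what this thread reports for RouterOS v7.7. The names `classify_p12_pbe`, `SAMPLE_RC2` and `SAMPLE_3DES` are hypothetical and the sample text is constructed; only the two verdicts come from the thread.

```shell
#!/bin/sh
# classify_p12_pbe: read `openssl pkcs12 -info` text on stdin and print one
# line per encrypted bag: "<verdict> <bag> <algorithm>".
# Verdicts are limited to what this thread reports for RouterOS v7.7:
#   rejected  pbeWithSHA1And40BitRC2-CBC
#   accepted  pbeWithSHA1And3-KeyTripleDES-CBC
#   unknown   any other algorithm (not discussed in the thread)
# Exit status is 1 if any bag is "rejected", otherwise 0.
# Typical use (openssl writes the -info lines to stderr, hence 2>&1):
#   openssl pkcs12 -in test.p12 -info -noout 2>&1 | classify_p12_pbe
classify_p12_pbe() {
    awk '
        BEGIN { bad = 0 }
        /^PKCS7 Encrypted data:/ { bag = "cert-bag" }
        /^Shrouded Keybag:/      { bag = "key-bag" }
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            alg = $0
            sub(/^[^:]*:[ \t]*/, "", alg)   # drop the "Label: " prefix
            sub(/,.*$/, "", alg)            # drop ", Iteration N" and later
            if (alg == "pbeWithSHA1And40BitRC2-CBC") {
                v = "rejected"; bad = 1
            } else if (alg == "pbeWithSHA1And3-KeyTripleDES-CBC") {
                v = "accepted"
            } else {
                v = "unknown"
            }
            print v, bag, alg
        }
        END { exit bad }
    '
}

# Constructed samples modelled on the -info output quoted in the post.
SAMPLE_RC2='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

SAMPLE_3DES='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag'

printf '%s\n' "$SAMPLE_RC2"  | classify_p12_pbe || echo "re-export before upload"
printf '%s\n' "$SAMPLE_3DES" | classify_p12_pbe
```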
 
fwedvteam
just joined
Topic Author
Posts: 5
Joined: Fri Jan 13, 2023 3:30 pm

Re: Certificate Key Import not possible on v7.7

Thu Jan 19, 2023 10:36 am

We do not have PKCS12, we use x509 Certificate with RSA key.
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
 
fwedvteam
just joined
Topic Author
Posts: 5
Joined: Fri Jan 13, 2023 3:30 pm

Re: Certificate Key Import not possible on v7.7

Fri Feb 03, 2023 4:02 pm

For me it's working again with routeros-7.8beta3.

Thanks!
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Certificate Key Import not possible on v7.7

Fri Feb 03, 2023 9:10 pm

That's good news. Looks like I found a case where it is failing for me as well... Any chance we will see this in something like version 7.7.2?
 
depth0cert
just joined
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: Certificate Key Import not possible on v7.7

Sat Feb 04, 2023 4:36 pm

What kind of algorithms do you use? Starting from RouterOS v7.7, some of the very old mechanisms, for example the PKCS#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they cannot be considered "secure".

SUP-106766 private-keys-imported: 0

NETINSTALLED 7.8beta3

[admin@MikroTik] > /certificate add common-name=r1-ca days-valid=3652 key-size=prime256v1 key-usage=key-cert-sign,crl-sign name=r1-ca subject-alt-name=email:r1-ca
[admin@MikroTik] > :do {/certificate sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
  progress: done
[admin@MikroTik] > /certificate export-certificate r1-ca file-name=r1-ca export-passphrase=passphrase type=pem
[admin@MikroTik] > /certificate remove r1-ca
[admin@MikroTik] > /certificate import file-name=r1-ca.crt name=r1-ca passphrase=passphrase
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@MikroTik] > /certificate import file-name=r1-ca.key name=r1-ca passphrase=passphrase
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
 
SergioGC
just joined
Posts: 7
Joined: Tue Jan 24, 2023 12:03 pm

Re: Certificate Key Import not possible on v7.7

Sat Feb 04, 2023 7:11 pm

I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
 
KeitaroBR
just joined
Posts: 2
Joined: Wed Oct 26, 2022 3:56 pm

Re: Certificate Key Import not possible on v7.7

Sat Feb 18, 2023 2:25 am

I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
This worked for me as well!
 
arnaldo
newbie
Posts: 45
Joined: Wed Sep 21, 2016 2:38 am
Location: localhost.localdomain

Re: Certificate Key Import not possible on v7.7

Wed Feb 22, 2023 7:13 pm

I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Let's Encrypt - using a script that is a few years old).

I can confirm that by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled or the -descert option is used. By using -descert the resulting PKCS#12 file uses pbeWithSHA1And3-KeyTripleDES, which is (still) accepted by ROS 7.7.

Knowing that pbeWithSHA1And40BitRC2 is no longer accepted was key. A small fix in my script and voila!
 
MetUys
newbie
Posts: 31
Joined: Mon Mar 17, 2014 1:19 pm

Re: Certificate Key Import not possible on v7.7

Mon Mar 06, 2023 2:20 pm

I'm having the same problem. Just implemented two new Mikrotiks freshly done with netinstall to v7.8.
I'm using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and have added the "-UseModernPfxEncryption" to the certificate generation process, but I am still running into the issue.
When I import the certificate files (pfx full chain + key file) it gives me this output:
     certificates-imported: 0     
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 1
Where am I going wrong?

PS: key file imports, it's the pfx that is now not importing (did on previous versions).
 
sebus46
newbie
Posts: 31
Joined: Sat Jun 17, 2023 4:59 pm

Re: Certificate Key Import not possible on v7.7

Sat Jun 17, 2023 5:37 pm

I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
Let's Encrypt client 0.38 le64.exe

The created crt does indeed have 2 blank lines at the very end

That was not a problem ever up to 6.48.7
Now upgraded to RB4011, which came with factory 7.8, and these 2 lines cause the crt to not import (but also not fail explicitly)

Once removed, the import works again. IMO that is a bug

sebus
 
venc0r
just joined
Posts: 1
Joined: Sun Jul 16, 2023 3:50 pm

Re: Certificate Key Import not possible on v7.7

Sun Jul 16, 2023 4:00 pm

I could not import the root CA cert of Let's Encrypt (ISRG Root X1). In my case I had to convert the file to Unix line endings; the downloaded one had Windows line endings.
  model: RB960PGS
  revision: r2
  firmware-type: qca9550L
  factory-firmware: 6.44.6
  current-firmware: 7.10.1
  upgrade-firmware: 7.10.1

This can be done in any good editor, in my case vim
:set fileformat=unix


to save and quit in vim
:x
 
Milan
just joined
Posts: 21
Joined: Tue Mar 05, 2013 3:34 am

Re: Certificate Key Import not possible on v7.7

Thu Aug 24, 2023 11:32 am

I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
Same problem here. Will try to update to v7.11 where some certificate bugs are fixed (as mentioned in changelog).
 
iotstool
just joined
Posts: 1
Joined: Fri Mar 17, 2023 12:08 pm

Re: Certificate Key Import not possible on v7.7

Tue Jan 09, 2024 10:32 pm

The error that RouterOS v. 7.13.1 does not import a certificate with CRLF line endings (visible in an editor as ^M$) seems to persist. My *.pem file was downloaded with the Firefox browser on a Linux system.

I've converted line endings with vim and all is ok.
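
An added example, not code from any poster or from MikroTik: a shell pre-flight for the two PEM formatting problems reported in this thread, CRLF line endings and blank rows at the end of the file. The function names `pem_lint` and `pem_normalize` are hypothetical, and the sample file is constructed and is not a real certificate.

```shell
#!/bin/sh
# pem_lint FILE: print "crlf" and/or "trailing-blank" if FILE has the
# formatting problems reported in this thread; print nothing if clean.
pem_lint() {
    awk '
        /\r$/ { crlf = 1 }
        { last = $0; sub(/\r$/, "", last) }   # remember last line, CR removed
        END {
            if (crlf) print "crlf"
            if (NR > 0 && last ~ /^[ \t]*$/) print "trailing-blank"
        }' "$1"
}

# pem_normalize IN OUT: write a copy of IN with LF line endings and no
# blank lines after the last non-blank line. IN itself is not modified.
pem_normalize() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*$/ { pending++; next }   # hold blank lines back
        {
            # a non-blank line follows, so the held lines were interior
            while (pending > 0) { print ""; pending-- }
            print
        }
    ' > "$2"
}

# Constructed sample: CRLF endings plus two blank rows at the end.
demo=$(mktemp) && fixed=$(mktemp)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' '' '' > "$demo"
pem_lint "$demo"                 # reports both problems
pem_normalize "$demo" "$fixed"
pem_lint "$fixed"                # prints nothing: safe to upload
```

Writing to a separate output file keeps the original download available for comparison if an import still fails.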
