RouterOS can not store just keys, it stores certificates and adds the key when available. This is what happens if you import client.pem:
- Private key -> no matching certificate -> ignored
- Certificate -> imported
- Certificate -> imported
Then on second import:
- Private key -> matching certificate found -> imported
- Certificate -> already available -> ignored
- Certificate -> already available -> ignored
But this is easy to fix: The PEM file has to contain the certificate and key blocks in correct order, certificates first, keys last. Then import works in one go:
- Certificate -> imported
- Certificate -> imported
- Private key -> matching certificate found -> imported
Make sure the file looks something like this:
-----BEGIN CERTIFICATE-----
MIIFIjCCA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFfTC...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1B58971ECA6D3DD4
Qv2MUB2odq...
-----END RSA PRIVATE KEY-----