rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Question about moving certificates to another mikrotik

Fri Jun 10, 2022 6:43 pm

Hello team!

I have an SSTP VPN with CA and Server certificates working in a Mikrotik
I need to transfer the certificates to another hardware which will be a backup (so both should work)
I have exported both certificates in the first Mikrotik using a password
Copied the files to the second Mikrotik
Imported both CRT files in the second Mikrotik
Renamed the certificates in the second Mikrotik to match the names in the first Mikrotik
At this point, the CA Certificate has only the "AT" flags and the Server Certificate has only the flag "T"
In the first Mikrotik, the CA Certificate has "KAT" flags and the Server Certificate has "KIT" flags

Do I need to sign the certificates again?
If I try to sign it, the following error appears: "Couldn't start - At least one field specifying certificate name should be set!"
If I open each certificate in the winbox GUI, click the "Import" button and select each key file, the "K" flag appears on both
The Server certificate is still without the "I" flag, which I think is because it is not issued yet in this Mikrotik
Do I need to do something else to make it work?

Thanks in advance!
Regards
Damián
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Question about moving certificates to another mikrotik  [SOLVED]

Fri Jun 10, 2022 6:48 pm

Try exporting a .backup and reimporting it on similar hardware.
I do not remember if .backup also exports certificates,
but it is perfectly logical that a CA exists only one time...
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about moving certificates to another mikrotik

Fri Jun 10, 2022 7:13 pm

I didn't test it lately, but AFAIK there's no good solution for this. Backup should have everything, so you should be able to restore it on another device (even if it's not exactly supported) and get certificates including their relations (when they are issued by CA on RouterOS). But better test it, if you want to be 100% sure. But if you want to have a live backup, where both devices are active (perhaps with some small config differences) and only synchronize certificates, I don't think it can be done. You can export and import certificates and keys individually, but relations will be lost, so e.g. revoking a certificate originally issued on another device won't work. My current solution is to use an external CA (XCA is a nice tool).
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: Question about moving certificates to another mikrotik

Fri Jun 10, 2022 8:51 pm

Thanks a lot to both!!!!

The second Mikrotik is an RB1100x4, the first Mikrotik is an RB1100x4 Dude edition
I don't know why I had used export without trying backup
Just tried backup and it worked, at least everything is like in the first Mikrotik (I can't test the VPN yet)

Regards,
Damián
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Question about moving certificates to another mikrotik

Sat Jun 11, 2022 12:21 am

Remember to restore all ethernet, bridge and tunnel MACs so that you do not have duplicated MACs!!!
How to: do an /export and see inside all the "cloned" MACs.
For ethernet/sfp/qsfp you can simply do:
/int eth reset-mac-address [find]
For wireless (not present on 1100) it is more complicated,
but for all tunnels that need a MAC, it must be manually changed,
and on bridges also the administrative-mac-address must be aligned with the right MAC for the first ethernet (or the tunnel) interface
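
The /export check described in the post above, as an added example that is not part of the original thread: a small Python script that lists every MAC set explicitly in a saved export and reports the ones that appear on both routers. It assumes the default compact /export output saved as text from each device (bridges show the setting as `admin-mac`); the two sample exports are constructed.

```python
import re
from collections import defaultdict

# Constructed samples: ORIGINAL is router A, RESTORED is router B after the
# .backup from A was loaded onto it. Addresses are made up for illustration.
ORIGINAL = r"""
/interface bridge
add admin-mac=48:8F:5A:00:00:01 auto-mac=no name=bridge1
/interface eoip
add mac-address=02:11:22:33:44:55 name=eoip1 remote-address=192.0.2.2 tunnel-id=1
"""
RESTORED = r"""
/interface bridge
add admin-mac=48:8F:5A:00:00:01 auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=\
    48:8F:5A:00:00:01
/interface eoip
add mac-address=02:11:22:33:44:55 name=eoip1 remote-address=192.0.2.2 \
    tunnel-id=1
"""

MAC_RE = re.compile(
    r"(?<![\w-])(mac-address|admin-mac)=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")

def explicit_macs(export_text):
    """Map each MAC set explicitly in an export to the (menu, key) pairs setting it."""
    # RouterOS wraps long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    found, section = defaultdict(list), ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # menu path, e.g. "/interface ethernet"
            continue
        for key, mac in MAC_RE.findall(line):
            found[mac.upper()].append((section, key))
    return dict(found)

def shared_macs(export_a, export_b):
    """MACs configured explicitly on both routers, with where each one is set."""
    a, b = explicit_macs(export_a), explicit_macs(export_b)
    return {mac: (a[mac], b[mac]) for mac in sorted(a.keys() & b.keys())}

if __name__ == "__main__":
    for mac, (on_a, on_b) in shared_macs(ORIGINAL, RESTORED).items():
        print(f"{mac} duplicated: A={on_a} B={on_b}")
```

An ethernet `mac-address=` line in the restored router's compact export is itself a sign of an override left by the restore, since the factory address is not written out there.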
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: Question about moving certificates to another mikrotik

Sat Jun 11, 2022 5:17 am

Thanks, I already did this.
I just did not know the "[find]" part, I had to write all the interface names xD

Regards,
Damián
