depth0cert
just joined
Topic Author
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Problem with PKI in a newer version of RouterOS

Sat Sep 10, 2022 1:03 pm

My config worked for years before the release of 7.5beta5.
Version 7.5beta8, with its change "fixed handling of empty AKID by SCEP client", brought problems.
I have installed the latest version of RouterOS on two VMs, an IKEv2 responder and an initiator (any ROS >= 7.5beta8, fresh install from the OVA file).

r1
/certificate add name="r1-ca" common-name="r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
/certificate sign "r1-ca"
/certificate add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
/certificate sign "r1" ca="r1-ca"
/certificate add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
/certificate sign "r1-r2" ca="r1-ca"
/certificate export-certificate r1-ca file-name=r1-ca
/certificate export-certificate r1 file-name=r1
/certificate export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2

r2
/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1

Result:
r1:
unable to get local issuer certificate(20) at depth:0 cert:CN=r1-r2
can't verify peer's certificate from store

r2:
got fatal error: AUTHENTICATION_FAILED
 
depth0cert

Re: Problem with PKI in a newer version of RouterOS

Mon Sep 19, 2022 2:22 pm

On a fresh install of 7.6beta7 the issue is reproduced. Please fix it.
 
depth0cert

Re: Problem with PKI in a newer version of RouterOS

Sun Sep 25, 2022 11:36 am

It seems that on a fresh install of 7.6beta8 the issue is not reproduced. Thank you.
 
depth0cert

Re: Problem with PKI in a newer version of RouterOS

Sat Oct 01, 2022 12:55 pm

On a fresh install of 7.6beta10 the issue is reproduced. Please fix it again.
 
depth0cert

Re: Problem with PKI in a newer version of RouterOS

Sun Oct 09, 2022 3:15 pm

On a fresh install of 7.6rc1 there is an issue with certificate import for CAPsMAN. Please fix it.
