depth0cert

Problem with PKI in a newer version of CAPsMAN

Mon Oct 17, 2022 1:25 pm

My config worked for years before release 7.6beta10 (7.6beta10, 7.6rc1, 7.6rc2, 7.6rc3 have the issue; 7.6beta8 does not).
Version 7.6beta10, with its change "certificate - improved certificate management, signing and storing processes", brought problems.
I'm importing only the .crt file of the CA certificate for CAPsMAN (clean fresh install - netinstall or VHDX, VMDK, VDI, OVA); I do not want to save the CA private key on the router.
Support did not reproduce the console history and just said: "Does it still work if you enable the key after importing the certificate? It should work". (SUP-95194).

[admin@MikroTik] > /certificate add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=2048 key-usage=key-cert-sign,crl-sign
[admin@MikroTik] > /certificate sign "r1-ca"
  progress: done

[admin@MikroTik] > /certificate add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=2048 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
[admin@MikroTik] > /certificate sign "r1" ca="r1-ca"
  progress: done

[admin@MikroTik] > /certificate export-certificate r1-ca file-name=r1-ca export-passphrase=passphrase type=pem
[admin@MikroTik] > /certificate export-certificate r1 file-name=r1 export-passphrase=passphrase type=pkcs12
[admin@MikroTik] > /certificate/remove r1-ca
[admin@MikroTik] > /certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase="passphrase"
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@MikroTik] > /certificate/import file-name="r1.p12" name="r1" passphrase="passphrase"
     certificates-imported: 1
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@MikroTik] > /caps-man/manager/set ca-certificate=r1-ca certificate=r1 enabled=yes require-peer-certificate=yes
input does not match any value of ca-certificate
