Community discussions

MikroTik App
 
G3nNn3TiC
just joined
Topic Author
Posts: 5
Joined: Thu Feb 04, 2021 3:17 pm

Certificates after restore backup

Mon Jan 09, 2023 12:35 pm

Hi.

I have two same routers (CCR1016), one of these is configured and that contains OVPN settings and certificates, I will to set second router same at first, but after restore backup OVPN connection not working, after run rsc from first router and import certificates, OVPN not working. What is the right way for this? When I import the CA, Server and user certificate the CA column is blank and they are flagged only with K, not with KI... When restore the backup, certificates is flagged only with "I" but not with KI... Can you help me how to move all certificates from one to other router and to working it?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Certificates after restore backup

Mon Jan 09, 2023 3:03 pm

As already written a million times everywhere, the backup is to restore the configuration on the same router, not to copy the configuration elsewhere.

An export (.rsc) and other things must be done to copy everything from one router to another, paying attention to not duplicate MAC addresses and IPs...

viewtopic.php?p=858564#p858564
Last edited by rextended on Mon Jan 09, 2023 3:04 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Certificates after restore backup

Mon Jan 09, 2023 3:03 pm

You cannot restore the backup of one router on another router. That will cause big mayhem.
Reset the router to defaults and build it using import.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Certificates after restore backup

Mon Jan 09, 2023 3:06 pm

[...] When I import the CA, Server and user certificate the CA [...]
And about of CA... another device can't be the same CA, that's how CA was designed to work like this everywhere...
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Certificates after restore backup

Mon Jan 09, 2023 3:10 pm

Whilst the certificates and keys are stored in the .backup they will only be fully restored on the original hardware. The keys will not be restored on other hardware, even if it an identical model. (Whilst restoring a .backup on other devices is not officially supported it mostly works - you can reset the interface MAC addresses to use those of the new hardware, update any explicit MAC addresses on bridges and L2 tunnel interfaces, generate a new SSH host key, etc. if desired. For any certificates with private keys you have to delete those restored then import the certificate and key, certificates without private keys are OK.)

The approved method is to first import any certificates and private keys, changing the certificate store names to match those on the original device, then import the .rsc configuration.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Certificates after restore backup

Mon Jan 09, 2023 4:36 pm

[...] When I import the CA, Server and user certificate the CA [...]
And about of CA... another device can't be the same CA, that's how CA was designed to work like this everywhere...
That is of course not correct. It may behave like that when you use a "simple" system where the router generates all your certificates, but when you do a well-planed certificate rollout you will generate the CA externally and import it everywhere, so everyone can generate mutually compatible certificates.
 
G3nNn3TiC
just joined
Topic Author
Posts: 5
Joined: Thu Feb 04, 2021 3:17 pm

Re: Certificates after restore backup

Tue Jan 10, 2023 3:28 pm

Thank you all, I will try these methods and reply how it works.
 
G3nNn3TiC
just joined
Topic Author
Posts: 5
Joined: Thu Feb 04, 2021 3:17 pm

Re: Certificates after restore backup

Mon Jan 23, 2023 9:51 am

I tried to configure backup router, used .rsc from primary router, imported only one cert for test from primary router, and again it is not working, I tried so much different methods from forum and internet but it is not woking, export certificate from one router to other with same config is not working, I think certs is working only on router where the cert is signed...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Certificates after restore backup

Mon Jan 23, 2023 10:13 am

Already wroted, if just you read...
[...] When I import the CA, Server and user certificate the CA [...]
And about of CA... another device can't be the same CA, that's how CA was designed to work like this everywhere...
 
G3nNn3TiC
just joined
Topic Author
Posts: 5
Joined: Thu Feb 04, 2021 3:17 pm

Re: Certificates after restore backup

Mon Jan 23, 2023 11:23 am

Already wroted, if just you read...
And about of CA... another device can't be the same CA, that's how CA was designed to work like this everywhere...
I know, I just wanted to make sure and give it a try
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Certificates after restore backup

Mon Jan 23, 2023 1:36 pm

To expand on post #6 you can import a CA and any intermediates generated elsewhere plus the server certificate and key. The CA and any intermediates should have the T flag, the server certificate should have the T & K flags.

You can't duplicate the inbuilt certificate generation from one Mikrotik on another.

Who is online

Users browsing this forum: Bing [Bot], Rox169 and 81 guests