
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Backup and Restore Certificates

Wed Jan 05, 2011 5:44 pm

I'm using RouterOS 4.16 and I have a certificate with its associated private key which isn't protected by a passphrase (when I imported them I entered a blank passphrase).
After backing up and restoring, the certificate appears as if it were encrypted ( /certificate print > starts with a column QR instead of KR )
I executed the command /certificate decrypt (entering a blank passphrase) but it remains in the same state and so is useless.
Previously I had RouterOS version 4.5 and I didn't have this problem.
Thanks in advance for any help.
Aldo Caruso
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Backup and Restore Certificates

Thu Jan 06, 2011 10:56 am

I would recommend to delete this certificate, copy the certificate and decrypt it.
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Thu Jan 06, 2011 5:22 pm

Thanks, it works, but it is a workaround to what seems to be a bug.
The problem is that when a restore is done in a new router from a backup of another router (with the same RouterOS and firmware versions), private keys are useless because they can't be decrypted.
The only case in which decryption works after a restore is when the backup was done in exactly the same hardware (as far as I could test).
Does anyone know why?
Thanks for any help.
Aldo Caruso
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Backup and Restore Certificates

Fri Jan 07, 2011 8:38 am

> The only case in which decryption works after a restore is when the backup was done in exactly the same hardware ( as far as I could test )
> Does anyone know why ?
> Thanks for any help.

Yes, you are correct. The Mikrotik Wiki has some information about this: http://wiki.mikrotik.com/wiki/Manual:Co ... escription

> The restoration procedure assumes the configuration is restored on the same router, where the backup file was originally created, so it will create partially broken configuration if the hardware has been changed.

Doug
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Fri Jan 07, 2011 2:59 pm

Thanks for your answer. So I assume that the only way to create portable backups ( between different hardware ) is using the export command from the highest level of the tree ( i.e. from / )
The problem is that when I try to import an exported configuration it doesn't work. The router hangs up forever, I can't even boot from RS232 console. I had to hardware reset the router.
Thanks for any clue.
Aldo Caruso
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Backup and Restore Certificates

Mon Jan 10, 2011 11:48 am

acaruso, export is not exporting any decrypted certificate; likewise, /user passwords are not exported by /export.
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Mon Jan 10, 2011 2:56 pm

Thanks for your answer, but my question was another: Why does an export done from / fail when it is imported (it hangs forever)?
Aldo Caruso
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Backup and Restore Certificates

Mon Jan 10, 2011 3:23 pm

> Thanks for your answer, but my question was another: Why an export done from / fails when it is imported ( it hangs forever ) ?

Again, the Mikrotik Wiki is a good resource, it covers this as well: http://wiki.mikrotik.com/wiki/Manual:Co ... figuration

> Note that it is impossible to import the whole router configuration using this feature. It can only be used to import a part of configuration (for example, firewall rules) in order to spare you some typing.

Doug
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Mon Jan 10, 2011 5:53 pm

Thanks, but in that case the conclusion is that it is impossible to backup and restore blindly from one hardware to another even in the case they have exactly the same router os version, because

a) /system backup is only reliable within the same hardware.
b) /export /import is "partial"

When you have many routers in your network and you try to minimize incident response time as a consequence of a hardware failure, having to manually retype router configuration is not an acceptable maintenance procedure.
Aldo Caruso
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Backup and Restore Certificates

Tue Jan 11, 2011 1:12 am

> When you have many routers in your network and you try to minimize incident response time as a consequence of a hardware failure, having to manually retype router configuration is not an acceptable maintenance procedure.

Agreed, maybe I should whip something up ;-)
Doug
 
thomassonm
just joined
Posts: 2
Joined: Wed Sep 22, 2010 4:41 pm

Re: Backup and Restore Certificates

Thu Mar 17, 2011 2:46 pm

Has this issue been resolved? or does anybody have an update on it?

Cheers
Mark
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Tue Jul 05, 2011 4:40 am

Hi,

I wonder if this issue is still open.

Thanks,
Aldo Caruso
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Backup and Restore Certificates

Wed Jul 06, 2011 4:38 pm

For security reasons you need to restore (decrypt) certificate separately from backup or import file configuration restore.
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Wed Jul 06, 2011 5:29 pm

Please note my post on Jan 6 2011:

> The only case in which decryption works after a restore is when the backup was done in exactly the same hardware ( as far as I could test )

That's the problem I am trying to solve:
I want to restore from a backup in a brand new hardware.
I know the passphrase of the certificate/key saved in the backup.
It doesn't decrypt.
Aldo Caruso
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Backup and Restore Certificates

Thu Jul 07, 2011 2:21 pm

acaruso, upload certificate files to the router (from the "scratch") and decrypt necessary files.
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Thu Jul 07, 2011 3:59 pm

Sergej,

I knew that way but it is a workaround to avoid a bug: key decryption doesn't work after restoring a backup, you must "also" have the certificate / key files and import them again.

Regards,
Aldo Caruso
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Backup and Restore Certificates

Sun Jul 10, 2011 4:40 am

acaruso,
Your private key is bound somehow to either the OS instance, or the hardware it's installed on.

Basically, this means you cannot decrypt the certificate, as it is inaccessible outside RouterOS.
In short, you cannot restore full certificate data across multiple devices, or multiple RouterOS instances.
Doug
 
acaruso
just joined
Topic Author
Posts: 20
Joined: Wed Jan 05, 2011 5:30 pm

Re: Backup and Restore Certificates

Mon Jul 11, 2011 11:32 pm

Doug,

To be clear:

I have routerboard A, with a certificate/key pair, I back it up, I copy the backup to router B ( same model and OS version ), restore the backup, try to decrypt certificate but it fails.

Is this normal behaviour ?

The only "solution" I found is, after restoring, deleting the unencrypted key, copying aside the certificate/key pair, importing them and finally decrypting, but this implies that backup files don't contain everything needed to restore.

So the conclusion is that, in an environment where you have many routers, you must provide your maintenance staff not only with the backup files but also with the certificate/key pairs.
Aldo Caruso
 
sergejs
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Backup and Restore Certificates

Tue Jul 12, 2011 8:04 am

> So the conclusion is that, in an environment where you have many routers, you must provide your maintenance staff not only with the backup files but also with the certificate/key pairs.

Yes, currently it is correct.
 
padrecc
just joined
Posts: 8
Joined: Mon Jan 14, 2013 2:07 am

Re: Backup and Restore Certificates

Mon Jan 14, 2013 2:11 am

I'm on 5.22 and trying to configure nightly conf sync between routers but after it certificates became QR state :(
Both routers are identical RB1200

Any chances to fix it or workaround?
 
hamster
newbie
Posts: 25
Joined: Sun Dec 11, 2016 2:46 pm

Re: Backup and Restore Certificates

Mon Mar 06, 2017 12:20 pm

Is this still the case? I'll have to replace a problematic router with a new one. It will be the same model. I noticed that "/export" doesn't export certificates... Which is a shame, but fine. Will certificates be backed up and restored by "/system backup"? Is "/system backup" even usable if I try to restore it to a different router (but the same model!)?
 
theprojectgroup
just joined
Posts: 7
Joined: Tue Feb 21, 2017 11:40 pm

Re: Backup and Restore Certificates

Fri Aug 16, 2019 12:24 am

Is there a recommended way to backup and restore config including certs & keys?
