The certificate manager is used to:
- collect all certificates stored on the router;
- create and manage self-signed certificates;
- control and set SCEP-related configuration.
Starting from RouterOS version 6, certificate validity is shown with the local time zone offset applied. In previous versions it was shown in UTC.
The general menu is used to manage certificates, add templates, issue certificates and manage SCEP Clients.
Certificate templates are deleted right after the certificate issue (sign) or certificate request command is executed, so a template exists only until it has been turned into a certificate.
Printing the certificate list shows templates and certificates side by side; a template is an entry that has not been signed yet.
If the CA certificate is removed then all issued certificates in the chain are also removed.
Certificates must be signed before they can be used. In the following example the CA certificate is self-signed with a CRL host set, so that the CRL URL is embedded in the server certificate the CA then issues.
Print the certificate list again to check that the certificates are signed.
The time the signing process takes depends on the key size of the certificate being signed. With 4096-bit and larger keys it can take a substantial time on devices with less powerful CPUs.
It is possible to export client certificates together with their private keys, as well as CA certificates. The private key is only included when an export-passphrase is specified; without it, only the certificate is written.
Exported certificates are available under the /file section.
Exporting certificates requires the "sensitive" user policy.
To import certificates, the certificate files must first be uploaded to the device using one of the file upload methods (FTP, SFTP, WinBox drag-and-drop, etc.).
Certificates cannot be imported directly from the GUI or CLI without that upload step; the import command only reads files that are already present on the router.
| Property | Description |
|---|---|
| Name | The certificate name that will be shown in the certificate manager |
| File Name | The name of the uploaded file to import |
| Passphrase | The passphrase of the file, if it has one (required for private keys exported with an export-passphrase) |
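The whole procedure described above (template, self-signed CA with a CRL host, issued server and client certificates, export and import) as one RouterOS CLI session. This is an added example, not the original page's session: the certificate names, the common names, the CRL host 192.0.2.1 and the export passphrase are assumptions chosen for illustration.

```routeros
# Added example, not from the original page. Names, hostnames and the
# passphrase are illustrative assumptions.

# 1. CA template. key-usage restricts what the CA key may sign.
/certificate add name=ca-template common-name="Example Root CA" \
    key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign

# 2. Self-sign the CA. ca-crl-host becomes the CRL distribution point
#    embedded in every certificate this CA issues. The template entry
#    is removed as soon as the command completes.
/certificate sign ca-template ca-crl-host=192.0.2.1 name=ca

# 3. Server and client templates. tls-server / tls-client are the
#    extended key usages that peers check.
/certificate add name=server-template common-name=router.example.com \
    subject-alt-name=DNS:router.example.com key-size=2048 days-valid=365 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=client-template common-name=admin-laptop \
    key-size=2048 days-valid=365 \
    key-usage=digital-signature,key-encipherment,tls-client

# 4. Issue both with the CA ("ca=" names the CA certificate).
#    With 4096-bit keys this step is noticeably slower on small CPUs.
/certificate sign server-template ca=ca name=server
/certificate sign client-template ca=ca name=client

# 5. Verify. Signed entries carry the K (private key) flag, the CA also
#    carries A (authority), and the templates are gone.
/certificate print
/certificate print detail where name=server

# 6. Export (needs the "sensitive" policy). Without export-passphrase
#    only the certificate is written; with it the private key is written
#    too, encrypted with the passphrase (minimum 8 characters).
/certificate export-certificate ca file-name=ca
/certificate export-certificate client file-name=client \
    export-passphrase=Ch4ngeMeN0w!
/file print where name~"^(ca|client)"

# 7. Import on another router: upload ca.crt, client.crt and client.key
#    first, then import. The key file needs the passphrase from step 6.
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=client.crt passphrase=""
/certificate import file-name=client.key passphrase=Ch4ngeMeN0w!
```

Note that removing the certificate named ca on the issuing router would also remove server and client, since RouterOS deletes the whole chain with its CA; export the CA before any cleanup.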
Let's Encrypt certificates
RouterOS v7 has Let's Encrypt (letsencrypt) certificate support for the 'www-ssl' service. To obtain a Let's Encrypt certificate with automatic renewal, use the 'enable-ssl-certificate' command.
Note that the DNS name must resolve to the router and port TCP/80 must be reachable from the WAN, because issuance and every renewal use the ACME HTTP-01 challenge. If dns-name is not specified, it defaults to the automatically generated IP Cloud DDNS name (e.g. example.sn.mynetname.net), which requires DDNS to be enabled under /ip cloud.
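The Let's Encrypt setup as an added RouterOS CLI example (not from the original page). The host name router.example.com, the WAN interface list name and the firewall rule placement are assumptions; adapt them to the router's actual configuration.

```routeros
# Added example, not from the original page. router.example.com and the
# "WAN" interface list are assumptions.

# The HTTP-01 challenge needs TCP/80 reachable from the Internet during
# issuance and each renewal, so accept it before the default drop rules.
/ip firewall filter add chain=input protocol=tcp dst-port=80 \
    in-interface-list=WAN action=accept comment="ACME HTTP-01" place-before=0

# Without dns-name the router falls back to its IP Cloud DDNS name,
# which only exists when DDNS is enabled:
/ip cloud set ddns-enabled=yes

# Request the certificate; renewal is then handled automatically.
/certificate enable-ssl-certificate dns-name=router.example.com

# Check the issued certificate and that www-ssl is using it.
/certificate print detail where common-name=router.example.com
/ip service print detail where name=www-ssl
```

If the firewall rule is scoped more tightly (for example to a specific source), remember that the ACME validation servers connect from changing addresses, so a source restriction will break renewal later rather than issuance now.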
SCEP uses plain HTTP with base64-encoded GET requests (or POST, where the server supports it). Most requests are neither authenticated nor encrypted; the important ones, such as the certificate request itself, are protected by encrypting and/or signing them with the CA/RA public key received in the first step.
The SCEP client in RouterOS will:
- get the CA certificate from the CA server or the RA (if one is used);
- the user must then verify the fingerprint of the received CA certificate out of band to make sure it came from the right server;
- generate a self-signed certificate with a temporary key;
- send a certificate request to the server;
- if the server responds with status pending, keep polling until the server returns either an error or the issued certificate.
The SCEP server supports issuing only one certificate per enrolment. RouterOS also supports the renew and next-ca options:
- renew - the ability to renew the old certificate automatically with the same CA.
- next-ca - the ability to switch from the current CA certificate to a new one.
The client polls the server for changes; if the server advertises that a next-ca is available, the client may request the next CA immediately or wait until the current CA is about to expire and then request it.
By default the RouterOS client tries POST, AES and SHA256 if the server advertises them in its capabilities. If those are not supported, the client falls back to 3DES, DES and SHA1, MD5. Because the fallback is negotiated from what the server advertises, a CA that only advertises the weak algorithms gets them; check the server's capabilities before trusting an enrolment over an untrusted network.
SCEP certificates are renewed once 3/4 of their validity time has passed.
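Both sides of the SCEP exchange described in this section, as an added RouterOS CLI example (not from the original page). It assumes a CA certificate named ca already exists on the server router, that the server is reachable at 192.0.2.1, and that the path /scep/example and the template name are free to choose.

```routeros
# Added example, not from the original page. IP address, names and the
# URL path are assumptions; "ca" is a CA certificate already present.

# ---- SCEP server (RouterOS acting as the CA) ----
# The SCEP server is served by the www service, so it must be enabled.
/ip service set www disabled=no port=80
# Publish the CA under an HTTP path. next-ca-cert is optional; set it to
# the successor CA when one exists so clients can roll over before
# "ca" expires (the next-ca mechanism described above).
/certificate scep-server add ca-cert=ca path=/scep/example days-valid=365

# ---- SCEP client (another RouterOS device) ----
# 1. Template carrying the key usages the issued certificate should have.
/certificate add name=scep-template common-name=branch-router-01 \
    key-size=2048 key-usage=digital-signature,key-encipherment,tls-client
# 2. Enrol. The client fetches the CA certificate, creates a temporary
#    self-signed certificate, sends the request and keeps polling while
#    the server answers "pending".
/certificate add-scep template=scep-template \
    scep-url=http://192.0.2.1/scep/example
# 3. Compare the downloaded CA fingerprint with the value obtained from
#    the CA operator out of band before relying on the issued certificate.
/certificate print detail
# 4. Follow enrolment and renewal state; renewal starts at 3/4 of validity.
/certificate scep-client print
```

If the CA requires a challenge password for enrolment, add-scep also accepts challenge-password=; without it, the enrolment is only protected by the fingerprint check in step 3, which is why that check must not be skipped.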